WebCheckTools Team May 15, 2026 5 min read

DMARC Explained: Stop Email Spoofing & Protect Your Domain Reputation

Learn what DMARC is, how it works with SPF and DKIM, and how to publish a DMARC record to prevent email impersonation.

What Is DMARC?

DMARC (Domain‑based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to publish a policy in DNS that tells receiving mail servers how to handle emails that fail SPF or DKIM checks. Additionally, DMARC provides reporting so you can see who is sending emails from your domain.

Without DMARC, spammers can spoof your domain even if you have SPF and DKIM. DMARC closes that loophole by enforcing an action: do nothing (monitor), quarantine (send to spam), or reject (bounce).

Why DMARC Is Essential

  • Prevents domain spoofing – stops attackers from using your domain in phishing emails.
  • Improves email deliverability – major providers (Gmail, Outlook, Yahoo) check DMARC. A proper policy increases inbox placement.
  • Provides visibility – receive daily/weekly reports showing all sources sending email as your domain.
  • Required for BIMI – to display your brand logo in supported email clients, you need DMARC enforcement (p=quarantine or reject).

How DMARC Works (SPF + DKIM Alignment)

DMARC checks two things:

  1. SPF alignment: The domain in the “From” address must match the domain in the SPF-passing Return‑Path (in relaxed mode, a subdomain of the same organizational domain also counts).
  2. DKIM alignment: The domain in the “From” address must match the domain in the DKIM signature’s d= field (in relaxed mode, a subdomain of the same organizational domain also counts).

If at least one of these passes and aligns, the email passes DMARC. Otherwise, the receiver applies your DMARC policy.
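The alignment rule above, worked through as an added example (not code from this article or from any mail server). The function names, the sample domains and the two-entry suffix set are assumptions made for illustration; real receivers derive the organizational domain from the full Public Suffix List.

```python
# Added example: DMARC identifier alignment in relaxed and strict mode.
# ASSUMPTION: org_domain() uses a tiny constructed suffix set; real receivers
# consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}  # constructed, not complete

def org_domain(domain):
    """Registrable (organizational) domain under the simplified suffix set."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' needs an exact match; 'r' needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf_pass, return_path_domain, dkim_sigs,
                 aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature verified) pairs."""
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, aspf)
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed messages, all with From: user@example.com
# 1. Sent through an ESP: SPF passes for the ESP's bounce domain (not aligned),
#    but the ESP signs with d=example.com, so DKIM carries the message.
esp = dmarc_result("example.com", True, "bounce.esp.example.net",
                   [("example.com", True)])
# 2. SPF and DKIM both pass, but only for an unrelated domain: DMARC fails.
unrelated = dmarc_result("example.com", True, "mailer.example.org",
                         [("example.org", True)])
# 3. Return-Path on a subdomain: aligned under aspf=r, not under aspf=s.
relaxed = dmarc_result("example.com", True, "mail.example.com", [])
strict = dmarc_result("example.com", True, "mail.example.com", [], aspf="s")

if __name__ == "__main__":
    for name, r in [("esp", esp), ("unrelated", unrelated),
                    ("relaxed", relaxed), ("strict", strict)]:
        print(name, r)
```

Case 2 is why SPF and DKIM alone do not protect the visible From domain: both can pass for a domain the recipient never sees.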

The Three DMARC Policies

  • p=none (monitor only): No action is taken; reports are sent. Use this first to see your email streams without blocking legitimate mail.
  • p=quarantine: Messages that fail DMARC are sent to the spam folder (or marked suspicious).
  • p=reject: Messages that fail DMARC are rejected outright (bounced). This provides full protection but requires confidence that all legitimate senders are authenticated.

How to Create a DMARC Record

A DMARC record is a TXT record published at _dmarc.yourdomain.com. Example:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic@example.com; pct=100; aspf=r; adkim=r;

  • v=DMARC1 – version (required).
  • p=quarantine – policy (none / quarantine / reject).
  • rua=mailto:... – aggregate report destination (daily XML reports).
  • ruf=mailto:... – forensic (failure) reports (optional).
  • pct=100 – percentage of messages subject to the policy (start with 100).
  • aspf=r – SPF alignment mode (r = relaxed, s = strict).
  • adkim=r – DKIM alignment mode.
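A pre-publication check for the tags listed above, as an added example (not code from this article or its DNS tool). The function name `lint_dmarc` and the sample records other than the article's own are assumptions; the report-destination check is simplified to "same domain or a subdomain of it" and follows the external-destination rule in RFC 7489.

```python
# Added example: lint one DMARC TXT value before publishing it.
POLICIES = {"none", "quarantine", "reject"}

def lint_dmarc(record, domain):
    """Return (tags, problems, notes) for the TXT value at _dmarc.<domain>."""
    domain = domain.lower().rstrip(".")
    pairs, problems, notes = [], [], []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag {part!r}")
            continue
        pairs.append((key.strip().lower(), value.strip()))
    tags = dict(pairs)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdecimal() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for mode in ("aspf", "adkim"):
        if tags.get(mode, "r") not in ("r", "s"):
            problems.append(f"{mode} must be r or s")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} destination {uri!r} is not a mailto: address")
                continue
            # Strip an optional size limit such as "!10m" after the address.
            dest = uri.rsplit("@", 1)[1].split("!")[0].lower()
            # Simplified: anything outside <domain> counts as external and
            # must authorise the reports with its own TXT record.
            if dest != domain and not dest.endswith("." + domain):
                notes.append(f"{dest} must publish TXT {domain}._report._dmarc.{dest}")
    if "rua" not in tags:
        notes.append("no rua tag: no aggregate reports will be sent")
    return tags, problems, notes

# The article's record, then two constructed records.
ARTICLE = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; "
           "ruf=mailto:forensic@example.com; pct=100; aspf=r; adkim=r;")
BROKEN = "p=reject; v=DMARC1; pct=150; rua=https://reports.example.net/in"
EXTERNAL = "v=DMARC1; p=none; rua=mailto:agg@reports.example.net!10m"

if __name__ == "__main__":
    for rec in (ARTICLE, BROKEN, EXTERNAL):
        print(lint_dmarc(rec, "example.com")[1:])
```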

How to Check Your DMARC Record

Use our free DNS Checker Tool to verify your DMARC TXT record:


Select “TXT” record type and query _dmarc.yourdomain.com. The tool will show if the record exists and its syntax. You can also use the command line: dig TXT _dmarc.example.com.

Rolling Out DMARC Safely (Step by Step)

  1. Start with p=none – publish a record with p=none and add rua=mailto:your@email.com. Wait a week to collect reports.
  2. Analyze reports – identify all legitimate IPs that send email for your domain (ESP, transactional services). Ensure they have SPF or DKIM set up correctly.
  3. Fix any missing sources – add them to SPF or configure DKIM.
  4. Move to p=quarantine – after a week with no false positives, change policy to quarantine.
  5. Finally p=reject – when you are confident everything works, set p=reject to fully protect your domain.

External Resources for DMARC Management

For report parsers, generators, and advanced monitoring, these external sites offer excellent tools:

  • woorldtv.com – free DMARC report analyzer and record generator.
  • ip-tv.com.tr – email authentication guides and DMARC deployment checklists.
  • ip-tv.id – network security resources and anti‑spoofing tutorials.

Frequently Asked Questions (FAQ)

Do I need SPF and DKIM before DMARC?

Yes. DMARC depends on SPF and DKIM. Without valid SPF or DKIM, all emails will fail DMARC, and a policy of reject would block all your legitimate email. Always set up SPF and DKIM first.

What happens if I publish p=reject without testing?

You could accidentally block legitimate emails from your own mailing system, transactional emails, or third‑party senders (Mailchimp, SendGrid). Always start with p=none and monitor reports.

How do I read DMARC aggregate reports?

Reports are XML files sent to the email address in the rua tag. Use an online DMARC report parser (like the one from woorldtv.com) to convert them into readable tables showing pass/fail sources.
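What reading an aggregate report involves, and the analysis called for in step 2 of the rollout, shown as an added example (not code from this article or from any of the tools it names). The sample report is constructed, uses documentation IP ranges, and is assumed to be already decompressed with no XML namespace on its elements.

```python
# Added example: per-source pass/fail totals from one DMARC aggregate report.
# ASSUMPTIONS: report already decompressed, no XML namespace on elements.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges, not real data).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>4</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Map source IP -> message counts that passed or failed DMARC."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        ev = rec.find("row/policy_evaluated")
        if ip is None or ev is None:
            continue  # skip malformed records instead of guessing
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; one pass is enough.
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        totals[ip]["pass" if passed else "fail"] += count
    return dict(totals)

def sources_to_review(xml_text):
    """IPs with failing mail, largest volume first: fix these if they are
    yours before moving from p=none to quarantine or reject."""
    failing = {ip: t["fail"] for ip, t in summarize(xml_text).items() if t["fail"]}
    return sorted(failing, key=failing.get, reverse=True)

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(sources_to_review(SAMPLE_REPORT))
```

A source that appears with both passes and failures, like 192.0.2.10 here, is usually a legitimate sender with one unauthenticated mail stream and is worth checking before any source that only fails.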

Can DMARC stop all spoofing?

DMARC stops domain spoofing (emails where the From domain is yours). It does not stop look‑alike domains (e.g., yourdomain-xyz.com). For that, monitor domain registrations.

How long does it take for DMARC to work after publishing?

The record propagates according to your DNS TTL (minutes to hours). However, reports take 24‑48 hours to arrive. The enforcement policy applies immediately after propagation.

Protect Your Domain Today

DMARC is the final piece of email authentication. After setting up SPF and DKIM, adding DMARC with p=reject stops nearly all direct domain spoofing. Start with p=none, analyze reports, then increase enforcement. Use our DNS Checker to verify your record, and consider using external reporting tools to simplify the process. A proper DMARC policy not only protects your brand but also improves inbox placement – a win for everyone.
