What is DMARC and how does it protect your domain?

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a DNS policy record that tells receiving mail servers what to do when an email fails SPF or DKIM authentication — the two foundational email authentication standards.

Where SPF tells servers which IPs are allowed to send, and DKIM adds a cryptographic signature to emails, DMARC ties them together and gives the domain owner control over the outcome when either check fails.

The three DMARC policies

DMARC has three policy levels:

p=none — Monitor only. Emails that fail authentication are delivered as normal. You receive reports about failures but no action is taken. This is the right starting point for any domain that has never had DMARC before.

p=quarantine — Failed emails are sent to the spam or junk folder. This is the middle ground — failures are contained without the risk of losing legitimate email.

p=reject — Failed emails are blocked entirely at the server level and never reach the recipient. This is the strongest protection and the goal of a mature DMARC setup.

How to read a DMARC record

A DMARC record is a DNS TXT record added at _dmarc.yourdomain.com. A typical record looks like:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com

Breaking this down:

• v=DMARC1 — declares this as a DMARC record
• p=quarantine — the policy to apply to failing emails
• pct=50 — apply the policy to 50% of messages (useful for gradual rollout)
• rua — the email address where aggregate reports are sent

Rolling out DMARC safely

Rushing to p=reject before you understand your email flow is the most common DMARC mistake. Legitimate email from a provider not covered by your SPF record will be rejected, causing real delivery failures.

The recommended approach is to start at p=none with rua set to an email you monitor. Review the aggregate reports for two to four weeks to identify all sources sending email from your domain — marketing platforms, CRM tools, helpdesk software, and so on. Add each legitimate source to your SPF record. Then move to p=quarantine at pct=10, increasing gradually. Finally move to p=reject at pct=100.

Why DMARC matters for deliverability

Gmail and Yahoo now require DMARC for bulk senders. Without a DMARC record, your emails are more likely to be filtered as spam. With p=reject, you also prevent phishing emails that spoof your domain from ever reaching your customers.

How BounceProtect uses DMARC

BounceProtect checks DMARC configuration as part of domain-level analysis. A domain without DMARC, or with a p=none policy that has been sitting there for years, is flagged as having weaker email infrastructure — this is reflected in the deliverability and spam risk scores.