Updated On
November 30, 2020

DMARC Demystified: A Basic Guide to improving Email Deliverability

E-mail is an essential form of communication in our digital world. Along with SMS, e-mail is one of the most widely used communication mediums, carrying everything from personal messages to crucial business documents.

When e-mail was first invented in 1971, messages were sent completely unencrypted and unsecured across hosts on the ARPANET. As e-mail usage increased, the vulnerabilities became more apparent. Opportunities for spam, scams, and other fraud became more widespread as the network grew.

DMARC is a domain-level standard that handles messages which are considered suspicious. This article will explain the basics of DMARC and how to use it to manage traffic on your e-mail server domain.

DMARC Definition and Use

Domain-based Message Authentication Reporting and Conformance (or DMARC) is a domain policy standard that assists in message verification and routing.

DMARC is not a replacement for Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). Instead, DMARC works with SPF and DKIM to provide further checks and a policy on handling messages that pass or fail verification.

A DMARC policy informs receiving e-mail servers on how to treat messages that do not pass SPF or DKIM verification. Therefore, DMARC is the final arbiter of whether a message is delivered, held for further analysis, or rejected.

How DMARC Operates

The primary key that DMARC checks is the sender domain in the From: e-mail header. Note that DMARC does not use other e-mail headers even if they are available. Using more headers would increase the likelihood of detection errors.

While it is relatively simple to spoof the From: header, this is where SPF and DKIM also factor in as "Authenticated Identifiers."

DMARC will examine the From: header of a message against the results of SPF and DKIM. If DMARC can verify the message's source, the final rating is "pass," and the message will be delivered. If DMARC, SPF, and DKIM cannot validate the source domain, the rating is "fail," and actions are taken based on your set policies. 

So now, let's look at setting up DMARC for your mail server.

An Example DMARC DNS Record

The first step in configuring DMARC is to add the appropriate record into your DNS. The DMARC entry will include information regarding your specific policies and settings for how DMARC will handle incoming mail.

A basic DMARC DNS entry will look like this:

Host: _dmarc.yourdomain.com

TTL: 1800


VALUE: v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com

In the example above, replace yourdomain.com with the real domain name on which you are configuring DMARC.

The main area of interest here is the value data since this is where you define your DMARC policies. When you are first setting up DMARC, we recommend beginning with p=none, indicating no quarantine or reject policy for messages. The setting of p=none tells DMARC to generate reports without taking any specific action, allowing you to analyze results safely. 

Once your DMARC configuration is satisfactory, you can update to p=quarantine or p=reject, which will hold failing messages or reject them immediately.

The rua value specifies an address which will receive reports of rejections. Active and consistent DMARC monitoring is essential, especially at the start, to verify your policies' effectiveness.

There are many additional options that you can set, such as changing the percentage of messages affected by your policy using pct=50, for example. Percent can be useful if you want to deploy policy changes to your server slowly.

Checking Your DMARC Configuration

Once you have configured your DMARC policy, it's a good idea to test that it functions the way you expect. While you can roll the changes out incrementally using the pct value outlined above, this still could negatively impact your users.

Before actively deploying your DMARC policy to users on your server, we recommend checking your policies using a DMARC analyzer.

If everything looks correct in the DMARC checker, the next step is to monitor the reporting address you specified in your DNS entry.

Depending on your mail server's size and the mail volume that you process, you may have many reports in your inbox, and they will typically contain large amounts of data.

The reports will be in XML format, and while human-readable, it can be challenging to parse by hand. We recommend using an automatic XML reformatter to convert the data into a more eye-friendly and readable format.

Either way, by examining the reports, you can see which messages are being successfully delivered or rejected and why particular messages are failing.


DMARC is a useful tool in the battle against spam, spoofing, and other communication fraud. As more and more of our lives become connected, maintaining security in our everyday communication is crucial. DMARC is an indispensable aspect of overall e-mail security.