DMARC
SPF and DKIM each verify a different aspect of an email's origin, but neither tells the receiving server what to do when a check fails. DMARC fills that gap. It lets domain owners publish a policy that instructs receivers to monitor, quarantine, or reject unauthenticated messages — and it requires that the domain in the visible From: header aligns with the domain that passed those checks.
What is DMARC
DMARC is a DNS TXT record published at _dmarc.yourdomain.com. It contains a policy (p=) that tells receiving servers how to handle emails that fail SPF and DKIM alignment:
p=none — Take no action. Used during initial rollout to collect data without affecting delivery.
p=quarantine — Route failing messages to the recipient's spam or junk folder.
p=reject — Drop failing messages entirely. The strongest policy, and the end goal for most domains.
DMARC also introduces the concept of alignment. The domain in the From: header must match the domain that passed SPF or DKIM. Without alignment, an attacker could pass SPF using their own domain while spoofing yours in the From: field.
How DMARC works
When a mail server receives a message, it checks whether the sending domain has a DMARC record. If one exists, the server evaluates whether the message passed SPF or DKIM with proper alignment. If both checks fail alignment, the server applies the published policy.
DMARC records can also include reporting addresses:
rua — Receives aggregate reports summarizing authentication results across all messages from your domain. These reports are XML files sent daily by receiving providers.
ruf — Receives forensic (failure) reports for individual messages that failed authentication. Not all providers send these.
A typical DMARC record looks like this:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com
The pct field controls what percentage of failing messages the policy applies to, which is useful for gradual rollouts.
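The receiver-side decision described above, as an added example (not Clerk's code or any provider's implementation). The function names are hypothetical, and alignment is simplified to the strict mode (exact domain match); the relaxed mode, which is the DMARC default, compares organizational domains and needs the Public Suffix List.

```python
# Added example: a receiver's DMARC decision, simplified to strict alignment.
from dataclasses import dataclass

DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DOWNGRADE:
        raise ValueError("not a usable DMARC record")
    return tags


@dataclass
class AuthResult:
    passed: bool   # did SPF (or DKIM) itself pass?
    domain: str    # SPF: envelope sender domain; DKIM: the d= domain


def aligned(result: AuthResult, from_domain: str) -> bool:
    # Strict alignment: exact, case-insensitive match with the From: domain.
    return result.passed and result.domain.lower() == from_domain.lower()


def disposition(record: str, from_domain: str, spf: AuthResult,
                dkim: AuthResult, sample: int = 0) -> str:
    """Return 'deliver', 'none', 'quarantine' or 'reject'.
    sample is a number in 0..99 the receiver draws per failing message."""
    tags = parse_dmarc(record)
    if aligned(spf, from_domain) or aligned(dkim, from_domain):
        return "deliver"                      # one aligned pass is enough
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    # Messages outside the pct sample get the next weaker policy (RFC 7489).
    return policy if sample < pct else DOWNGRADE[policy]


RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com"
# Constructed case: SPF passes, but for a different domain than From:.
spoof = disposition(RECORD, "yourdomain.com",
                    AuthResult(True, "attacker.example"),
                    AuthResult(False, ""))
print(spoof)
```

The constructed spoofing case is rejected even though SPF passed, because the domain that passed SPF is not the domain in the From: header.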
DMARC and Clerk
Clerk configures SPF and DKIM automatically during production instance setup, but DMARC is the domain owner's responsibility. At minimum, you need a p=none record to satisfy Gmail and Yahoo's bulk sender requirements. For actual protection against spoofing, work toward p=reject.
For setup instructions, see Setup DMARC email authentication. For guidance on DMARC during domain warm-up, see New domain reputation and email warm-up.