DMARC is the third leg of email authentication, after SPF and DKIM. It tells receivers what to do when authentication fails. Set it up wrong and you can stop legitimate mail from your CRM, billing system, and marketing automation in one DNS change. The right way is a staged rollout that starts at observation-only and moves to enforcement only when you are confident.
The three DMARC policies
- p=none: monitor only. Failing mail still gets delivered, but receivers send you reports.
- p=quarantine: failing mail goes to spam folder.
- p=reject: failing mail is rejected outright. Strongest protection.
The staged rollout (90 days)
Days 1 to 30: p=none + reports
Publish your initial DMARC record:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"The rua tag is where receivers send aggregate reports. They include statistics on who sent as your domain, what authentication checks they passed, and what receivers did.
Spend the first 30 days collecting reports. You will discover senders you did not know about: a marketing tool the team set up two years ago, a billing platform's notification email, a contractor's freelance setup.
Days 30 to 60: add SPF/DKIM for legitimate senders
Now you know who is sending. For each legitimate one:
- Confirm SPF includes them.
- Confirm DKIM is set up correctly.
- If both pass, that sender's mail will continue working when DMARC moves to enforcement.
Anyone you do not authorize (spoofers, phishers using your domain) will start failing once you raise the policy.
Days 60 to 75: p=quarantine, pct=25
Move to quarantine but only for 25% of failing messages:
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com"Watch reports. If legitimate mail is being quarantined, fix that sender's auth before raising the percentage.
Days 75 to 90: p=quarantine, pct=100
All failing mail goes to spam. If a sender starts failing here, you will hear about it from internal users.
Day 90+: p=reject (optional)
If you want maximum protection, move to reject. Failing mail is bounced entirely.
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com"Tools that read DMARC reports
Aggregate reports arrive as compressed XML. They are unreadable by hand. Use a service:
- Postmark DMARC Digests - free, daily summary email.
- Dmarcian - free tier + paid for advanced features.
- DMARC Analyzer - paid, enterprise focus.
- EasyDMARC - friendly UI, mid-priced.
The most common DMARC mistakes
- Going straight to p=reject. Breaks legitimate senders you did not know about.
- Not collecting reports. You learn nothing without rua.
- Forgetting subdomains. A DMARC policy on
yourdomain.comdoes not automatically covernews.yourdomain.com. Use thesp=tag or publish a separate subdomain policy. - Treating SPF or DKIM as enough. DMARC's value is the policy enforcement layer on top. SPF and DKIM alone do not prevent spoofing the way DMARC does.
FAQ
How long does DMARC propagation take?
DNS changes are global within minutes to hours. DMARC reports start arriving within 24 hours.
Will DMARC affect my own outbound email?
Only if your outbound email is failing SPF/DKIM. Properly configured outbound passes both and never trips DMARC.
Is DMARC required for everyone?
Required by Gmail and Yahoo for bulk senders (over 5,000/day). Strongly recommended for everyone else.
Pair authentication with hygiene
Authentication gets you to inbox; hygiene keeps you there. Clean your list while DMARC propagates.