Acutis logo Acutis Go network & machine diagnostics

What Is DMARC?

Acutis · plain-English network help · updated June 2026

What is DMARC, in plain English?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In one sentence: it ties SPF and DKIM together and tells receiving servers what to do when a message claiming to be from your domain fails those checks. SPF and DKIM each do a job, but neither one tells anyone how to react to a failure. DMARC is the rulebook that closes that gap — and it sends you reports so you can see who is sending mail in your name.

Think of SPF and DKIM as two security guards checking ID, and DMARC as the policy manual that says, "if the ID doesn't check out, here is exactly what you do, and tell head office about it." That combination is what finally makes it hard for anyone to convincingly forge your domain.

The _dmarc TXT record

DMARC lives in a single DNS TXT record at a fixed address: _dmarc. followed by your domain. So for example.com the receiver looks up _dmarc.example.com. A starter record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Reading it across: v=DMARC1 marks the version, p=none sets the policy (more on that next), and rua= gives an address where aggregate reports should be sent. That one line is enough to start monitoring your domain immediately, without any risk to your existing mail.

The three policies: none, quarantine, reject

The p= value is the heart of DMARC. It tells receivers how to treat mail that fails authentication, and it has three settings that form a natural ladder:

  • p=none (monitor). "Don't change how you handle failing mail — just send me reports." This does nothing to filtering. It is purely a listening mode that lets you see what is being sent under your domain before you enforce anything.
  • p=quarantine (treat as suspicious). "If a message fails, put it in the spam folder." A middle step that protects recipients while still delivering failing mail somewhere visible, in case you missed a legitimate sender.
  • p=reject (block outright). "If a message fails, refuse it entirely — don't deliver it at all." The strongest stance. Forged mail in your name is bounced before anyone ever sees it.

The strongly recommended path is to start at p=none, watch the reports for a few weeks until you are confident every legitimate sender passes, then tighten to p=quarantine and finally p=reject. Jumping straight to reject before you have checked the reports risks blocking your own mail.

Alignment: the detail that makes it work

DMARC adds one extra requirement on top of SPF and DKIM, called alignment. It is not enough for SPF or DKIM to simply pass — the domain they pass for must match the domain in the visible "From" address that the user actually reads.

This matters because spoofers used to pass SPF for some unrelated domain while still showing your name in the From line. Alignment shuts that down: DMARC passes only when an aligned SPF or an aligned DKIM check succeeds. You only need one of the two to align, which is why having both SPF and DKIM in place gives you the best chance of a clean pass — even when forwarding breaks one of them.

Try it free: check your DMARC policy

See your domain's DMARC record alongside its MX, SPF and DKIM, and find out whether you are monitoring, quarantining, or fully protected against spoofing. Free, no account needed.

Check your DMARC record now →

rua reports: seeing who sends as you

The rua tag is one of DMARC's most useful features. It is an address where receivers send daily aggregate reports — summaries of every server that sent mail claiming to be from your domain, and whether each passed or failed SPF and DKIM. These reports arrive as XML and are dense to read raw, but they answer the crucial questions:

  • Which legitimate services do I send from? So you can be sure they are all authorized before you tighten your policy.
  • Is anyone forging my domain? Unexpected servers failing authentication are a clear signal of spoofing attempts.
  • Am I safe to move to reject? Once every source in the reports passes cleanly, you can enforce with confidence.

Plenty of free and paid tools turn those XML reports into readable dashboards, which makes the monitor phase far less painful.

How DMARC completes the picture

SPF lists your allowed senders, DKIM seals each message, and DMARC ties the two together, enforces a policy, and reports back to you. None of the three is complete on its own, but together they are the modern standard major providers expect. If your mail keeps landing in spam, a missing or p=none DMARC record on top of weak SPF and DKIM is a frequent culprit — and fixing all three together is what gets you reliably into the inbox.

Stop guessing — is it the network or your machine?

When services won't connect or mail won't flow, Acutis Go runs a 60-second check and tells you plainly whether the fault is your network, your DNS, or your own device. Free, no account to try.

Get Acutis Go — free

Related guides