DMARC (Domain-based Message Authentication, Reporting and Conformance) is a standard that builds upon DKIM and SPF. It is used to tell receiving email servers how to handle emails that cannot be verified.
With DMARC you can:
Protect your domain from spoofing (someone pretending to be you)
Control what should happen if verification fails
Receive reports on how your domain is used in email sending
How does DMARC work?
When an email is received, the recipient's server checks:
Whether the email passes DKIM and/or SPF
Whether the domain in the From address matches the domain verified by DKIM or SPF (alignment)
Based on your DMARC policy (p=), the recipient decides what should be done if something does not match.
How do we enable DMARC?
DMARC is configured by adding a TXT record in DNS.
Basic format:
_dmarc.<your domain> TXT "v=DMARC1; p=none;"
For example, if your domain is multinet.se:
_dmarc.multinet.se TXT "v=DMARC1; p=none;"
What does the p tag mean?
p= (policy) controls how the recipient should handle emails that fail verification.
The most common values are:
p=none
No action is taken. Email is delivered as usual, but you can receive reports.
(Recommended as a first step)
p=quarantine
Emails that fail verification are treated as suspicious and may end up in spam.
p=reject
The email is completely blocked and not delivered.
More common DMARC tags
You can extend your DMARC record with more settings:
rua=mailto:
Specifies where reports should be sent
Example: rua=mailto:dmarc@yourdomain.se
ruf=mailto:
Specifies where forensic reports should be sent (more detailed, used less often)
pct=
The percentage of traffic the policy should apply to (0–100)
sp=
Policy for subdomains
Example of a complete DMARC record
_dmarc.multinet.se TXT "v=DMARC1; p=none; rua=mailto:dmarc@multinet.se; pct=100;"
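The following Python sketch is an added example, not part of the original article: it parses a DMARC record in the format shown above, validates the tags covered here, and returns what a receiver would do with a message given its SPF/DKIM alignment results. The function names, the `roll` parameter and the second sample record are assumptions made for illustration; alignment is passed in as booleans rather than computed, and the handling of pct below 100 follows RFC 7489 rather than anything stated in this article.

```python
POLICIES = ("none", "quarantine", "reject")  # weakest to strictest

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict, validating the tags covered above."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ";" used in the article's records
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not value or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags.setdefault("sp", tags.get("p"))  # subdomains inherit p= unless sp= is set
    if tags.get("p") not in POLICIES or tags["sp"] not in POLICIES:
        raise ValueError("p= and sp= must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))  # pct defaults to 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for key in ("rua", "ruf"):
        tags[key] = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        if any(not u.lower().startswith("mailto:") for u in tags[key]):
            raise ValueError(f"{key}= must list mailto: URIs")
    return tags

def disposition(rec, spf_aligned, dkim_aligned, subdomain=False, roll=0):
    """Receiver outcome; roll in [0, 100) stands in for random pct sampling."""
    if spf_aligned or dkim_aligned:
        return "deliver"  # one aligned pass is enough
    policy = rec["sp"] if subdomain else rec["p"]
    if roll >= rec["pct"] and policy != "none":
        # unsampled mail gets the next-weaker policy (RFC 7489 behaviour)
        policy = POLICIES[POLICIES.index(policy) - 1]
    return policy

# The article's complete record, plus a constructed stricter one for comparison.
ARTICLE = "v=DMARC1; p=none; rua=mailto:dmarc@multinet.se; pct=100;"
STRICT = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=50"

if __name__ == "__main__":
    for txt in (ARTICLE, STRICT):
        rec = parse_dmarc(txt)
        print(txt, "->", disposition(rec, spf_aligned=False, dkim_aligned=False))
```

With the article's p=none record, a message that fails both checks still comes back as "none" (delivered and reported), which is why p=none only monitors and does not stop spoofed mail.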