What Is DMARC and Why You Need It in 2026
Why DMARC Matters Now More Than Ever
Before 2024, DMARC was recommended but optional for most senders. That changed when Google and Yahoo announced that bulk senders (anyone sending more than 5,000 emails per day to their users) must have a DMARC policy published. Microsoft followed with similar requirements for Outlook. In 2026, these requirements have only become stricter, with ISPs giving increasingly strong preference to domains that publish DMARC enforcement policies.
Without DMARC, your domain is vulnerable to spoofing (anyone can send email pretending to be from yourdomain.com), and ISPs treat your legitimate emails with less trust. DMARC solves both problems by tying SPF and DKIM together with a clear policy and giving you visibility into who is using your domain to send email.
How DMARC Works
DMARC builds on SPF and DKIM. When a receiving server gets an email, it runs both SPF and DKIM checks. DMARC then adds two additional requirements:
Alignment
DMARC requires that the domain used in either the SPF check or the DKIM check matches (aligns with) the domain in the visible From address. This prevents an attacker from passing SPF with their own domain while spoofing your domain in the From header. For DMARC to pass, at least one of the two mechanisms (SPF or DKIM) must both pass its own check and align with the From domain.
Policy
Your DMARC record includes a policy tag (p=) that tells receiving servers what to do when DMARC fails:
- p=none - Take no action on failed messages, just send reports. This is the monitoring-only mode you should start with.
- p=quarantine - Send failed messages to the spam/junk folder. Use this after you have confirmed all legitimate email passes DMARC.
- p=reject - Reject failed messages outright. The strongest policy, used when you are confident in your setup and want maximum protection against spoofing.
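The alignment and policy rules above, worked through in Python as an added example (not code from the original article). The function names are hypothetical, and the organizational domain is approximated as the last two labels, whereas real receivers consult the Public Suffix List.

```python
# Added example: how a receiver decides DMARC pass/fail and the resulting action.
# Assumption: organizational domain = last two labels (real receivers use the
# Public Suffix List, so a domain like "example.co.uk" is handled wrongly here).

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, authenticated_domain) tuples."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    return spf_ok or dkim_ok

def disposition(policy, passed):
    """Map the published p= value to what happens to the message."""
    if passed:
        return "deliver"
    return {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy]

# Constructed messages, all with a visible From of yourdomain.com.
CASES = {
    # SPF passes, but for the sender's own domain: not aligned, DMARC fails.
    "spoofed": dmarc_pass("yourdomain.com", ("pass", "attacker.example"), ("none", "")),
    # Forwarded mail: SPF breaks, the aligned DKIM signature still carries it.
    "forwarded": dmarc_pass("yourdomain.com", ("fail", "forwarder.example"),
                            ("pass", "yourdomain.com")),
    # Subdomain bounce address: aligned in relaxed mode, not in strict mode.
    "relaxed": dmarc_pass("yourdomain.com", ("pass", "bounce.yourdomain.com"), ("none", "")),
    "strict": dmarc_pass("yourdomain.com", ("pass", "bounce.yourdomain.com"),
                         ("none", ""), aspf="s"),
}

if __name__ == "__main__":
    for name, passed in CASES.items():
        print(name, "pass" if passed else "fail", disposition("reject", passed))
```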
Reporting
Receiving mail servers that support DMARC send daily XML reports to an email address you specify, showing every IP that sent email using your domain, whether it passed or failed SPF/DKIM/DMARC, and how many messages each IP sent. These reports are invaluable for discovering unauthorized use of your domain and finding legitimate sending sources you forgot to authenticate.
How to Set Up DMARC
DMARC depends on SPF and DKIM being properly configured. If you have not set those up yet, do that before adding DMARC. See the SPF guide and DKIM guide. Send test emails and confirm both show "pass" in the Authentication-Results headers.
Add a TXT record to your DNS at the subdomain _dmarc.yourdomain.com. Start with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
The rua tag specifies where aggregate reports are sent. Use an email address you actually monitor.
With p=none, no email is affected but you start receiving reports. Review these reports (or use a free DMARC report analyzer) to identify all sources sending email from your domain. Confirm each legitimate source passes SPF or DKIM with alignment. If you find legitimate services failing, fix their authentication before moving to a stricter policy.
Once you are confident all legitimate email passes DMARC, update your policy to p=quarantine. You can use the pct= tag to roll this out gradually: pct=10 applies the quarantine policy to only 10% of failing messages. Increase this over time to pct=100.
For maximum protection against domain spoofing, change to p=reject. This tells ISPs to completely reject any email that fails DMARC, effectively preventing anyone from impersonating your domain. Only do this when you are certain all your legitimate email is authenticated.
DMARC Record Syntax
A complete DMARC record looks like:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; adkim=r; aspf=r
- v=DMARC1 - Required version tag.
- p= - Policy: none, quarantine, or reject.
- rua= - Email address for aggregate reports (daily XML summaries).
- ruf= - Email address for forensic reports (individual failure details; not all ISPs send these).
- pct= - Percentage of failing messages to apply the policy to. Default is 100.
- adkim= - DKIM alignment mode. r=relaxed (subdomains allowed), s=strict (exact match required).
- aspf= - SPF alignment mode. r=relaxed, s=strict.
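A pre-publication check for records in this syntax, as an added example (not code from the original article or from any DMARC tool). The function names and the set of checks are assumptions chosen for illustration; the adkim/aspf defaults are those of RFC 7489.

```python
# Added example: parse a DMARC TXT record and flag problems before publishing it.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults

# The complete record shown above.
PAGE_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; "
               "ruf=mailto:dmarc-forensic@yourdomain.com; pct=100; adkim=r; aspf=r")
# Constructed record with three typical mistakes.
BAD_RECORD = "v=DMARC1; p=monitor; pct=150; rua=dmarc@yourdomain.com"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict, applying the defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return {**DEFAULTS, **tags}

def check_dmarc(record):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    tags = parse_dmarc(record)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            problems.append(f"{mode}= must be r or s")
    for uri_tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(uri_tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{uri_tag}= address {uri.strip()!r} lacks mailto:")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no aggregate reports")
    return problems

if __name__ == "__main__":
    print(check_dmarc(PAGE_RECORD))
    print(check_dmarc(BAD_RECORD))
```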
Common DMARC Mistakes
Jumping Straight to Reject
If you go directly to p=reject without monitoring first, you may block legitimate email from services you forgot to authenticate (CRM, help desk, transactional email, etc.). Always start with p=none and review reports before tightening the policy.
Not Reading the Reports
DMARC reports are XML files that are difficult to read raw. Use a free analyzer tool (like MXToolbox, Postmark DMARC, or DMARC Analyzer) to parse them into readable dashboards. The reports tell you exactly what is passing and failing, so they are worth reviewing regularly.
Subdomain Policy Gaps
DMARC policies on your root domain do not automatically cover subdomains unless you add sp= (subdomain policy). If you send from marketing.yourdomain.com, you need either a DMARC record on that subdomain or an sp= tag on the root domain record.