
DMARC policy guide

DMARC tells receivers what to do when neither SPF nor DKIM aligns with your From domain, and enables aggregate and forensic reporting.

A DMARC record is a TXT record at _dmarc.yourdomain. It includes a policy (p=), optional subdomain policy (sp=), alignment settings, and report addresses (rua for aggregate, ruf for forensic where supported).

Policy modes

  • p=none — Monitor only. Messages still deliver; you collect reports to see who sends as your domain. Best starting point.
  • p=quarantine — Failing mail may be spam-foldered. Use after SPF and DKIM are correct for legitimate streams.
  • p=reject — Failing mail should be rejected. Strongest protection once you have verified reports and fixed gaps.

Alignment

DMARC passes if SPF or DKIM aligns with the From domain (depending on strict vs relaxed settings in aspf / adkim). Alignment is stricter than “SPF pass” alone: the domain in the envelope or DKIM signature must match the organizational domain in the From header per your policy.

Reports

Aggregate reports (XML sent to rua) show volume and results by source. They are essential before tightening policy. Forensic reports (ruf) are less widely supported and may contain privacy-sensitive samples; use carefully.

Percentage rollout

pct lets you apply quarantine or reject to only a fraction of failing mail while you validate. Increase gradually as confidence grows.
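
The following Python sketch is an added example, not part of the original guide: it parses a DMARC TXT record, fills in the defaults for aspf, adkim, pct and sp, and evaluates alignment for one message under strict and relaxed settings. The record, the domains and the helper names are constructed for illustration, and org_domain() is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
# Added example: parse a DMARC TXT record and evaluate alignment for one message.
# Assumption: org_domain() takes the last two labels; real receivers use the
# Public Suffix List, so this is wrong for suffixes such as co.uk.

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # defaults from RFC 7489


def parse_dmarc(txt):
    """Return the record's tags as a dict, with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    merged = {**DEFAULTS, **tags}
    merged.setdefault("sp", merged["p"])  # subdomains inherit p= unless sp= is set
    return merged


def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' needs an exact match; 'r' needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the p= policy a failing message falls under (sp= not applied)."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, record["adkim"])
    return "pass" if (spf_ok or dkim_ok) else record["p"]


# Constructed sample record and message results.
RECORD = parse_dmarc("v=DMARC1; p=quarantine; adkim=s; pct=25; rua=mailto:dmarc@example.com")
# SPF passed for a third-party bounce domain; DKIM was signed by a subdomain.
print(evaluate(RECORD, "example.com", True, "bounce.esp.example.net", True, "mail.example.com"))
# Same message with relaxed DKIM alignment.
print(evaluate({**RECORD, "adkim": "r"}, "example.com", True, "bounce.esp.example.net", True, "mail.example.com"))
```

The first call shows a legitimate stream that passes both SPF and DKIM yet still fails DMARC, which is the kind of gap aggregate reports surface before policy is tightened.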

Run a deliverability check to see your current DMARC record and how it lines up with SPF and DKIM.