What Is DMARC?

  • Updated

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy that ties SPF and DKIM together. It tells recipient servers two things: which of SPF or DKIM should pass for your domain, and what to do if a message claiming to be from you fails those checks. Since February 2024, Gmail and Yahoo require every sender to have one.

Who does this: Marketing owns the outcome and picks the policy (none / quarantine / reject). IT publishes the TXT record
Time needed: 5 to 10 minutes to read; publish takes an IT ticket plus up to 24 hours for DNS to propagate
Why this matters: DMARC is the deliverability requirement from the big mailbox providers. No DMARC record means bulk mail to Gmail and Yahoo recipients simply doesn't arrive. With DMARC in place, you also get reports showing anyone attempting to send mail using your domain - valuable for spotting phishing attempts aimed at your brand.
In plain English: SPF says "Act-On is on the guest list." DKIM says "this envelope hasn't been tampered with." DMARC is the doorman's rulebook: "if either one doesn't check out, do X."
Quick Reference (Advanced Users) - Click to Expand
  • Prerequisite: DKIM set up on your From domain, or an SPF record on your Envelope domain (same top-level domain as From).
  • Minimum record: Name _dmarc, Type TXT, Value v=DMARC1; p=none.
  • Policies: p=none (monitor), p=quarantine (send to spam), p=reject (bounce).
  • Reporting: add rua=mailto:postmaster@example.com (use a dedicated mailbox - reports are high volume).
  • Aggregators for report analysis: Inbox Monster, Agari, DMARCIAN, EasyDmarc, Red Sift.

How DMARC works

When a recipient's mail server evaluates an incoming message for DMARC, it checks for alignment: does the domain that SPF or DKIM validates match the domain in the visible "From" address? Two purposes:

  1. Confirm the sender is who they claim to be.
  2. Confirm whoever is sending in that domain's name has permission to do so.

Your DMARC policy tells the recipient server what to do if alignment fails.

Before you publish DMARC

To configure DMARC for use with Act-On you must have either:

  • DKIM set up for your From domain in Act-On, or
  • An SPF record on your Envelope domain that includes all mail servers sending on your behalf, and the Envelope domain shares the same top-level domain as the From domain.

Both are DNS requirements in Act-On and industry-wide email best practices. Get DKIM and/or SPF in place first. DMARC will keep failing until those records are set properly.

Note: As of February 2024, a DMARC policy is required to deliver email to Gmail and Yahoo/AOL addresses. Strict enforcement started in June 2024.

DMARC record instructions

Three common shapes for a DMARC record, starting simple and adding reporting.

1. Basic - the minimum requirement

Create a TXT record in DNS:

  • Name: _dmarc (or _dmarc.yourdomain.com, depending on your DNS provider)
  • Type: TXT
  • Value: v=DMARC1; p=none

This is a simplified version of what most DMARC policy records look like. It tells recipient servers that SPF or DKIM should be valid for any message using your domain in the From address, but doesn't tell them to take action if DMARC evaluation fails.

Two stricter policies you can swap in once you're confident:

  • p=quarantine - send failing messages to spam / quarantine.
  • p=reject - tell recipient servers to reject anything that fails DMARC outright.

2. With reporting

Add a reporting address inside the Value so you receive aggregated failure reports.

  • rua=mailto:postmaster@example.com

That mailbox will receive a large volume of reports. Use a dedicated address that isn't already in use by another person or service.

3. With a third-party reporting aggregator

If you're going to act on DMARC reports, don't try to read them in a mail client - use an aggregator. Act-On recommends a third-party service to receive and summarise reports. There are free and paid options with different levels of visibility and reporting frequency.

Services and tools we commonly see customers use:

Learn more

For a deeper look at DMARC and the email authentication stack as a whole, see DMARC.org.

Was this article helpful?

Have more questions? Submit a request