DMARC (Domain-based Message Authentication, Reporting and Conformance)
An email authentication protocol that builds on SPF and DKIM to give domain owners control over what happens to unauthenticated email.
What is DMARC?
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol that builds on top of SPF and DKIM. While SPF and DKIM verify the technical origin and integrity of an email, DMARC adds a policy layer that tells receiving servers what to do when those checks fail. It also introduces a reporting mechanism so domain owners can see who is sending email on their behalf and whether authentication is passing or failing.
How DMARC Works
DMARC is published as a DNS TXT record at _dmarc.yourdomain.com. The record contains a policy directive that can be set to one of three values: none, quarantine, or reject. With p=none, the domain owner is in monitoring mode and no action is taken on failing emails. With p=quarantine, failing messages are sent to the spam folder. With p=reject, failing messages are blocked entirely.
For a message to pass DMARC, it must pass either SPF or DKIM, and the domain used in that passing check must align with the domain in the visible From header. This alignment requirement is what makes DMARC effective against spoofing, because it prevents attackers from passing SPF with their own domain while impersonating yours in the From field.
Why DMARC Matters for Cold Email
DMARC is increasingly required by major email providers. Google and Yahoo both mandate DMARC records for bulk senders. For cold email operations, starting with p=none lets you collect aggregate reports and identify any legitimate sending sources that might not be authenticated yet. Once you confirm everything is aligned, moving to p=quarantine or p=reject strengthens your domain’s reputation and signals to providers that you take authentication seriously.
Reporting and Monitoring
One of DMARC’s most valuable features is its reporting capability. By including a rua tag in your DMARC record, you receive daily aggregate reports from receiving servers showing how many messages passed and failed authentication. These reports are in XML format and can be parsed by tools that visualize your authentication posture. Monitoring these reports is essential for catching misconfigurations early and ensuring every legitimate email source is properly authenticated.
Outspun & DMARC
Outspun’s managed infrastructure plans configure DMARC policies automatically for every domain, alongside SPF and DKIM. We start with monitoring mode and guide you toward enforcement, so your domains build trust with mailbox providers from the start.
Keep learning
DKIM (DomainKeys Identified Mail)
An email authentication method that uses cryptographic signatures to verify that an email was sent by the domain it claims to be from.
SPF (Sender Policy Framework)
A DNS record that specifies which mail servers are authorized to send email on behalf of your domain.