DMARC policy
MetricSpot reads your `_dmarc` DNS record. Without DMARC, receivers get no instruction from you about mail that fails SPF and DKIM, so anyone can send email 'from you' and you never hear about it: your domain is open for spoofing.
What this check does
Queries DNS for the _dmarc.<yourdomain> TXT record and parses its policy. Reports the p= value (none, quarantine, reject), the percentage, the reporting addresses, and whether the policy is being enforced (anything beyond p=none).
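The parsing step described above, as an added example (not MetricSpot's code). It takes the TXT strings found at _dmarc.<yourdomain>, applies the RFC 7489 rules for selecting and reading the record, and reports the same fields the check does. The sample records are constructed, not real DNS answers, and "enforced" is computed a little more carefully than "anything beyond p=none", because pct sampling can make p=quarantine; pct=0 enforce nothing.

```python
"""Added example: parse a _dmarc TXT answer the way the check above describes.
Not MetricSpot's code; the sample records below are constructed, not real DNS answers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcReport:
    p: str
    sp: str
    pct: int
    rua: List[str]
    ruf: List[str]
    adkim: str
    aspf: str
    enforced: bool
    notes: List[str] = field(default_factory=list)


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def select_record(txt_records: List[str]) -> Optional[str]:
    """RFC 7489 s6.6.3: of all TXT strings at _dmarc.<domain>, exactly one must
    begin with v=DMARC1. Zero, or more than one, means receivers apply no policy."""
    candidates = [r.strip() for r in txt_records
                  if r.strip().lower().startswith("v=dmarc1")]
    return candidates[0] if len(candidates) == 1 else None


def evaluate_dmarc(txt_records: List[str]) -> Optional[DmarcReport]:
    """Return what the check reports, or None when no usable policy exists."""
    record = select_record(txt_records)
    if record is None:
        return None
    tags = parse_tags(record)
    notes: List[str] = []

    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        # RFC 7489 s6.6.3 step 6: a missing/invalid p= with a usable rua= is
        # treated as p=none; without rua= the record is unusable.
        if tags.get("rua", "").lower().startswith("mailto:"):
            notes.append(f"p={tags.get('p')!r} invalid, treated as p=none")
            p = "none"
        else:
            return None

    sp = tags.get("sp", p).lower()  # subdomains inherit p= by default
    if sp not in VALID_POLICIES:
        notes.append(f"sp={tags['sp']!r} invalid, falling back to p={p}")
        sp = p

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        # Assumption: the RFC leaves invalid pct= unspecified; treat it as 100.
        notes.append(f"pct={tags['pct']!r} invalid, assuming 100")
        pct = 100

    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    if not rua:
        notes.append("no rua= address: no aggregate reports will arrive")

    # 'Enforced' means some failing mail is actually quarantined or rejected.
    # Unsampled mail steps down one level (reject->quarantine, quarantine->none),
    # so p=reject; pct=0 still quarantines everything, but p=quarantine; pct=0
    # enforces nothing despite looking stricter than p=none.
    enforced = p == "reject" or (p == "quarantine" and pct > 0)
    if p != "none" and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets p={p}, the rest steps down one level")

    return DmarcReport(p=p, sp=sp, pct=pct, rua=rua, ruf=ruf,
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower(),
                       enforced=enforced, notes=notes)


# Constructed inputs standing in for `dig TXT _dmarc.yourdomain.com` answers.
SAMPLE_RECORDS = {
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"],
    "partial": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25"],
    "strict": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; "
               "ruf=mailto:dmarc-forensics@yourdomain.com; adkim=s; aspf=s"],
    "typo": ["v=DMARC1; p=rejct; rua=mailto:dmarc-reports@yourdomain.com"],
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: no policy
    "unrelated": ["google-site-verification=constructed-token"],  # no DMARC record at all
}

if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        print(f"{name:>10}: {evaluate_dmarc(txt)}")
```

Two of the constructed cases are the ones that trip people up in practice: a second v=DMARC1 string at the same name (often left behind after a migration) makes receivers ignore both, and a typo in p= quietly downgrades the record to monitoring mode.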
Why it matters
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving inboxes (Gmail, Outlook, Yahoo, Apple iCloud) what to do when an email claims to come from your domain but fails SPF and DKIM alignment, and where to send reports about it. Without a DMARC policy you have given no instruction, so each receiver falls back on its own spam heuristics, you get no reports, and your domain becomes free real estate for phishing campaigns.
Since February 2024, Google and Yahoo have required a DMARC record (p=none is enough to satisfy them, though it blocks nothing) for any sender that emails their users more than 5,000 times a day, and Microsoft has followed with matching requirements for high-volume senders to Outlook.com. Domains without DMARC see deliverability drop, customers receive phishing email branded as theirs, and brand trust erodes one fake invoice at a time.
A real-world example: a SaaS company we audited had no DMARC. Within three months, attackers spoofed billing@theirdomain.com in a phishing campaign that hit ~40k of their customers’ inboxes. The cleanup cost more than a decade of “we’ll get to DMARC later.”
How to fix it
Publish a _dmarc TXT record at your domain’s DNS provider. The progression:
1. Start in monitoring mode (p=none) — gathers data without affecting deliverability.
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"
The rua= address receives aggregate XML reports, typically once a day, from every receiver that implements DMARC reporting. Forward them to a tool that parses them; we recommend Postmark's free DMARC monitoring or Valimail Monitor. If the rua= mailbox lives on a different domain than the one publishing the record, that domain must opt in with a TXT record at yourdomain.com._report._dmarc.<reportdomain> containing v=DMARC1, or receivers will silently drop the reports.
2. Audit what’s sending legitimately.
The reports tell you what IPs and services send mail “as” your domain. Expected: your transactional email provider (Resend, Postmark, SendGrid), your marketing platform, possibly Google Workspace or Microsoft 365, and your help-desk tool. Anything else is either an unauthorized sender or a forgotten integration.
For each legitimate sender, set up SPF and DKIM. DMARC passes when at least one of them passes and the domain it authenticated aligns with the From header domain. Get DKIM right for every sender: SPF alone breaks when mail is forwarded, because the forwarder's IP is not in your record, while a DKIM signature survives forwarding.
3. Move to quarantine once your reports are clean (no legitimate sender failing).
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25"
pct=25 applies quarantine to 25% of failing mail. The other 75% are not exempt; receivers apply the next less strict policy to them (none here, quarantine when the record says p=reject), so the rollout is gradual but still fully visible in reports. Watch the reports, raise pct to 100, then move to p=reject.
4. Final state: p=reject.
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; adkim=s; aspf=s"
adkim=s and aspf=s demand that the DKIM d= domain and the SPF-authenticated domain exactly equal the From header domain. The default, relaxed alignment, accepts any domain sharing the same organizational domain, so d=email.yourdomain.com aligns with From yourdomain.com. Strict mode matters when you have delegated subdomains to third parties you do not want passing as the apex; it also breaks any legitimate sender that signs with a subdomain, so confirm in the reports that nothing does before turning it on. Subdomains inherit p= unless you publish sp= (or their own _dmarc record), so p=reject above already covers billing.yourdomain.com and every nonexistent subdomain; set sp= only when subdomains need a different policy. The ruf= address receives per-message failure reports, which can contain message content and which several large receivers, Gmail among them, do not send at all.
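The receiver's side of steps 3 and 4, as an added example (not MetricSpot's code): how relaxed and strict alignment decide whether a DKIM or SPF pass counts, how pct sampling steps the policy down, and how the sp= default extends p= to subdomains that do not exist. It assumes the policy dict holds the tags of the record published at the organizational domain, uses a tiny PUBLIC_SUFFIXES set as a stand-in for the real Public Suffix List, and takes sample_draw as a stand-in for the receiver's random sampling; all domains are constructed.

```python
"""Added example: how a receiver evaluates alignment and pct sampling for a
message that claims to be from your domain. Not MetricSpot's code."""
from typing import Dict, Iterable, Optional

# Stand-in for the Public Suffix List (publicsuffix.org). Real receivers load the
# full list; this tiny set is an assumption sufficient for the examples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label below the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 s3.1: strict ('s') needs an exact match; relaxed ('r', the
    default) accepts two domains that share an organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


# RFC 7489 s6.6.4: mail outside the pct sample gets the next less strict policy.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def dmarc_disposition(from_domain: str, policy: Dict[str, str],
                      dkim_domains: Iterable[str], spf_domain: Optional[str],
                      sample_draw: int) -> str:
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') the receiver applies.

    policy        tags of the _dmarc record at the organizational domain (assumed;
                  a subdomain with its own _dmarc record would use that instead)
    dkim_domains  d= values of DKIM signatures that verified
    spf_domain    domain SPF passed for (the RFC5321.MailFrom domain), or None
    sample_draw   0-99, standing in for the receiver's random pct sample
    """
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    if any(aligned(from_domain, d, adkim) for d in dkim_domains):
        return "pass"
    if spf_domain and aligned(from_domain, spf_domain, aspf):
        return "pass"

    # No aligned pass. p= covers the organizational domain itself; sp= (default:
    # same as p=) covers every subdomain, including ones that do not exist in DNS.
    p = policy["p"]
    is_org_domain = organizational_domain(from_domain) == from_domain.lower().rstrip(".")
    applicable = p if is_org_domain else policy.get("sp", p)

    pct = int(policy.get("pct", "100"))
    if sample_draw >= pct:
        applicable = STEP_DOWN[applicable]
    return applicable


if __name__ == "__main__":
    relaxed = {"p": "reject"}
    strict = {"p": "reject", "adkim": "s", "aspf": "s"}
    # An ESP signs with d=email.yourdomain.com while From is the apex.
    print("relaxed:", dmarc_disposition("yourdomain.com", relaxed, ["email.yourdomain.com"], None, 0))
    print("strict :", dmarc_disposition("yourdomain.com", strict, ["email.yourdomain.com"], None, 0))
    # Spoofed billing@yourdomain.com sent from attacker infrastructure.
    print("spoof  :", dmarc_disposition("yourdomain.com", relaxed, ["attacker.example"], "attacker.example", 0))
```

The strict case is the one to dwell on: the same legitimate ESP message passes under the default relaxed alignment and is rejected the moment adkim=s goes live, which is why the text says to check the reports first.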
Common configurations:
- Marketing email sent as noreply@email.yourdomain.com: the subdomain inherits the apex policy (sp=, or p= when sp= is absent). If your marketing platform can't yet pass aligned SPF or DKIM there, publish a separate, looser _dmarc.email.yourdomain.com record while you fix it rather than weakening the apex.
- Google Workspace: generate a DKIM key in the Admin console (default selector google, so the TXT record goes at google._domainkey.yourdomain.com), publish it, then click Start authentication. Until then Google signs with a default gappssmtp.com key, which does not align with your domain.
- Resend / Postmark / SendGrid: each provides a DNS template to paste (DKIM records under _domainkey plus a custom return-path record so SPF aligns too); DMARC works once their DKIM is verified.
Check your record:
dig +short TXT _dmarc.yourdomain.com
# v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s
Or use Mail Tester’s DMARC checker for a one-click sanity check.
Pair this with the HTTPS and HSTS checks for a baseline that covers both email and web transport security.
Frequently asked questions
What’s the difference between p=quarantine and p=reject?
quarantine: failing mail goes to the spam folder. Recoverable; cautious. reject: failing mail is refused at the receiving server during the SMTP transaction. For a spoofed message, any bounce goes to the forged return path, not to you. Strongest protection, but if SPF/DKIM is misconfigured for a legitimate service, your customers stop getting mail from you. Move to p=reject only after a period in quarantine with clean reports.
Do I need SPF and DKIM too?
Yes. DMARC is the policy layer; SPF and DKIM are the authentication layers. SPF says "this IP can send for my domain"; DKIM signs the message cryptographically. DMARC says "apply my p= policy if neither result aligns with the From domain." Strictly, one aligned pass is enough, but deploy both: SPF fails when mail is forwarded or relayed, and DKIM is what keeps that forwarded mail passing.
My domain doesn’t send email at all. Do I still need DMARC?
Yes — a “park” DMARC policy stops attackers spoofing your unused domain:
_dmarc.yourdomain.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com"
Pair with an SPF record that allows nothing:
yourdomain.com. IN TXT "v=spf1 -all"
Receivers that enforce DMARC now reject anything claiming to be your domain, and because subdomains inherit p=reject, made-up subdomains are covered too. If the domain receives no mail either, also publish a null MX record (RFC 7505) so senders know not to try.
Last updated 2026-05-11