DMARC
The rulebook that turns two checks into a real defence against from-address spoofing.
- Builds on
- SPF and DKIM
- Protects
- the visible from domain
- Policies
- none, quarantine, reject
- Adds
- aggregate reporting
Forms & parts of speech
What DMARC adds
SPF and DKIM each validate part of an email, but neither directly protects the from address a reader actually sees. DMARC closes that gap by requiring SPF or DKIM to align with the visible from domain.
It also tells receiving servers what to do when mail fails: do nothing (p=none), send it to spam (quarantine), or block it outright (reject). And it returns aggregate reports so senders can see who is sending as their domain.
How senders roll it out
Deployment is staged. You start at p=none to monitor, read the aggregate reports to confirm all legitimate mail authenticates, then tighten to quarantine and finally reject once you are confident nothing real will be blocked.
Skipping straight to reject risks blocking your own forgotten sending services. Google and Yahoo's 2024 rules require bulk senders to publish a DMARC policy, making this stack non-optional for anyone sending volume.
After confirming every legitimate service passes SPF or DKIM with alignment, the company moves the policy to quarantine and then reject. Now mailbox providers drop the spoofed invoices automatically, and the brand's from address is genuinely protected rather than merely monitored.
Benchmarks
DMARC posture is a policy state, not a metric. The meaningful measure is moving from monitoring to enforcement with full legitimate-mail alignment.
Ranges are illustrative; every published figure is cited from a named public source or labelled “RGM analysis.”
Synonyms & antonyms
Synonyms
Antonyms
Usage trends
Search interest for this term over the last five years:
Common questions
- What does DMARC do?
- It aligns SPF and DKIM with the visible from domain, tells receivers whether to allow, quarantine, or reject failing mail, and provides reports on who is sending as your domain.
- What are the DMARC policies?
- p=none monitors only, p=quarantine sends failures to spam, and p=reject blocks them. Senders typically progress from none to reject as confidence grows.
- Is DMARC required?
- Google and Yahoo's 2024 bulk-sender rules require a DMARC policy for high-volume senders, alongside SPF and DKIM.
Related tools & calculators
Resources & people to follow
- referenceGoogle & Yahoo bulk-sender requirements (2024)
- referenceRFC 7489 — DMARC (dmarc.org)
Curated, non-competitor resources verified per term.
Sources
- trendsGoogle Trends — "dmarc"