Email Authentication Hub/DMARC

Control how receivers handle your domain's email

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that sits on top of SPF and DKIM. While SPF authorizes sending infrastructure and DKIM signs message content, DMARC tells receiving servers what to do when those checks fail or do not align with the visible sender.

For many organizations, DMARC starts as a monitoring tool. Publishing a record with p=none allows mailbox providers to send aggregate reports describing how email using your domain is authenticated across the internet. These reports reveal unknown senders, forwarding behavior, and configuration mistakes before you enforce stricter policies.

Run email authentication checkSPF, DKIM and DMARC analysis

Start here

Foundational DMARC pages

Complete DMARC GuideFull guide to DMARC policy, alignment, reporting, and safe enforcement.DMARC record examplesCopy-paste DMARC TXT examples for monitoring, quarantine, and reject policies.DMARC aggregate reports explainedLearn how DMARC XML reports work and how to use them during rollout.

How DMARC evaluation actually works

When a message arrives claiming to be from your domain, the receiving server first checks SPF and DKIM authentication. DMARC then verifies whether either result aligns with the visible From: domain.

If at least one aligned authentication method passes, DMARC passes. If neither SPF nor DKIM aligns, the receiver consults your DMARC policy and decides whether to monitor, quarantine, or reject the message.

Because of this alignment requirement, DMARC often exposes problems that SPF or DKIM alone would not reveal — especially with forwarding systems, mailing lists, and multi-service email infrastructures.

DMARC troubleshooting playbook

Deep dives for specific DMARC errors

No DMARC record foundPublish your first DMARC policy safely.Multiple DMARC records foundMerge conflicting records into one policy.DMARC alignment failedFix SPF/DKIM alignment issues for your domain.DMARC policy: none vs quarantine vs rejectNone vs quarantine vs reject explained.DMARC pct tag explainedGradual rollout strategy with percentage sampling.DMARC fo tag explainedControl when forensic reports are generated.DMARC sp subdomain policy explainedSet policy for subdomains separately from the root.DMARC reports not workingDiagnose RUA/RUF delivery problems.DMARC aspf and adkim explainedRelaxed vs strict alignment for SPF and DKIM.

Why DMARC depends on SPF and DKIM

DMARC does not replace SPF or DKIM. Instead, it coordinates them. SPF validates the sending infrastructure. DKIM validates the message content. DMARC evaluates both and ensures that at least one authentication method aligns with the visible domain identity.

Without SPF and DKIM configured correctly, DMARC cannot enforce policy reliably. This is why DMARC deployments usually follow a three-step path: stabilize SPF, enable DKIM across all senders, then gradually enforce DMARC policies.

Related authentication hubs

SPF Hub DKIM Hub