What Is DMARC?


DMARC, also known as Domain-based Message Authentication, Reporting and Conformance, is a form of email authentication that builds on existing authentication protocols. These authentication protocols play an important role in protecting users from spammy or malicious email content.

We’ve previously covered other email authentication protocols including DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). In this post, we’ll cover DMARC, what it does, and how it compares to other email authentication methods.

What Is DMARC?

DMARC allows a recipient to confirm that an email is truly coming from the sender and is not a piece of spam or a phishing attack. It helps prevent email spammers from sending spoofed versions of your domain’s “header from” field (the “from” the subscriber sees in the inbox).

DMARC combines the power of two other email authentication methods: SPF and DKIM. It ensures that the email receiver blocks any kind of fraudulent email messages that may be coming from a specific domain.

How Does DMARC Work?

Like other email authentication methods, senders publish a DMARC policy in their Domain Name System (DNS) server. A DNS server essentially translates a domain name (such as “”) into an IP address to find the correct site. Our friends at SendGrid have a more detailed explanation of DNS records here.

Within that DMARC policy, the sender specifies how its email is authenticated and what the receiving mail server should do if any email violates that policy.

When a message comes in to a receiving mail server, the server checks the DMARC policy for the domain in the “header from.” It then inspects the message’s DKIM signature and SPF. For DMARC to pass, the message must pass both DKIM and SPF and at least one of the two (DKIM or SPF) must align.

What does it mean to “align?” For SPF to align, the email’s return address (“envelope from”) and “from” domain must match. For DKIM to align, the email’s DKIM d=domain and “from” domain must match.

If the message does not pass DMARC, the policy will tell the receiving server what to do with the message. It may say to quarantine the message to a folder other than the inbox (like the spam folder) or reject it completely.

How Can I Check My DKIM and SPF?

Email on Acid’s Spam Testing feature offers SPF and DKIM testing. When you run a test, you will find it under the “Feedback Filters” column. The tool will tell you whether you fail or pass SPF and DKIM tests, and the result will look like this:

SPF result in Email on Acid spam testing

DKIM test result

When testing for SPF and DKIM, you’ll want to make sure you use the seed list testing method (or “use my SMTP email server” if you have your own SMTP server), so Email on Acid gets results directly from your server. You can learn more about running a spam test here.

There is a third option for spam testing within Email on Acid: sending the test through our domain. While this may be a quick way to test, it won’t give you accurate information about your SPF and DKIM because the test will be sent using our domain (, not yours.

What Does a DMARC Record Look Like?

A DMARC record is a specific TXT record in the DNS. It usually looks something like this:


Broken down, here’s what each piece of the record means:

  • V – Version of the DMARC protocol
  • Pct – Percentage of messages that are subject to filtering
  • Rua – Where to send aggregate reports
  • P – The preferred response to the DMARC policy. It could be p=reject or p=quarantine.

There are more details you can include in your record, such as addresses for forensic reports and responses for subdomains. has more info on those additional details here.

DMARC Reporting

Receiving servers generate DMARC reports that can inform email senders how their messages are performing with the authentication protocols. There are two different kinds of DMARC reports, forensic and aggregate:

  • Forensic reports include the individual messages that didn’t pass the DMARC authentication. This can help email senders find problems with the message to determine why it failed authentication.
  • Aggregate reports give stats on overall messages sent and authentication results.

Learn More About Spam Testing and Deliverability

Want to absorb more email deliverability content? We’ve got plenty!

Test Your Email First!

Make sure your email looks flawless before you send it out to your subscribers. Remember: A broken email is an unengaged email. With Email on Acid, you can preview your email in more than 70 email clients and devices before you hit “send.” Sign up for our free trial and start testing today.

Sign Up Today

Author: Melanie Graham

Born and raised in New England, Melanie has a background as a writer, editor and journalist. After roaming the U.S. as an expert vagabond, she’s landed in Denver as Email on Acid’s content manager. She’s a music nerd at heart who loves spending time at the piano.

Leave a Reply

Your email address will not be published. Required fields are marked *

Free Email Goodies