DMARC

DMARC Definition

DMARC is a domain-level email security policy published in DNS. It uses SPF and DKIM results—plus alignment with the visible “From” domain—to determine whether a message is legitimate. If a message fails DMARC, your policy tells receivers what to do (monitor, send to spam, or block).

DMARC has three core functions:

1. Authenticate your mail using SPF/DKIM + alignment

2. Enforce a policy for failures (none/quarantine/reject)

3. Report on authentication results so you can fix misconfigurations and stop abuse

Why DMARC Matters

DMARC is valuable because it protects both senders and recipients:

• Stops domain spoofing that leads to phishing and fraud

• Protects brand reputation by reducing impersonation email

• Improves trust signals with inbox providers over time

• Helps you find unknown senders using your domain (legit or malicious)

• Enables BIMI readiness (BIMI typically depends on DMARC enforcement)

How DMARC Works With SPF and DKIM

DMARC doesn’t replace SPF or DKIM—it sits on top of them.

SPF (Sender Policy Framework)

SPF checks whether the sending server is authorized to send for your domain (based on DNS).

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs email so receivers can verify it wasn’t altered and that it’s tied to a domain.

The missing piece DMARC adds: Alignment

Alignment means the domain that passes SPF and/or DKIM must match (or align with) the domain in the visible From address.

An email passes DMARC if:

• SPF passes and SPF domain aligns with From, or

• DKIM passes and DKIM domain aligns with From

This is why DMARC is so effective: it ties authentication to what the user actually sees.

DMARC Policies Explained (p=none, p=quarantine, p=reject)

Your DMARC record includes a policy that tells inbox providers what to do when mail fails DMARC:

p=none (Monitor only)

• No enforcement

• You receive reports

• Best for the starting phase

p=quarantine (Enforce softly)

• Failing mail is treated as suspicious (often routed to spam/junk)

• Good transitional step before full blocking

p=reject (Enforce strongly)

• Failing mail is rejected at the receiving server

• Strongest protection against spoofing

What Is a DMARC Record?

A DMARC record is a DNS TXT record published at:

• _dmarc.yourdomain.com

At minimum, it contains:

• v=DMARC1 (version)

• p= (policy)

Most real-world records also include reporting and alignment options.

DMARC Record Examples

1) Monitoring-only DMARC record (recommended starting point)

2) Gradual enforcement (phased rollout)

• pct=25 applies enforcement to 25% of failing mail (useful for safer ramp-up)

3) Full enforcement (strong protection)

Common DMARC Tags (What They Mean)

Here are the tags you’ll see most often:

• v=DMARC1 — protocol version (required)

• p=none|quarantine|reject — policy for the main domain (required)

• rua=mailto: — where to send aggregate reports (recommended)

• ruf=mailto: — forensic/failure reports (optional; not supported everywhere and can raise privacy considerations)

• adkim=r|s — DKIM alignment (relaxed or strict)

• aspf=r|s — SPF alignment (relaxed or strict)

• sp= — policy for subdomains (optional but important if you send from subdomains)

• pct= — percent of failing mail subjected to the policy (useful for ramping)

• fo= — failure reporting options (advanced)

• ri= — reporting interval (advanced)

Practical default: most brands start with relaxed alignment (adkim=r; aspf=r) and move to strict only if they have tight control over every sending source.

How to Set Up DMARC for Adaptix (Step-by-Step)

Step 1: Confirm your “From” domain

Decide whether Adaptix sends as:

• yourdomain.com, or

• a subdomain like mail.yourdomain.com

Whatever appears in the From address is what DMARC will protect.

Step 2: Set up SPF for your sending domain

Ensure your SPF record authorizes the sending infrastructure you use (including Adaptix and any other legitimate senders).

Step 3: Enable DKIM signing

DKIM is often the most stable path to DMARC pass because it can align cleanly with your From domain.

Step 4: Publish a DMARC record in monitoring mode

Start with:

• p=none + rua=...

This gives you visibility without breaking legitimate mail.

Step 5: Review DMARC reports and fix alignment issues

Your reports will show:

• which sources send mail using your domain

• which pass/fail DMARC

• whether failures are legitimate (misconfigured tools) or malicious spoofing

Common fixes:

• add missing authorized senders to SPF

• ensure Adaptix DKIM is enabled for the From domain

• correct From domain usage (misaligned subdomains)

• stop unauthorized platforms from sending as your domain

Step 6: Ramp enforcement

Move gradually:

• p=none → p=quarantine → p=reject
  Use pct= to phase if you want extra safety during transition.

Step 7: Set subdomain policy if you use subdomains

If you send from multiple subdomains, use sp= to ensure consistent protection.

DMARC Best Practices

• Use DKIM + alignment as your primary pass path (more consistent across forwarding scenarios)

• Don’t stay at p=none forever—monitoring is visibility, not protection

• Centralize sending sources (fewer tools = fewer alignment failures)

• Avoid multiple DMARC records (only one DMARC TXT record should exist per domain)

• Treat DMARC as a lifecycle project: monitor → fix → enforce → maintain

• Pair with brand trust initiatives (like BIMI) once enforcement is stable

Common DMARC Problems (and Quick Fixes)

“My DMARC is failing but SPF and DKIM pass”

Likely an alignment issue. SPF/DKIM can pass for one domain while your From address uses another domain.

“Forwarded emails fail DMARC”

Forwarding can break SPF. DKIM often survives forwarding better—another reason to prioritize DKIM alignment.

“We use multiple platforms and reports are messy”

This is common. The fix is governance: approve sending sources, standardize From domains, and disable “send as our domain” features you don’t control.

FAQ: DMARC

What does DMARC stand for?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

What is DMARC in simple terms?

DMARC is a DNS-based policy that tells inbox providers how to treat emails that fail authentication and alignment—so scammers can’t easily spoof your domain.

Do I need SPF and DKIM for DMARC?

Yes. DMARC uses SPF and DKIM results plus alignment with the From domain. DMARC can pass if either SPF or DKIM passes and aligns.

What’s the best DMARC policy to use?

Start with p=none to monitor, then progress to p=quarantine and ultimately p=reject once you’ve fixed legitimate sending sources.

What is DMARC alignment?

Alignment means the domain that passes SPF and/or DKIM matches (or aligns with) the domain in the visible From address.

Does DMARC improve deliverability?

DMARC primarily improves domain protection and trust. While it’s not a magic “inbox switch,” strong authentication and reduced spoofing generally support better long-term deliverability and brand safety.

How long does DMARC take to work?

Monitoring begins once the DNS record is published and receivers start generating reports. Enforcement takes effect as soon as receivers see your policy—then impact depends on how quickly you fix misaligned senders and move to quarantine/reject.

How does Adaptix help with DMARC?

Adaptix supports DMARC success by enabling proper authenticated sending (SPF/DKIM alignment) and helping you run consistent sending practices that reduce failures and strengthen sender trust over time.