What is DMARC?

Without DMARC, your domain is vulnerable to spoofing. If a hacker tries to send an email pretending to be you, and it fails authentication, the inbox provider might not know whether to block it or let it through. DMARC gives them clear instructions.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the rulebook that tells inbox providers what to do when an email fails authentication.

SPF and DKIM run the checks. DMARC enforces the decision.

Without DMARC, inbox providers are forced to guess. With DMARC, you give them clear instructions.

Why DMARC Exists

If someone tries to send an email pretending to be your domain and it fails SPF or DKIM, DMARC answers one question:

“Should I let this through, send it to spam, or block it completely?”

Without DMARC, fake emails can slip through. That damages trust, reputation, and eventually deliverability.

How DMARC Works

Every incoming email goes through this sequence:

  • SPF check: Is the sending server authorized?
  • DKIM check: Is the message authentic and unchanged?
  • DMARC decision: If SPF or DKIM fails → apply the policy

DMARC does nothing on its own. It only acts when SPF or DKIM fails.

The Three DMARC Policies

DMARC has three enforcement levels. Each one tells inbox providers how strict to be.

1. p=none — Monitoring Mode

What it does: Inbox providers deliver the email normally, even if it fails authentication.

Why it exists: So you can test your setup and receive reports without blocking anything.

When to use it

  • Brand new domains
  • First few days of warm-up
  • Verifying SPF and DKIM alignment

This offers visibility, not protection.

2. p=quarantine — Spam Enforcement

What it does: If an email fails authentication, it is sent to the Spam folder.

Why it exists: It prevents fake emails from landing in the Primary Inbox while still allowing delivery.

When to use it

  • After SPF and DKIM are confirmed working
  • During active cold email sending

This is the most common setting for cold email domains.

3. p=reject — Full Protection

What it does: If an email fails authentication, it is blocked completely.

Why it exists: To eliminate spoofing and impersonation entirely.

Risk: If your own configuration is wrong, you will block your own emails.

This is maximum security, not a testing mode.

How to Set Up DMARC

DMARC is added as a TXT record in your domain’s DNS.

Setup Steps

  • Go to your DNS provider (Cloudflare, Porkbun, Gandi, etc.)
  • Create a new TXT record
  • Set the Host / Name to:

_dmarc

  • Add the policy value (example below)

Recommended DMARC Policy for Cold Email

Phase 1 — First 3–5 Days

v=DMARC1; p=none;

  • Confirms SPF & DKIM are aligned
  • Collects reports
  • No enforcement

Phase 2 — After Verification

v=DMARC1; p=quarantine;

or, if you are confident:

v=DMARC1; p=reject;

Because these are secondary domains, there is no reason to stay unprotected.
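
A record check to run on the TXT value before moving between the phases above, as an added example (not part of the original article or any provider's tooling). It goes beyond the article's values by also checking the rua reporting tag and the pct tag defined in RFC 7489; the function names and the example.com address are constructed for illustration.

```python
# Added example: lint a DMARC TXT value using RFC 7489 tag=value syntax.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name] = value.strip()
    return tags

def lint_dmarc(record):
    """Return findings for one record; an empty list means nothing to fix."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    # The version tag must come first and is case-sensitive.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append(f"p must be one of {sorted(POLICIES)}, got {policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports have no destination")
    pct = tags.get("pct", "100")  # defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct must be 0-100, got {pct!r}")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

if __name__ == "__main__":
    samples = [  # first three are the article's values; the last is constructed
        "v=DMARC1; p=none;",
        "v=DMARC1; p=quarantine;",
        "v=DMARC1; p=reject;",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    ]
    for value in samples:
        print(value, "->", lint_dmarc(value) or "ok")
```
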

Why DMARC Is Now Mandatory

Google and Yahoo have changed the rules.

If you send at scale and do not have DMARC, your emails will:

  • Bounce more often
  • Land in spam regardless of content
  • Fail long-term reputation building

DMARC is no longer optional. It is now table stakes for cold email.

Final Takeaway

  • SPF → Who is allowed to send
  • DKIM → Message integrity
  • DMARC → Enforcement and protection