DMARC stands for Domain-based Message Authentication,
Reporting, and Conformance. It serves as a method of
authentication for your brand, alongside Sender Policy Framework
(SPF) and DomainKeys Identified Mail (DKIM). What sets DMARC
apart from the other two authentication methods is its reporting
DMARC is an email authentication technology that protects a
domain from being used in phishing and spoofing attempts by
using a signing policy to define how receiving inbox providers
should handle messages that fail an authentication check. DMARC
also allows for a reporting mechanism in which inbox providers
can send reports on email that appears to be sent from a certain
domain back to the domain owner.
Inbox providers that support DMARC will attempt to validate
both DKIM and SPF, and depending on the outcome of those checks,
will look to the sending domain's DMARC policy on how to handle
emails that fail authentication.
If the inbox provider is able to successfully validate either
DKIM or SPF, the email will continue on its normal path. If the
message fails both DKIM and SPF authentication checks, however,
the inbox provider will enforce the sender’s DMARC policy, which
specifies how the email should be handled if it fails
authentication and where to send any reports.
DMARC has three levels of policy:
The preferred policy type—once vetted for correct
implementation—is 'p=none' which provides the highest level of
Litmus validates that the DMARC record in your DNS meets the
Litmus also reports the results of the record from multiple
external inbox providers to help you troubleshoot intermittent
1. Check your Email Service Provider (ESP) for their DMARC
Your ESP may have detailed instructions for adding the correct
DMARC entry as a text entry in your domain's DNS record. Given
the impact an incorrect DMARC policy can have, you should
consult with your ESP if you are unsure how to proceed.