Domain-based Message Authentication, Reporting & Conformance
At its core, DMARC builds on SPF and DKIM to give domain owners (like you) a say in how emails from your domain should be handled. With DMARC, you publish a policy in DNS that says, ‘If an email fails SPF/DKIM checks, do X.’ X can be:
1 – Do nothing and just report it (p=none) – essentially watching and collecting data (useful as a first step).
2 – Quarantine it (p=quarantine) – typically means send it to spam/junk.
3 – Reject it outright (p=reject) – tell the receiving server to chuck that email in the bin before it ever reaches a user.
By aligning the domain in the email’s ‘From’ header with the authenticated domain (SPF/DKIM), DMARC closes loopholes. If spoofers try to fake the ‘From’ address, DMARC will catch it and apply your chosen policy. DMARC says ‘Only trust emails from my domain if SPF and DKIM say it’s really me; if not, here’s what to do.’
When you set p=none (monitor mode), you’re asking for DMARC reports. These are XML reports ISPs send you (usually daily) telling you which emails claiming to be from your domain passed or failed SPF/DKIM, and often why. It’s a treasure trove of info: you’ll see who is sending email as you (could be your legit services or a hacker in Timbuktu), and whether those messages authenticated properly. This reporting is important for larger organizations to understand their email ecosystem and spot abuse.
Once you’re comfortable that legitimate mail is authenticating and you’re not seeing unexpected sources, you can tighten the screws – move to p=quarantine and eventually p=reject. Gmail and Microsoft have been nudging senders in this direction; by 2024 Gmail essentially expected domain owners to have at least a monitoring DMARC policy in place. And if you’re sending high volumes, having a strict DMARC policy is now a best practice (and sometimes even a requirement by partners/clients).
DMARC’s main purpose is security (stopping phishing and spoofing), but it indirectly helps your deliverability too. How? Trust. Mail systems have more confidence in emails from a domain with DMARC, because it’s far less likely to be spam or forged.
Another email deliverability boost: if you set p=quarantine or p=reject, ISPs know that any unauthenticated mail from you should be binned. That means when they see a legitimate email that does pass SPF/DKIM, they’re more inclined to deliver it confidently. You’ve essentially drawn clear lines for what’s legit from your brand.
Roll out enforcement gradually. Start with p=none to gather data (so you don’t accidentally block your own legit emails due to misconfiguration). Then move to p=quarantine – perhaps start at a small percentage (DMARC policies let you specify the percentage of emails the policy applies to) and ramp up to 100%. Finally, once you’re sure everything authenticates properly, go full p=reject. This phased approach ensures you don’t break things. Microsoft even recommends this slow progression to avoid ‘unintended mail loss’.