Skip to product menu
close
EXPLORE ALL PRODUCTS

Sales

 
CRM

Comprehensive CRM platform for customer-facing teams.

CRM
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
Sign

Digital signature app for businesses.

Sign
 
Forms

Build online forms for every business need.

Forms
 
Bigin

Simple CRM for small businesses moving from spreadsheets.

Bigin
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
RouteIQ

Comprehensive sales map visualization and optimal route planning solution.

RouteIQ
 
Thrive

Complete loyalty and affiliate management platform.

Thrive
 
Suites
CRM Plus

Unified platform to deliver top-notch customer experience.

CRM Plus

Marketing

 
Campaigns

Create, send, and track targeted email campaigns that drive sales.

Campaigns
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
Sign

Digital signature app for businesses.

Sign
 
Forms

Build online forms for every business need.

Forms
 
Social

All-in-one social media management software.

Social
 
Survey

Design surveys to reach and interact with your audience.

Survey
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Sites

Online website builder with extensive customisation options.

Sites
 
Backstage

End-to-end event management software.

Backstage
 
PageSense

Website conversion optimization and personalisation platform.

PageSense
 
Marketing Automation

All-in-one marketing automation software.

Marketing Automation
 
LandingPage

Smart landing page builder to increase conversion rates

LandingPage
 
Webinar

Webinar platform for webcasting online webinars.

Webinar
 
NEW
LeadChain

Sync, manage, and convert leads across channels seamlessly.

LeadChain
 
NEW
CommunitySpaces

Online community platform for individuals and businesses to grow their network and brand.

CommunitySpaces
 
Thrive

Complete loyalty and affiliate management platform.

Thrive
 
Publish

Manage all your local business listings on a single platform.

Publish
 
Suites
Marketing Plus

Unified marketing platform for marketing teams.

Marketing Plus

Commerce and POS

 
Commerce

eCommerce platform to manage and market your online store.

Commerce

Service

 
Desk

Helpdesk software to deliver great customer support.

Desk
 
Assist

Remote support and unattended remote access software.

Assist
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
SalesIQ

Live chat app to engage and convert website visitors.

SalesIQ
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
FSM

End-to-end field service management platform for service businesses.

FSM
 
Lens

Interactive remote assistance software with augmented reality.

Lens
 
Solo

The all-in-one toolkit for solopreneurs.

Solo
 
Suites
Service Plus

Unified platform for customer service and support teams.

Service Plus

Finance

 
Books

Powerful accounting platform for growing businesses.

Books
 
Expense

Effortless expense reporting platform.

Expense
 
Sign

Digital signature app for businesses.

Sign
 
Inventory

Powerful stock management and inventory control software.

Inventory
 
FREE
Invoice

100% Free invoicing solution.

Invoice
 
Billing

End-to-end billing solution for your business.

Billing
 
NEW
Payroll

Payroll software with automated tax payments and filing.

Payroll
 
Commerce

eCommerce platform to manage and market your online store.

Commerce
 
Checkout

Collect payments online with custom branded pages.

Checkout
 
Practice

Practice management software for accounting firms.

Practice
 
Solo

The all-in-one toolkit for solopreneurs.

Solo
 
NEW
Payments

Unified payment solution built for all businesses.

Payments
 
Suites
Finance Plus

All-in-one suite to manage your operations and finances.

Finance Plus

Email, Storage, and Collaboration

 
Mail

Secure email service for teams of all sizes.

Mail
 
Voice

Cloud Contact Center Software for businesses.

Voice
 
Sign

Digital signature app for businesses.

Sign
 
WorkDrive

Online file management for teams.

WorkDrive
 
Bookings

Appointment scheduling app for consultations with customers.

Bookings
 
Cliq

Stay in touch with teams no matter where you are.

Cliq
 
Notebook

Beautiful home for all your notes.

Notebook
 
Meeting

Online meeting software for all your video conferencing & webinar needs.

Meeting
 
Connect

Employee experience platform to communicate, engage, and build positive employee relations.

Connect
 
Learn

Knowledge and learning management platform.

Learn
 
Office Integrator

Built in document editors for web apps.

Office Integrator
 
Writer

Word processor for focused writing and discussions.

Writer
 
TeamInbox

Shared inboxes for teams.

TeamInbox
 
ZeptoMail

Secure and reliable transactional email sending service.

ZeptoMail
 
Show

Create, edit, and share slides with a sleek presentation app.

Show
 
Tables

Work management tool to connect people, processes, and information.

Tables
 
Sheet

Spreadsheet software for collaborative teams.

Sheet
 
Office Suite

Powerful collaborative work platform for teams.

Office Suite
 
Calendar

Online business calendar to manage events and schedule appointments.

Calendar
 
ToDo

Collaborative task management for individuals and teams.

ToDo
 
FREE
PDF Editor

Collaborative online PDF editing tool.

PDF Editor
 
Suites
Workplace

Application suite built to improve team productivity and collaboration.

Workplace

Human Resources

 
Expense

Effortless expense reporting platform.

Expense
 
Recruit

Intuitive recruiting platform built to provide hiring solutions.

Recruit
 
People

Organize, automate, and simplify your HR processes.

People
 
Sign

Digital signature app for businesses.

Sign
 
NEW
Payroll

Payroll software with automated tax payments and filing.

Payroll
 
Shifts

Employee scheduling and time tracking app.

Shifts
 
Workerly

Manage temporary staffing with an employee scheduling solution.

Workerly
 
Suites
People Plus

Comprehensive HR platform for seamless employee experiences.

People Plus

Security and IT Management

 
Creator

Build custom apps to simplify business processes.

Creator
 
Assist

Remote support and unattended remote access software.

Assist
 
Vault

Online password manager for teams.

Vault
 
Directory

Workforce identity and access management solution for cloud businesses.

Directory
 
Lens

Interactive remote assistance software with augmented reality.

Lens
 
QEngine

Test automation software to build, manage, execute, and report testcases.

QEngine
 
Catalyst

Pro-code platform to build and deploy your apps.

Catalyst
 
RPA

Automate manual, tedious, and repetitive tasks easily.

RPA
 
FREE
OneAuth

Secure multi-factor authenticator (MFA) for all your online accounts.

OneAuth
 
Toolkit

Complete resource for any admin-related lookup queries.

Toolkit
 
NEW
eProtect

Comprehensive email security and archiving for every business.

eProtect

BI and Analytics

 
Analytics

Modern self-service BI and analytics platform.

Analytics
 
DataPrep

AI-powered data preparation service for your data-driven organization.

DataPrep
 
NEW
IoT

Harnessing IoT analytics for real-time operational intelligence.

IoT
 
Embedded BI

Embedded analytics and white label BI solutions, tailored for your needs.

Embedded BI

Project Management

 
Projects

Manage, track, and collaborate on projects with teams.

Projects
 
Sprints

Planning and tracking tool for scrum teams.

Sprints
 
BugTracker

Automatic bug tracking software for managing bugs.

BugTracker
 
Solo

The all-in-one toolkit for solopreneurs.

Solo
 
Suites
Projects Plus

Unified project management platform for intelligent, data-driven work.

Projects Plus

Developer Platforms

 
Creator

Build custom apps to simplify business processes.

Creator
 
Flow

Automate business workflows by creating smart integrations.

Flow
 
Office Integrator

Built in document editors for web apps.

Office Integrator
 
DataPrep

AI-powered data preparation service for your data-driven organization.

DataPrep
 
ZeptoMail

Secure and reliable transactional email sending service.

ZeptoMail
 
Tables

Work management tool to connect people, processes, and information.

Tables
 
QEngine

Test automation software to build, manage, execute, and report testcases.

QEngine
 
Catalyst

Pro-code platform to build and deploy your apps.

Catalyst
 
RPA

Automate manual, tedious, and repetitive tasks easily.

RPA
 
NEW
IoT

Build, deploy, and scale IoT solutions for connected businesses.

IoT
 
Apptics

Application analytics for all apps.

Apptics
 
Embedded BI

Embedded analytics and white label BI solutions, tailored for your needs.

Embedded BI

IoT

 
NEW
IoT

Low-code IoT platform and solutions for connected businesses.

IoT
 
CRM Plus

Unified platform to deliver top-notch customer experience.

Try now
CRM Plus
 
Service Plus

Unified platform for customer service and support teams.

Try now
Service Plus
 
Finance Plus

All-in-one suite to manage your operations and finances.

Try now
Finance Plus
 
People Plus

Comprehensive HR platform for seamless employee experiences.

Try now
People Plus
 
Workplace

Application suite built to improve team productivity and collaboration.

Try now
Workplace
 
Marketing Plus

Unified marketing platform for marketing teams.

Try now
Marketing Plus
 
Projects Plus

Unified project management platform for intelligent, data-driven work.

Try now
Projects Plus
 
All-in-one suite

Zoho One

The Operating System for Business

Run your entire business on Zoho with our unified cloud software, designed to help you break down silos between departments and increase organizational efficiency.

TRY ZOHO ONE
Zoho One
Zoho Marketplace

With over 2000 ready-to-use extensions across 40+ categories, connect your favorite business tools with the Zoho products you already use.

EXPLORE MARKETPLACE
Marketplace
Skip to main content

What is a DMARC record?

  • Published : March 25, 2024
  • Last Updated : June 19, 2025
  • 767 Views
  • 7 Min Read

Email authentication mechanisms like SPF and DKIM, are in place to protect the emails you send. They ensure both the sender’s identity and the email's contents are guarded. But the job doesn't end with just implementing them.

The next step in truly protecting your emails is to define what happens if the authentication fails. For that, senders should have a reliable way to receive feedback on how the authentication policies are performing.

Imagine trying to manually co-ordinate this between the sender and the receiver. This would be messy and impractical in some cases. This is where DMARC comes in.

 

What is DMARC?

Domain-based Message Authentication Reporting and Conformance (DMARC) is a protocol that builds on top of SPF and DKIM. It does two main things:

  1. Tells the receiver what actions to take if the email fails the SPF and DKIM checks.
  2. Provides feedback about the authentication performance and any issues that need fixing. 
     

DMARC is designed to protect against phishing and spoofing attack. It does this by ensuring that the FROM address matches the domain that has been SPF and DKIM- authenticated.This process is called domain alignment.

If the alignment fails, the receiving server will follow the instructions specified in the DMARC policy.

How does DMARC work?

To understand DMARC, you need to be familiar with three core concepts. They are:

  • SPF
  • DKIM
  • Identifier alignment

SPF

SPF lists all of the allowed IPs, domains, and servers eligible to send emails on your behalf. It is similar to a guest list at an event. As a domain owner, you should publish the SPF record in your DNS.

When you send an email, the receiving server checks the return-path domain(obtained from the email's header) and verifies it with the published SPF record. If the domain values match, it is an SPF pass. If they don’t, it's a fail.

DKIM

While SPF authenticates the sender, DKIM ensures that the email's content hasn't been tampered with. It does this with the help of a digital signature. Here's how it works:

  • The sender converts the email's contents into a hash value(DKIM signature). The signature is then encrypted using the sender's private key. This encrypted value is sent along with the email.
  • The sender then publishes a public key in their domain's DNS .
  • The receiving server obtains the public key from the domain mentioned in the "d=" tag of DKIM. Recreates the hash values using the data available in the DKIM signature, and encrypts it.
  • Next, it decrypts the hash value sent along with the message.
  • The receiver's encrypted value and the decrypted sender's value are compared. If they match, it’s a DKIM pass.

Identifier alignment

SPF and DKIM authenticate different parts of an email.

  • SPF checks the return-path domain.
  • DKIM verifies if the email content is intact. This is done by obtaining the public key from the domain mentioned in the signature.


The domains that SPF and DKIM validate are called authenticated identifiers. DMARC verifies if the authenticated identifier matches with the return path or the MAIL FROM domain. The match is determined based on two modes:

  • Strict - Domains must match exactly.
  • Relaxed - A Sub-domain match is also acceptable.

The identifier alignment is verified for both SPF and DKIM.

SPF identifier alignment

SPF alignment checks if the return-path domain matches with the domain in the FROM address.

DKIM alignment

DKIM alignment verifies if the domain in the "d=" tag and the MAIL FROM domain match.

SPF, DKIM and identifier alignment determine the DMARC policy's execution.

What does a DMARC record look like?

The DMARC policy is published as a TXT record in the DNS under the subdomain "_dmarc". For example, "_dmarc.example.com".

Here is an example DMARC record:

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@domain.com;

Let's break down the record:

V=DMARC1 

This tag mentions the version of the record. This is a mandatory tag.

P=reject

The mandatory p tag mentions the policy for emails that fail authentication. There are three values that the p tag takes:

None: The email is accepted, but no action will be taken by the receiving server.

Quarantine: The email will be marked as suspicious. The email will still be accepted into the receiving server. But it will either be sent to the spam folder or a quarantine mailbox for the admin's perusal.

Reject: The email is rejected.

Pct=100 (optional)

Pct refers to the percentage of emails to be affected by the DMARC policy and can take a value between 0-100. This is done to ensure a gradual rollout of the DMARC policy. In the example given, pct is set to 100, which means that the DMARC policy is applied to all the emails.

Rua=mailto: dmarc-reports@domain.com\;

The ruais the address where the DMARC aggregate reports should be sent. These reports contain the authentication status of the domains. These are not real-time results and are sent daily. This tag is optional but is advised to have one to determine how well the authentication is implemented.

  

Email authentication flow in DMARC

Once the SPF, DKIM, and DMARC values are published by the sender, the check occurs in the following manner:

  • The sender drafts an email and sends it.
  • The DKIM module signs the email.
  • The Mail Transfer Agent (MTA) delivers it to the recipient server.
  • The receiving server validates SPF by checking the return-path and DKIM by checking the signature.
  • The DMARC module checks the alignment of the identifiers and applies the policy.
  • Depending on the policy, the email will either be accepted, quarantined, or rejected.
  • The recipient server sends the report to the sender.

How to implement DMARC

Follow the steps to implement the policy.

  • Setup SPF and DKIM for your domain.
  • Choose an email address to receive the DMARC feedback reports. This will help identify the issues with your authentication methods and resolve them.
  • Generate the DMARC record.
  • Publish the record to your DNS.
     

Setup SPF and DKIM

SPF and DKIM alignment is necessary to implement DMARC. DMARC fails if SPF or DKIM fail, so it’s important to configure both.

For SPF: Check if the FROM address and return-path domains match.

For DKIM: Verify if the FROM address and the "d=" tag domains match

Choose an email address to receive emails

Choose a dedicated mailbox just for your reports. DMARC reports come in XML format and are sent daily. Online tools like Dmarcian can make the record more readable.

Generate DMARC

Use online tools like these to generate your DMARC record. 

Publish the record to DNS

To publish the DMARC record, add the following values in your DNS provider's settings: 

  • Type:  TXT
  • Name: _dmarc.yourdomain.com
  • Value: generated dmarc value. Ex:  v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@domain.com;
     

DMARC rollout

As you start implementing DMARC, you can ease into it by rolling it out in phases. This gives you visibility on which servers are sending emails, whether they pass SPF checks, and where issues are creeping in. By gradually applying DMARC policy to your emails, you can adapt your emails to it without compromising on their deliverability.

DMARC rollout can be carried out using the p and pct tags .

  1. Start with p=none
    You will get feedback about your emails without rejecting them. This helps you monitor your emails without causing delivery issues.
    Ex. v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com\
  2. Next, set p=quarantine with lower percentage, like pct=5.
    Emails that fail DMARC will be quarantined.
    v=DMARC1\; p=quarantine\; pct=5\; rua=mailto:dmarc-reports@domain.com\; Small organizations can choose to quarantine a larger portion of their emails. Large organizations can opt for a smaller number because they have multiple email channels.
  3. Gradually increase the pct value.
  4. Finally, once you confirm that all the emails are authenticated, you can enforce a stricter policy. You can set p=reject for 100% of your emails.

 

Note: If you’re focused on improving your brand identity and adopting BIMI, you must adopt p=reject.

  

Additional DMARC tags

Here is a list of additional tags you can use in your DMARC record.

TagDescription
adkim

(Optional)

Specifies the DKIM identifier alignment mode. It can take either of two values:

r for relaxed

s for strict

Default: r

aspf

(Optional)

Specifies the SPF identifier alignment mode. It can take either of two values:

r for relaxed

s for strict

Default: r

rufSpecifies the address to receive the failure/forensic reports. Failure reports are sent immediately after an email authentication failure occurs.
f

Specifies the failure or forensic report options. This can be ignored if ruf is not mentioned. It can take four values:

 

0: If both SPF and DKIM fail to produce an alignment pass.

1:If either SPF or DKIM produces a result other than aligned pass.

d: Generate a DKIM failure report if the email's DKIM signature fails validation, irrespective of its alignment.

s: Generate an SPF failure report if the email fails SPF evaluation, irrespective of the alignment.

sp

(optional)

 

Specifies the policy for all sub-domains. It takes the same value as the p tag. If sp is not mentioned, the value of p will be considered for the sub-domains.

rf

(optional)

Specifies the format to be used while generating reports for SPF and DKIM fails.

The values mentioned in the format should match the ones defined here.

Default: afrf

ri

(optional)

Specifies the time interval (in seconds) between aggregate reports that are sent daily.

Default: 86400

DMARC and deliverability

DMARC not only protects your domains, but also improves your reputation. By preventing bad actors from phishing or spoofing your domain, you can reduce your chances of being flagged as a spammer. This improves your deliverability, ensuring more of your emails go to the inbox.

Moreover, DMARC's aggregate reports highlight the issues with your authentication giving you a chance to fix them.

Wrapping up

Email authentication has become a necessity to protect your emails against the constant spoofing and phishing threats. With SPF, DKIM and DMARC, you can navigate the seas of email delivery with ease. Start small, test, and adapt your authentication methods. The flexibility of DMARC's "none" policy means you don't have to risk deliverability. So, DMARC not only protects your emails, it protects your brand.

Leave a Reply

Your email address will not be published. Required fields are marked

By submitting this form, you agree to the processing of personal data according to our Privacy Policy.

You may also like