About DMARC

Prevent spoofing and phishing with DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a standard email authentication method. DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain. Spoofing is a type of attack in which the From address of an email message is forged. A spoofed message appears to be from the impersonated organization or domain.

DMARC also lets you request reports from email servers that get messages from your organization or domain. These reports have information to help you identify possible authentication issues and malicious activity for messages sent from your domain.

Spoofing and phishing

Spammers can spoof your domain or organization to send fake messages that impersonate your organization. 

Spoofed messages are often used for malicious purposes, for example to communicate false information or to send harmful software. Spoofed messages are also used for phishing, a scam that tricks people into entering sensitive information like usernames, passwords, or credit card data. Spoofing can have a lasting effect on your organization’s reputation, and impacts the trust of your users and customers.

Sometimes spammers forge messages so that they appear to come from well-known or legitimate organizations. If spammers use your organization’s name to send fake messages, people who get these messages might report them as spam. If many people report these messages as spam, legitimate messages from your organization might also be marked as spam.

How DMARC prevents spoofing

DMARC tells receiving mail servers what to do when they get a message that appears to be from your organization, but doesn't pass authentication checks, or doesn’t meet the authentication requirements in your DMARC policy record. Messages that aren't authenticated might be impersonating your organization, or might be sent from unauthorized servers.

DMARC is always used with these two email authentication methods or checks:

  • Sender Policy Framework (SPF) lets the domain owner authorize IP addresses that are allowed to send email for the domain. Receiving servers can verify that messages appearing to come from a specific domain are sent from servers allowed by the domain owner.
  • DomainKeys Identified Mail (DKIM) adds a digital signature to every sent message. Receiving servers use the signature to verify messages are authentic, and weren't forged or changed during transit.

Authenticates messages (DMARC alignment)

DMARC passes or fails a message based on whether the domain in the message’s From: header matches the sending domain verified by SPF or DKIM. This is called alignment. So, before you set up DMARC for your domain, you should turn on SPF and DKIM.

Learn about DMARC alignment.

Manages messages that fail authentication (receiver policy)

If a mail server gets a message from your domain that fails the SPF or DKIM check (or both), DMARC tells the server what to do with the message. There are three possible options, defined by your DMARC policy:

  • Policy is set to none--Take no action on messages, and deliver them normally.
  • Policy is set to quarantine--Mark messages as spam, and send them to recipients' spam folder, or to quarantine.
  • Policy is set to reject--Reject the messages, and don’t deliver them to recipients.

Learn about DMARC enforcement options.

Sends you reports so you can monitor and change your policy

Set up your DMARC record to get regular reports from receiving servers that get email from your domain. DMARC reports contain information about all the sources that send email for your domain, including your own mail servers and any third-party servers.

DMARC reports help you:

  • Learn about all the sources that send email for your organization.
  • Identify unauthorized sources that send email appearing to come from your organization.
  • Identify which messages sent from your organization pass or fail authentication checks (SPF or DKIM, or both).

DMARC reports are hard to read and interpret for most people. Learn more about using DMARC reports.

What you need to do


Before you set up DMARC

  • Set up SPF and DKIM for your domain
  • Set up a group or mailbox for DMARC reports
  • Get your domain host sign-in information
  • Check for an existing DMARC record (optional)
  • Make sure third-party mail is authenticated

For details, go to Before you set up DMARC.


Define your DMARC policy record

  • DMARC policy options
  • DMARC alignment options
  • DMARC report options

For details, go to Define your DMARC policy.


Add your DMARC record

  • Add or update your record
  • DMARC record format
  • DMARC record tags
  • Add domains or subdomains

For details, go to Add your DMARC record.


Tutorial: Recommended DMARC rollout

  1. Start with a relaxed DMARC policy
  2. Review DMARC reports
  3. Quarantine a small percentage of messages
  4. Reject all unauthenticated messages

For details, go to Tutorial: Recommended DMARC rollout.


DMARC reports

  • Who should use DMARC reports
  • Create a dedicated group or mailbox for your reports
  • Get help from a third-party service (recommended)
  • Reading your DMARC reports

For details, go to DMARC reports.


Troubleshoot DMARC issues

  • Verify messages pass authentication
  • Check your mail sending practices
  • Get more information with Email Log Search
  • Follow recommended troubleshooting steps

For details, go to Troubleshoot DMARC.

