
What is DMARC?

Updated 4 June 2026 · 5 min read

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication standard. It tells the mail servers that receive your email two things: what to do when a message claiming to be from your domain fails its authentication checks, and where to send reports about that mail. In short, DMARC is how you find out who is sending email as your domain, and how you stop the ones who should not be.

What DMARC actually does

You publish a single DNS TXT record on your domain. That record sets a policy and a reporting address. From then on, every receiver that supports DMARC (Google, Microsoft, Yahoo and most of the rest) checks incoming mail against your policy and sends you a summary of what it saw. DMARC does not inspect message content; it works on the authentication result and the domain in the visible From address.

How DMARC builds on SPF and DKIM

SPF lets you list the servers allowed to send mail for your domain. DKIM attaches a cryptographic signature so a receiver can confirm a message was not altered in transit. Both are useful on their own, but neither says what a receiver should do on failure, and neither checks the address your recipients actually see. DMARC sits on top of both and adds that missing decision.

Alignment: the part people miss

DMARC introduces alignment. A message passes DMARC only if SPF or DKIM passes and the domain it authenticated matches the domain in the visible From header. This is what stops an attacker from passing SPF on their own domain while displaying yours. A message can pass SPF and still fail DMARC if the domains do not line up.

DMARC reports

There are two kinds. Aggregate reports (RUA) are daily XML summaries: which IP addresses sent mail as you, how much, and whether it passed. Forensic reports (RUF) are samples of individual failing messages. Aggregate reports are where the value is for most organisations - they show your legitimate senders and the spoofers side by side.
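The alignment failure and the aggregate report described above, tied together in an added example (not code from the original page or from DMARCHub): it reads a constructed report in the RFC 7489 aggregate layout and lists sources that passed SPF or DKIM for some other domain than the one in From. The `summarise` name, the sample domains and the documentation IPs are assumptions, and the domain comparison is exact-match only.

```python
import xml.etree.ElementTree as ET  # for reports from untrusted senders, prefer defusedxml

# Constructed sample report (trimmed). example.com / attacker.test are placeholders.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarise(report_xml):
    """One dict per record: source, volume, DMARC verdict, and any domain that
    passed SPF/DKIM on its own without matching the visible From domain."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from").lower()
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated carries the aligned results; either one passing is a DMARC pass.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        unaligned = [
            f"{auth.tag}:{auth.findtext('domain')}"
            for auth in rec.find("auth_results")
            if auth.findtext("result") == "pass"
            and auth.findtext("domain").lower() != header_from  # exact match (simplification)
        ]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "dmarc": "pass" if dmarc_pass else "fail",
            "passed_unaligned": unaligned,
        })
    return rows

if __name__ == "__main__":
    print(*summarise(SAMPLE_REPORT), sep="\n")
```

The second record is the case to look for when reviewing reports: SPF passed, but for `attacker.test`, so the aligned result for `example.com` is a fail.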

Why it matters

Without DMARC, anyone can put your domain in the From line of an email and most receivers will deliver it. That is the mechanism behind a large share of phishing and invoice fraud. With DMARC at a reject policy, those messages are refused at the door, and your reports tell you it is working. The path is always the same: monitor first, understand your real mail, then tighten the policy.

Frequently asked questions

Is DMARC mandatory?

DMARC is not a legal requirement, but since February 2024 Google and Yahoo require a DMARC record for anyone sending bulk email to their users. In practice, if you send marketing or transactional email at any volume, you need it.

Does DMARC stop all email spoofing?

DMARC stops attackers sending mail from your exact domain once you move to a reject policy. It does not stop lookalike domains (for example a misspelling of your domain), which are handled separately through monitoring and takedowns.

Do I need SPF and DKIM before DMARC?

Yes. DMARC does not authenticate mail on its own - it builds on SPF and DKIM. You publish those first, then add a DMARC record that decides what happens when they fail.
