DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on SPF and DKIM by specifying what receiving mail servers should do when an email fails authentication checks — reject it, quarantine it, or allow it through — and by sending reports back to the domain owner about authentication outcomes.
What should I know about DMARC?
Three Policy Levels: None, Quarantine, Reject
p=none monitors without action, making it ideal for initial deployment. p=quarantine sends failing emails to spam. p=reject blocks failing emails entirely. Moving from none to reject over time is the recommended path to full protection.
DMARC Reports Show What Is Being Sent in Your Name
Daily aggregate DMARC reports reveal every IP address claiming to send email from your domain and whether those emails are passing or failing authentication — surfacing both misconfiguration and spoofing attempts.
DMARC Alignment Closes the SPF Spoofing Gap
DMARC requires that the visible From address aligns with the domain that passed SPF or DKIM. SPF on its own authenticates only the envelope sender (Return-Path) domain, so without this alignment check, attackers can pass SPF by sending from a server authorized for a domain they control while displaying a spoofed From address to recipients.
How is DMARC used in practice?
A team deploys DMARC in stages. Month 1: v=DMARC1; p=none; rua=mailto:dmarc@company.com — monitoring only. They review aggregate reports weekly and fix authentication failures in their sending tools. Month 2: p=quarantine; pct=25 — quarantine failing emails for 25% of traffic while monitoring the impact. Month 3: p=reject — full enforcement after confirming all legitimate senders are passing correctly.
A company receives their weekly DMARC aggregate report and notices an unfamiliar IP address in Brazil sending thousands of emails claiming to be from their domain. Because their DMARC policy is set to p=reject, those spoofed emails are being blocked by receiving servers. Without DMARC, those spoofed emails would have been delivered, potentially damaging their domain's sender reputation.
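An added example (not from the original page) of reading an aggregate report like the one in the scenario above: it totals messages per source IP that failed both aligned SPF and aligned DKIM. It assumes the report is already decompressed and uses no XML namespace; the sample report, domain and IP addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout. example.com and
# the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>3500</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>500</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def _text(node, path):
    """Child element text, trimmed and lower-cased ('' if the element is absent)."""
    return (node.findtext(path) or "").strip().lower()


def failing_sources(report_xml: bytes) -> dict:
    """Map source IP -> message count and dispositions for rows that failed DMARC."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if b"<!DOCTYPE" in report_xml or b"<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(report_xml)
    found = defaultdict(lambda: {"messages": 0, "dispositions": set()})
    for row in root.iterfind("record/row"):
        # policy_evaluated holds the alignment-aware results; DMARC passes if
        # either aligned DKIM or aligned SPF passed, so skip those rows.
        if "pass" in (_text(row, "policy_evaluated/dkim"),
                      _text(row, "policy_evaluated/spf")):
            continue
        entry = found[_text(row, "source_ip")]
        entry["messages"] += int(_text(row, "count") or 0)
        entry["dispositions"].add(_text(row, "policy_evaluated/disposition"))
    return dict(found)


if __name__ == "__main__":
    for ip, info in failing_sources(SAMPLE_REPORT).items():
        print(ip, info["messages"], sorted(info["dispositions"]))
```

The row with SPF failing but DKIM passing is deliberately not reported: one aligned pass is enough for DMARC, which is typical of a legitimate sending tool that signs with DKIM but is missing from the SPF record.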
Frequently asked questions
What is the minimum DMARC policy required by Google and Yahoo?
Google and Yahoo's 2024 requirements mandate a DMARC policy of at least p=none for all bulk senders (over 5,000 emails per day). While p=none provides no active enforcement, it satisfies the requirement and is the starting point before moving to quarantine or reject.
What is the difference between RUA and RUF DMARC reports?
RUA (aggregate) reports are daily summaries of all email authentication outcomes for your domain, showing sending sources, pass/fail rates, and volumes. RUF (forensic) reports are sent for individual failures and include headers from the failing email. RUA reports are always recommended; RUF reports are optional and contain more sensitive data.
How long does DMARC take to implement fully?
Publishing the initial DMARC DNS record takes minutes. Analyzing reports, fixing authentication issues across all sending sources, and gaining confidence to move to p=reject typically takes 4-8 weeks for organizations with multiple email service providers and complex sending infrastructure.