What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?

Turkish: DMARC

DMARC combines SPF and DKIM results with a domain policy and reporting so domain owners can reduce spoofing and phishing that abuse their domain.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email security standard that combines SPF and DKIM authentication results with a domain-level policy. It tells receiving mail servers what to do with messages that fail these checks for the domain, and where to send reports about them.

For example, if an attacker tries to send invoice email while impersonating a company domain, the company's DMARC record can tell receivers to deliver the message and only report it (p=none), quarantine it, or reject it. Domain owners gain both an enforcement policy and visibility through reports.

How Does It Work?

DMARC is published as a DNS TXT record at _dmarc.<domain>. The record starts with v=DMARC1 and includes a policy (p=none, p=quarantine, p=reject); it can also carry report addresses (rua for aggregate reports, optionally ruf for failure reports), alignment settings (adkim, aspf), a separate subdomain policy (sp), and a percentage (pct) for gradual rollout.

DMARC checks two main conditions:

  • Does at least one of SPF or DKIM pass?
  • Does the domain that passed (the SPF MAIL FROM domain or the DKIM d= domain) align with the domain in the visible From header?

The second condition matters because a service may technically pass SPF or DKIM for its own domain while being unrelated to the domain shown to the user. Alignment is relaxed by default (the same organizational domain is enough) and can be set to strict (an exact domain match) with adkim=s and aspf=s.
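The record format and the two alignment conditions above, as an added example that is not part of the original page: a small DMARC evaluator that parses a record, applies relaxed or strict identifier alignment, and returns the DMARC result together with the disposition a receiver would apply (p= or sp=). The sample record, domains and authentication results are constructed; the organizational-domain logic is deliberately simplified (last two labels) where a real receiver would consult the Public Suffix List, and pct sampling is not modelled.

```python
"""Added example: a minimal DMARC evaluator (teaching code, not from any real
mail server). It parses a DMARC TXT record, checks identifier alignment for
SPF and DKIM, and returns the DMARC result plus the receiver's disposition."""


def organizational_domain(domain: str) -> str:
    # Simplification: real receivers use the Public Suffix List; assuming the
    # organizational domain is the last two labels is wrong for example.co.uk
    # but adequate for the constructed samples below.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with defaults applied.
    Raises ValueError if the record is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the v tag must come first and equal DMARC1, and p is required.
    first = txt.strip().split(";")[0].strip().lower().replace(" ", "")
    if first != "v=dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_results: list) -> tuple:
    """Return (dmarc_result, disposition).

    spf_result is the SPF verdict for the MAIL FROM domain spf_domain;
    dkim_results is a list of (verdict, d_tag) tuples, one per signature.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = any(v == "pass" and aligned(d, from_domain, record["adkim"])
                  for v, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failing mail whose From domain is a subdomain gets the sp= policy.
    is_subdomain = organizational_domain(from_domain) != from_domain.lower().rstrip(".")
    policy = record["sp"] if is_subdomain else record["p"]
    return "fail", policy


# Constructed sample record for example.com (not a real published record).
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def demo() -> dict:
    rec = parse_dmarc_record(SAMPLE_RECORD)
    return {
        # Bounce address on a subdomain: relaxed SPF alignment, passes.
        "own_mta": evaluate_dmarc(rec, "example.com", "pass", "bounce.example.com", []),
        # DKIM d= is a subdomain, but adkim=s demands an exact match.
        "strict_dkim": evaluate_dmarc(rec, "example.com", "fail", "esp.net",
                                      [("pass", "mailer.example.com")]),
        # Third-party service authenticates its own domain, not ours.
        "unaligned_esp": evaluate_dmarc(rec, "example.com", "pass", "esp.net",
                                        [("pass", "esp.net")]),
        # Spoofed subdomain with nothing passing: sp= applies.
        "spoofed_subdomain": evaluate_dmarc(rec, "news.example.com", "fail",
                                            "attacker.test", []),
    }


if __name__ == "__main__":
    for name, (result, disposition) in demo().items():
        print(f"{name:18} dmarc={result:4} disposition={disposition}")
```

The "unaligned_esp" case is the situation the text warns about: SPF and DKIM both pass, but for the sending service's domain, so DMARC still fails and the message is rejected.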

Setup and Risk Management

DMARC is usually deployed with p=none first, purely for monitoring. Aggregate reports are reviewed, every legitimate sender is brought under SPF or DKIM with an aligned domain, and the policy is then moved to quarantine and finally reject, optionally ramping with pct so that only a share of failing mail is affected at first.

SPF checks whether the sending IP is authorized for the envelope sender (MAIL FROM) domain, while DKIM verifies a signature made with the signing domain's published key. DMARC turns those results into a domain policy. Misconfiguration can reject legitimate mail, so marketing, transactional email, and corporate mail sources should be inventoried together before enforcement. Forwarded mail commonly breaks SPF because the forwarding server's IP is not authorized, which is one reason to have aligned DKIM signing in place as well.
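The monitoring step above (reviewing reports under p=none to find senders that still need SPF/DKIM coverage) as an added example, not taken from the page or any vendor tool: a triage script that parses the RFC 7489 aggregate (rua) XML layout with the standard library and lists the sending sources that would be affected by moving to quarantine or reject. The report is constructed for this example and uses documentation IP ranges and made-up organisation names; the classification heuristic is an assumption about how such sources usually turn out, not a rule from the standard.

```python
"""Added example (not from the page): triage a DMARC aggregate report before
tightening p=none. Lists sources whose mail passed neither aligned SPF nor
aligned DKIM, highest volume first, with a rough guess at why."""
import xml.etree.ElementTree as ET

# Constructed sample report: documentation IP ranges, fictitious names.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1234</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.mailvendor.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> list:
    """One dict per <record>: source IP, message count, the aligned SPF/DKIM
    verdicts the receiver applied, and the raw authenticated domains."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        ar = rec.find("auth_results")
        raw = [(a.tag, a.findtext("domain"), a.findtext("result"))
               for a in (ar if ar is not None else [])]
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "spf_aligned": pe.findtext("spf") == "pass",
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "disposition": pe.findtext("disposition"),
            "raw_auth": raw,
        })
    return rows


def failing_sources(xml_text: str) -> list:
    """Sources that would be hit by quarantine/reject: neither aligned SPF
    nor aligned DKIM passed. Sorted by volume so the big ones get fixed first."""
    rows = [r for r in parse_aggregate_report(xml_text)
            if not (r["spf_aligned"] or r["dkim_aligned"])]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def classify(row: dict) -> str:
    """Heuristic (an assumption, not part of the standard): a raw SPF or DKIM
    pass for some other domain usually means a legitimate third-party service
    that is not yet aligned; nothing passing at all looks like spoofing."""
    if any(result == "pass" for _, _, result in row["raw_auth"]):
        return ("unaligned third party: have it sign DKIM with d=%s or use a "
                "custom bounce domain under it" % row["header_from"])
    return "no authentication at all: likely spoofing"


if __name__ == "__main__":
    for r in failing_sources(SAMPLE_REPORT):
        print(f"{r['source_ip']:15} {r['count']:6}  {classify(r)}")
```

Run against real reports, the high-volume failing sources are the ones to fix before enforcement; the low-volume ones with no authentication at all are what the policy is meant to stop.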