DMARC Explained 2025: What It Is, Benefits, Policies (None, Quarantine, Reject), Strict vs Relaxed + Real Examples
- Mithun GS
- Jun 1
What is DMARC? (Simple Definition)
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
It’s a free email security standard that:
Stops people from faking your email address
Tells Gmail, Outlook, etc. what to do with fake emails
Sends you daily reports on who’s using your domain
Think of DMARC as a "Do Not Impersonate" sign for your email domain.
You set it up with a single DNS TXT record at _dmarc.yourdomain.com.
Why Use DMARC in 2025? (Top 8 Benefits)
Benefit | Real-World Impact |
Stop Email Spoofing | Block fake CEO emails |
Prevent Phishing | 99% reduction in domain impersonation |
Boost Inbox Placement | Legit emails avoid spam |
Get Visibility | See every sender using your domain |
Meet Compliance | Required for HIPAA, NIST, SOC 2, PIPEDA |
Reduce Support Tickets | Fewer "I got a fake email" calls |
Protect Brand | Stop scammers damaging trust |
Free & Easy | No software needed |
Stat: 93% of companies with DMARC at p=reject report zero spoofing incidents (Valimail 2025)
DMARC Policies: p=none vs quarantine vs reject
Policy | What Happens to Failed Emails | When to Use |
p=none | Delivered normally | Start here – monitor only |
p=quarantine | Sent to spam | Mid-stage – test safely |
p=reject | Blocked completely | Final stage – full protection |
Never jump to reject — always start with none.
Strict vs Relaxed Alignment (adkim / aspf)
Mode | SPF Check | DKIM Check | Best For |
Relaxed (default) | Subdomains allowed | Subdomains allowed | 95% of users |
Strict (s) | Exact domain only | Exact domain only | High-risk domains |
Example:
From: support@shop.example.com
SPF (envelope sender) domain: mail.example.com
→ Relaxed: PASS | Strict: FAIL
Use strict only if every email uses the exact same domain.
The pct= Tag: Roll Out DMARC Safely
Apply policy to only a percentage of failing emails.
pct=10 → The policy is applied to only 10% of failing emails
pct=100 → Full enforcement
6-Week Rollout Plan
Week | Setting | Goal |
1–2 | p=none; pct=100 | Collect data |
3 | p=quarantine; pct=10 | Test 10% |
4 | p=quarantine; pct=50 | Scale up |
5 | p=quarantine; pct=100 | Full quarantine |
6 | p=reject; pct=100 | Max security |
Real Examples: What Happens in Each Policy
Scenario: Hacker sends fake invoice From: billing@yourcompany.com → Fails SPF & DKIM
1. p=none → Email Delivered
v=DMARC1; p=none; rua=mailto:reports@yourcompany.com
Email goes to inbox
You get a failure report
No action taken
Use this first — see who’s sending mail.
2. p=quarantine → Email Goes to Spam
v=DMARC1; p=quarantine; pct=100; rua=...
95% of users never see it
Marked as spam in Gmail/Yahoo
You still get reports
Safe middle ground
3. p=reject → Email Blocked
v=DMARC1; p=reject; pct=100; rua=...
Email never arrives
Server rejects it instantly
Zero risk to users
End goal for all domains
Sample DMARC Records (Copy & Paste)
; 1. Start Monitoring
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
; 2. Quarantine (10% Rollout)
_dmarc IN TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com"
; 3. Full Protection
_dmarc IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:failures@yourdomain.com"
; 4. Strict Mode
_dmarc IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=..."
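The alignment and policy rules above, as an added example that is not part of the original post: a simplified evaluator in Python that parses a DMARC record and returns what the record asks a receiver to do with a message. The function names are hypothetical, the organizational domain is approximated as the last two labels instead of using the Public Suffix List, and pct= sampling is not modelled.

```python
# Added example (not from the original post): simplified DMARC evaluation.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...' into a dict, applying the default tag values."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}  # relaxed alignment, 100%
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("v tag must be DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= policy")
    return tags


def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels. Real
    # receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False  # that check did not pass at all
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass', or the policy the record requests for failing mail.

    spf_domain / dkim_domain: domain that passed SPF / DKIM, or None if it failed.
    pct= sampling is not modelled here.
    """
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or \
       aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # The alignment example from the page: relaxed passes, strict fails.
    print(evaluate("v=DMARC1; p=reject", "shop.example.com", spf_domain="mail.example.com"))
    print(evaluate("v=DMARC1; p=reject; aspf=s", "shop.example.com", spf_domain="mail.example.com"))
```

A message needs only one aligned pass, SPF or DKIM, to pass DMARC, which is why the evaluator checks both before falling back to the record's policy.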
DMARC Reports: See Everything
Report | What You Get |
RUA | Daily summary (XML) – who passed/failed |
RUF | Failed email samples (optional) |
Free Tools to Read Reports:
Final Step: Add Your First DMARC Record
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Log into your DNS provider (GoDaddy, Cloudflare, etc.)
Add TXT record
Wait 24–48 hours
Check with MXToolbox DMARC
Conclusion
DMARC is the #1 way to stop email spoofing in 2025.
Start with p=none → monitor → quarantine → reject.
No cost. No software. Just one DNS record.
Protect your brand today.
