Sendmarc’s DMARC management platform delivers enterprise-grade features to enforce, monitor, and optimize DMARC across any domain environment.
With fanatical support, audited security controls, and unlimited scalability, Sendmarc is built for organizations that take email authentication seriously.
Whether securing a few domains or thousands, Sendmarc provides the infrastructure, visibility, and assurance required to meet any DMARC requirements.
Enterprise features for all
DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT management with advanced reporting, policy control, and threat intelligence.
Unbeatable support
Sendmarc guarantees DMARC compliance on time and on budget – we promise full protection within 90 days* for businesses of all sizes.
*For customers on Sendmarc’s Premium Plan, subject to the number of domains.
Certified, compliant, & secure
ISO 27001 and SOC 2 certified, Sendmarc offers world-class data security, internal controls, and auditing capabilities; we’ve created our platform with privacy and integrity in mind.
Limitless scale
Scale up to the demands of global enterprises; manage millions of records and thousands of domains with a built-in ranking structure and access control.
Get instant access to Sendmarc’s DMARC management platform
Input your business and domain details
Connect with us to get support during your DMARC journey and guarantee success
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help secure your organization’s domain and stop cybercriminals from using it in email impersonation and spoofing attacks.
If your business sets up a DMARC record in its DNS, it can monitor services sending email from its domain and enforce policies that prevent spoofing and impersonation.
Sendmarc’s DMARC management platform provides everything your company needs to manage DMARC, SPF, DKIM, Mail Transfer Agent Strict Transport Security (MTA-STS), Transport Layer Security Reporting (TLS-RPT), and Brand Indicators for Message Identification (BIMI), supported by Sendmarc’s award-winning DMARC implementation services.
Email communication wasn’t originally created with identity verification in mind. This means cybercriminals can send emails from your organization’s domain and target customers, employees, or suppliers.
Traditional email security tools primarily protect internal users. This leaves external recipients, such as customers and suppliers, vulnerable to spoofed emails.
DMARC uses SPF and DKIM results to check if a message should be trusted.
Here’s how it works:
A DMARC record is published in your business’s domain DNS settings as a TXT record. Below are examples of both a basic and an advanced DMARC record.
Host | Type | Value |
---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1; |
This record tells email providers to reject unauthenticated messages and send aggregate reports to [email protected].
Host | Type | Value |
---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=reject; aspf=s; adkim=s; fo=1; |
This advanced DMARC record applies a policy of p=quarantine to all unauthenticated messages. It sends aggregate reports to [email protected] and forensic reports to [email protected]. It also enforces a policy of p=reject on subdomains, uses strict alignment for SPF and DKIM, and enables failure reporting.
It is best to start with p=none to collect data before moving toward stricter enforcement.
Choose an inbox to receive aggregate DMARC reports, for example, rua=mailto:[email protected].
Make sure this inbox can process XML-formatted data. For proper alignment, the domain of the reporting address should match your company’s sending domain.
Host | Type | Value |
---|---|---|
_dmarc.yourdomain.com | TXT | v=DMARC1; p=none; rua=mailto:[email protected]; |
Use Sendmarc’s DMARC policy manager to generate, validate, and publish your organization’s record correctly.
Your business will start receiving DMARC reports within 24 to 48 hours. These XML-based reports can be difficult to read manually. Our DMARC analyzer automatically processes DMARC data, providing clear, actionable insights to help your company identify unauthorized senders, monitor compliance, and move toward full protection.
Implementing DMARC can significantly improve the security, deliverability, and visibility of your organization’s email.
With DMARC in place, your organization’s email becomes a trusted source, strengthening brand reputation and minimizing email-based threats.
The most critical DMARC mistake is moving to a p=reject policy too quickly without analyzing your business’s DMARC reports. If a legitimate email service doesn’t have properly aligned SPF or DKIM records, those messages will fail authentication checks. As a result, legitimate emails may be rejected by receiving servers, which can negatively impact operations and email deliverability.
RUA address for DMARC reports
pct) value, leading to unexpected policy application
If your company needs help with DMARC implementation or configuration, Sendmarc’s award-winning support team is here to assist. Our DMARC management platform ensures safe and correct configuration from the start.
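Record-level problems such as a missing rua address, an unexpected pct value, or more than one DMARC record on a domain can be caught before publishing. The following is an added example, not Sendmarc's code: `parse_dmarc` and `lint_dmarc` are hypothetical names, the report address is constructed, and the tag rules assumed are those of RFC 7489.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt_records):
    """Return findings for the TXT values published at _dmarc.<domain>."""
    # Only TXT values whose first tag is v=DMARC1 count as DMARC records.
    records = [p for p in map(parse_dmarc, txt_records) if p and p[0] == ("v", "DMARC1")]
    if not records:
        return ["no DMARC record found"]
    if len(records) > 1:
        return ["multiple DMARC records: only one is allowed per domain"]
    tags = dict(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= value: {policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} is not an integer from 0 to 100")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

if __name__ == "__main__":
    # Constructed sample: enforcing policy with partial pct and no report address.
    for finding in lint_dmarc(["v=DMARC1; p=reject; pct=50"]):
        print(finding)
```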
DMARC is an email authentication protocol that builds on SPF and DKIM to protect your organization’s domain from impersonation and spoofing attacks. While these three standards are related, they serve different purposes. The table below outlines their functions and how each is configured.
Protocol | Purpose | Configuration |
---|---|---|
SPF | Authorizes sending IPs | DNS TXT record |
DKIM | Digitally signs messages | Email headers & DNS TXT record |
DMARC | Enforces policy and reports | DNS TXT record |
Using DMARC, SPF, and DKIM together creates a strong foundation for preventing email impersonation and spoofing. It also enhances the effectiveness of your business’s overall email security strategy.
A DMARC record is a DNS TXT entry that tells receiving servers how to handle unauthenticated messages and where to send reports.
Yes. DMARC aligns SPF and DKIM with the domain in the ‘From’ header and adds policy enforcement and reporting capabilities.
No, only one DMARC record is allowed per domain. Subdomains can have their own DMARC records, which might be different from the policy set on the root domain.
A DMARC fail means the message failed both SPF and DKIM alignment checks and didn’t comply with the domain’s DMARC policy.
Use Sendmarc’s DMARC checker to test and validate your company’s setup.
Incorrect DMARC policies can block valid messages or fail to prevent spoofing. Start with a p=none policy, then progress to p=quarantine or p=reject.
DMARC significantly reduces domain spoofing but should be part of a wider security strategy that includes user training.
Check out how Sendmarc simplifies the implementation and management of DMARC.