DMARC Configuration for Cold Email Outreach

Flowleads Team 15 min read

TL;DR

DMARC ties SPF and DKIM together, telling email providers what to do when authentication fails. Start with p=none to monitor, move to p=quarantine, then p=reject for maximum protection. DMARC reports reveal who's sending email as your domain—legitimate or fraudulent. For cold email, DMARC at p=quarantine or p=reject signals you're a serious sender.

Key Takeaways

  • DMARC requires SPF and DKIM to be set up first
  • Start with p=none policy to monitor without blocking
  • Progress to p=quarantine then p=reject over 4-8 weeks
  • Use DMARC reports to identify unauthorized senders
  • DMARC at p=reject provides the strongest deliverability signal

What is DMARC?

DMARC—which stands for Domain-based Message Authentication, Reporting, and Conformance—is the final piece of your email authentication puzzle. While SPF and DKIM work independently to verify your emails, DMARC brings them together and tells receiving email servers exactly what to do when something doesn’t check out.

Here’s a simple way to think about how these three protocols work together. SPF is like showing your ID at the door, saying “I’m allowed to send mail from this address.” DKIM is like having a wax seal on your letter that proves it hasn’t been tampered with. DMARC is the bouncer who checks both your ID and your seal, then follows your specific instructions about what to do if either one is fake—whether that’s letting you in anyway, putting you in the “maybe” pile, or turning you away completely.

What makes DMARC particularly powerful is the reporting component. It sends you daily reports showing every single email sent using your domain name, whether you sent it or not. This visibility is invaluable for both security and deliverability.

Why DMARC Matters for Cold Email

When you’re sending cold email, you’re essentially asking inbox providers to trust you with their users’ attention. You’re a stranger knocking on their door. DMARC is one of the strongest signals you can send that you’re legitimate.

First, it completes your authentication stack. Modern email providers expect to see all three protocols in place: SPF, DKIM, and DMARC. Having just two out of three is like showing up to a formal event in a tuxedo and sneakers. You’ve made an effort, but something’s clearly missing.

Second, DMARC actively protects your domain reputation. Without it, anyone can attempt to send emails pretending to be you. Maybe it’s a competitor trying to tarnish your name, or a scammer using your domain for phishing. DMARC lets you tell Gmail, Outlook, and every other email provider: “If someone sends email claiming to be from my domain and they fail authentication, block them.” This protection becomes increasingly valuable as your brand grows.

Third, DMARC gives you visibility into your email ecosystem that you simply can’t get any other way. Those daily reports reveal every service, tool, and system sending email on your behalf. You might discover that the marketing automation platform you set up two years ago and forgot about is still sending emails that fail authentication. Or that someone’s attempting to spoof your domain from IP addresses in countries you don’t operate in. This intelligence is gold.

Finally, domains with DMARC enforcement—meaning policies set to quarantine or reject—consistently see better inbox placement rates. It’s a trust signal. You’re telling email providers: “I take security seriously enough to risk blocking my own email if it’s not properly authenticated.” That commitment matters.

Before You Set Up DMARC

DMARC won’t work properly unless you’ve already configured SPF and DKIM. This isn’t optional. DMARC’s entire job is to check whether SPF and DKIM pass, so if they’re not set up yet, start there first.

You’ll also need access to your domain’s DNS settings. This is where you’ll add the DMARC record, just like you did for SPF and DKIM. Make sure you can log into your DNS provider—whether that’s Cloudflare, GoDaddy, Namecheap, or wherever you manage your domain.

The order really does matter here. We’ve seen people try to set up DMARC first, only to discover weeks later that their SPF record was misconfigured the whole time. Fix the foundation before building on top of it.

Understanding DMARC Policies

DMARC has three policy levels, each representing a different level of enforcement. Think of them as three stages of trust.

The first stage is the “none” policy. When you set your DMARC policy to none, you’re basically saying “check my authentication, send me reports about what’s happening, but don’t actually block anything.” All email passes through regardless of whether it passes or fails authentication. This is your monitoring phase, and it’s where everyone should start. You’re gathering intelligence before making any enforcement decisions.

The second stage is “quarantine.” This is soft enforcement. Emails that fail authentication don’t get blocked entirely, but they get sent to the spam or junk folder instead of the inbox. It’s a middle ground that protects recipients while giving you room to identify and fix issues before they become critical. If you accidentally misconfigured something, emails still get delivered, just not to the inbox.

The third stage is “reject.” This is full enforcement, the final destination for your DMARC journey. When an email fails authentication and your policy is set to reject, receiving servers won’t deliver it at all. It gets blocked before the recipient ever sees it. This is the strongest possible protection and sends the clearest signal to email providers that you’re serious about security.

Setting Up Your First DMARC Record

Your DMARC record is a DNS TXT record that goes in a very specific location: _dmarc.yourdomain.com. So if your domain is example.com, you’d add the record at _dmarc.example.com.

For your first DMARC record, start with the monitoring policy. The record should include three essential components: the version tag set to DMARC1, the policy set to none, and a reporting address where you’ll receive aggregate reports. That reporting address is critical—without it, you’re flying blind.

Here’s what that looks like in practice. The version tag always reads “v=DMARC1”, because that’s the current and only version of the protocol. The policy tag for monitoring is “p=none”, which tells servers not to take any action on failures. And the reporting tag looks like “rua=mailto:dmarc-reports@yourdomain.com”, naming the mailbox that receives the daily aggregate reports.

When you log into your DNS provider, you’ll add a new TXT record. The host or name field should be _dmarc (some DNS providers want just _dmarc, others want the full _dmarc.yourdomain.com—check your provider’s documentation). The value field contains your DMARC policy string. Set the TTL to 3600 seconds, which is standard, then save.

Give it a few minutes to propagate, then verify it worked by heading to MX Toolbox’s DMARC lookup tool. Enter your domain and confirm it finds your DMARC record. If it doesn’t appear immediately, wait a bit longer—DNS changes can take up to 24 hours to fully propagate, though it’s usually much faster.

The DMARC Rollout Timeline

This is where patience becomes crucial. The biggest mistake people make with DMARC is rushing through the stages. Here’s the timeline that actually works.

Start with your monitoring policy set to none and stay there for at least two to four weeks. During this time, you’re collecting data. Those daily aggregate reports are showing you every email sent from your domain: your cold email platform, your internal email system, that automated notification service you set up months ago. You’re looking for patterns and, importantly, you’re looking for failures.

After two to four weeks of monitoring, review your reports thoroughly. Are all your legitimate email sources passing SPF and DKIM? If yes, you’re ready to move to quarantine. If no, now’s the time to fix those authentication issues before they start affecting delivery.

When you move to quarantine, update your DMARC record’s policy tag from “p=none” to “p=quarantine”. Add the percentage tag set to 100, which means apply this policy to all failing emails, not just a subset. Now you’re in soft enforcement mode. Emails that fail authentication go to spam instead of getting delivered normally.

Stay at quarantine for another two to four weeks. Keep monitoring those reports. Make sure nothing legitimate is being quarantined. If you see legitimate email landing in spam due to authentication failures, fix the authentication for that service, don’t lower your DMARC policy.

Finally, after you’re confident everything’s working smoothly, make the move to reject. Change your policy tag from “p=quarantine” to “p=reject”. Now you have maximum protection. Failed emails don’t get delivered at all. This is your end goal, but only after you’ve verified every legitimate email source is properly authenticated.

Making Sense of DMARC Reports

DMARC reports arrive daily as XML files, which are about as readable as ancient hieroglyphics if you try to parse them manually. The reports contain detailed information about every email sent using your domain: which IP addresses sent them, how many emails came from each source, whether SPF passed, whether DKIM passed, and what action was taken based on your policy.

Rather than wrestling with XML, use a DMARC reporting tool. Postmark offers free DMARC monitoring with weekly digest emails that summarize everything in plain English. DMARC Analyzer and Dmarcian both have free tiers that provide dashboards and alerts. These tools transform those cryptic XML reports into actionable intelligence.

What you’re looking for in these reports is consistency. Your legitimate sending sources should pass authentication every time. If you see intermittent failures from a service you recognize, that’s a configuration issue you need to fix. If you see unknown IP addresses sending large volumes of email as your domain, that’s potentially spoofing—someone impersonating you.

Here’s a real scenario: Let’s say you’re running cold email through a platform like Instantly or Smartlead. Your DMARC reports should show emails from that platform’s IP addresses with both SPF and DKIM passing. If you see those IPs with failures, it means something’s misconfigured—maybe your SPF record doesn’t include that platform, or DKIM signing isn’t properly set up. Fix it before moving to stricter enforcement.
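The per-source view a reporting tool builds from those XML files, as an added Python example (not Flowleads code and not any of the tools named above) run over a constructed aggregate report; the IPs are documentation addresses and the report is made up for illustration:

```python
"""Summarise a DMARC aggregate (rua) report per sending IP so unknown or
never-passing sources stand out. SAMPLE_REPORT is a constructed report in the
aggregate XML format, not a real one; the IPs are documentation addresses."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>mail.yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>other-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Return {source_ip: {'messages', 'passed', 'failed', 'dispositions'}}.
    policy_evaluated carries the ALIGNED results: the second record has a raw
    SPF pass for an unrelated domain, which still counts as a DMARC failure."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        entry = summary.setdefault(row.findtext("source_ip"), {
            "messages": 0, "passed": 0, "failed": 0, "dispositions": set()})
        entry["messages"] += count
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry["passed" if passed else "failed"] += count
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return summary


def failing_sources(summary):
    """IPs none of whose mail passed: either a sender missing from SPF/DKIM
    (fix it before tightening p=) or someone else sending as your domain."""
    return sorted(ip for ip, e in summary.items() if e["passed"] == 0)


def policy_published(xml_text):
    """The policy the receiver saw, useful to confirm a DNS change propagated."""
    pub = ET.fromstring(xml_text).find("policy_published")
    return pub.findtext("domain"), pub.findtext("p"), int(pub.findtext("pct") or 100)
```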

DMARC Alignment Explained

DMARC doesn’t just check whether SPF and DKIM pass—it also checks alignment, which means the domains have to match in a specific way.

For SPF alignment, DMARC compares the domain in your “From” address with the domain in the “Return-Path.” These need to match, or at least align. There are two alignment modes: relaxed and strict. Relaxed alignment, which is the default, allows subdomains to align with the parent domain. If your email comes from mail.yourdomain.com and your Return-Path is yourdomain.com, relaxed alignment considers that a match. Strict alignment requires an exact match—mail.yourdomain.com would only align with mail.yourdomain.com.

DKIM alignment works similarly, comparing the domain in your “From” address with the domain in the DKIM signature. Again, relaxed mode allows subdomain alignment while strict requires exact matches.

For most cold email use cases, relaxed alignment is what you want. It’s more forgiving and handles the common scenario where your sending platform uses a subdomain for routing purposes. Only use strict alignment if you have specific security requirements that demand it, because strict alignment can cause legitimate email to fail DMARC checks.

Handling Subdomains

By default, any DMARC policy you set on your main domain automatically applies to all subdomains. If yourdomain.com has a reject policy, then mail.yourdomain.com also inherits that reject policy unless you specify otherwise.

You can set a different policy for subdomains using the subdomain policy tag. For example, you might want reject enforcement on your main domain but only quarantine on subdomains. This is useful if you’re more confident about authentication on your primary domain than on various subdomains.

Alternatively, you can create completely separate DMARC records for specific subdomains. If you’re using mail.yourdomain.com for cold email and want different reporting or different enforcement, create a DMARC record specifically at _dmarc.mail.yourdomain.com with its own policy and reporting address.

Gradual Rollout with Percentage Tags

If you’re nervous about moving from none to quarantine or from quarantine to reject, DMARC offers a safety valve: the percentage tag. This lets you apply your enforcement policy to only a portion of failing emails.

Here’s how you might use it: Instead of immediately moving to full quarantine enforcement, set “p=quarantine; pct=25” which applies quarantine to only 25 percent of emails that fail authentication. Monitor for a week to make sure nothing breaks. Then increase to 50 percent, then 75 percent, then finally 100 percent.

This gradual approach reduces risk. If you have a misconfigured service that you somehow missed during monitoring, it won’t affect all your email at once. You’ll catch the issue while most of your email is still being delivered normally.

That said, if you’ve monitored thoroughly for the full recommended timeframe and fixed all identified issues, you can usually skip the percentage rollout and jump straight to 100 percent. The percentage approach is insurance for when you’re uncertain.
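How a receiver turns the record, the alignment rules, the subdomain policy and the percentage tag into a verdict for one message, as an added Python example (not Flowleads code). It assumes, as a simplification, that the organizational domain is the last two labels of a name; real verifiers use the Public Suffix List.

```python
"""Evaluate one message against a DMARC record: parse the tags, apply
relaxed/strict alignment for SPF and DKIM, pick p= or sp= for subdomains and
report pct=. Assumption (simplification): the organizational domain is the
last two labels of a name; real verifiers use the Public Suffix List."""


def parse_dmarc_record(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("record needs v=DMARC1 first and a p= tag")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def org_domain(name):
    """Simplified organizational domain (assumption): last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): identical domains. Relaxed ('r', the default): same
    organizational domain, so mail.yourdomain.com aligns with yourdomain.com."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, subdomain=False):
    """Return (dmarc_result, policy_to_apply, pct) for one message.

    spf_domain is the Return-Path (MAIL FROM) domain, dkim_domain the d= of
    the signature; results are 'pass' or 'fail' as reported by each check.
    DMARC passes when at least one of SPF or DKIM passes AND aligns.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none", 100
    # A subdomain uses sp= when present and otherwise inherits p=.
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    # pct= is the share of failing mail the receiver applies the policy to;
    # the rest gets the next weaker policy (reject -> quarantine -> none).
    return "fail", policy, int(tags.get("pct", "100"))
```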

Common DMARC Mistakes to Avoid

The single biggest mistake is jumping straight to a reject policy without monitoring first. We’ve seen this happen when someone reads that reject is the “best” policy and decides to implement it immediately. Within hours, legitimate email is being blocked—customer notifications, internal communications, third-party services—because those systems weren’t properly authenticated. Always start with none, always monitor, always progress gradually.

The second common mistake is setting up DMARC without configuring a reporting address, or configuring one but never checking it. DMARC without reporting is like installing security cameras but never looking at the footage. You’re blind to what’s happening. Set up that reporting address, and actually review what it tells you.

Third is forgetting about third-party services. Your customer support platform sends email as your domain. Your CRM sends email as your domain. Your automated billing system sends email as your domain. If any of these aren’t properly authenticated and you move to reject, those emails start getting blocked. Review your reports thoroughly to identify every service before enforcement.

Fourth is using strict alignment when you don’t need it. Strict alignment sounds more secure, but it often breaks legitimate email for no real security benefit. Unless you have specific compliance requirements demanding strict alignment, stick with relaxed.

DMARC for Your Cold Email Domains

If you’re running cold email from secondary domains—which you absolutely should be—your DMARC strategy for those domains can be slightly different than for your primary company domain.

For cold email domains, we recommend aiming for quarantine as your standard enforcement level. It provides strong protection and sends a good deliverability signal without being quite as unforgiving as reject. Cold email often involves more moving parts, different sending platforms, testing new tools. Quarantine gives you a bit more breathing room.

That said, if you’ve been running a cold email domain for months, you’ve thoroughly monitored your authentication, and everything consistently passes, moving to reject can provide that extra deliverability boost. Just make sure you’re confident in your setup first.

The same monitoring and rollout process applies: start with none, collect reports for two to four weeks, fix any issues, move to quarantine, monitor again, and only then consider reject if your setup is rock solid.

Troubleshooting DMARC Issues

If you’re seeing DMARC failures in your email headers, the first step is checking whether SPF and DKIM are actually passing. DMARC can only pass if at least one of those passes with proper alignment. If SPF is failing, go fix your SPF record. If DKIM is failing, verify your DKIM signing is configured correctly.

If SPF and DKIM both show as passing but DMARC still fails, you have an alignment issue. Check that the domain in your “From” address matches the domain in your Return-Path for SPF alignment, and matches the domain in your DKIM signature for DKIM alignment.

If you’re not receiving DMARC reports at all, verify that your DMARC record actually includes the reporting tag pointing to a valid email address. Check your spam folder—sometimes the first few reports get filtered. And give it 24 to 48 hours after setting up DMARC before expecting the first reports to arrive.

If legitimate mail is being blocked after you moved to reject, immediately dial back your policy to quarantine or none while you investigate. Check your DMARC reports to identify which sending source is failing authentication, fix the authentication for that source, verify it’s passing, then re-enable reject.

Key Takeaways

DMARC is the final layer of email authentication that brings SPF and DKIM together into a cohesive security and deliverability framework. It requires that you have SPF and DKIM already configured and working properly—there’s no skipping steps here.

Start your DMARC journey with a monitoring policy set to none. Collect reports for two to four weeks to understand your email ecosystem and identify any authentication gaps. Fix those gaps before moving forward.

Progress to quarantine policy after you’ve verified all legitimate senders pass authentication. Stay there for another two to four weeks while monitoring continues. Only after you’re completely confident should you move to the final reject policy for maximum protection.

Use those DMARC reports religiously. They’re your window into who’s sending email as your domain and whether authentication is working. Set up a reporting tool to make sense of the data rather than trying to read raw XML files.

For cold email domains, quarantine provides strong protection and excellent deliverability signals. Move to reject only if you’re confident in your setup and want that extra edge.

The entire process takes four to eight weeks from start to finish if you do it right. That might feel slow, but rushing DMARC causes more problems than it solves. Take the time, follow the steps, and you’ll end up with properly authenticated email that inboxes actually want to receive.

Need Help With Email Authentication?

Setting up DMARC correctly requires careful monitoring, patience, and attention to detail. We’ve configured SPF, DKIM, and DMARC for hundreds of cold email domains, and we know exactly where things typically go wrong. If you want your email authentication done right the first time, book a call with our team.

Frequently Asked Questions

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving servers what to do when emails fail authentication and provides reporting on all email sent using your domain.

How do I set up DMARC?

Set up DMARC by adding a TXT record to your DNS at _dmarc.yourdomain.com. Start with: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This monitors without blocking. After verifying legitimate senders pass, change p=none to p=quarantine, then p=reject.

What DMARC policy should I use?

Start with p=none for 2-4 weeks to monitor and identify any authentication issues. Move to p=quarantine for another 2-4 weeks. Finally, use p=reject for maximum protection. Never jump straight to p=reject without monitoring first.

What do DMARC reports show?

DMARC reports show every email sent using your domain, including: sending IP addresses, authentication results (SPF/DKIM pass/fail), volume of emails, and whether emails were rejected. Use these reports to identify unauthorized senders and fix authentication gaps.
