What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's a DNS record you publish for your domain that tells the world's email providers what to do with messages that claim to come from your domain but fail authentication checks.
In plain terms: DMARC is how you tell Gmail, Microsoft, and Yahoo — "If someone sends an email claiming to be from catsnackjack.com and it doesn't pass our checks, here's what you should do with it."
Why it matters
Without DMARC, anyone can send an email that appears to come from your domain. The recipient sees from: [email protected] in their inbox, but the message was actually sent by a scammer. This is called email spoofing, and it's one of the most common ways businesses and their customers get defrauded.
DMARC closes that door. Once you've configured DMARC at enforcement level, receiving mail servers will reject or quarantine spoofed messages — they never reach the inbox.
The three DMARC policies
When you publish a DMARC record, you choose a policy that tells receiving servers what to do with failing messages:
| Policy | What it means | When to use it |
|---|---|---|
p=none | Monitor only — take no action on failing messages | When you're getting started and gathering data |
p=quarantine | Send failing messages to the spam folder | When you've classified all your senders and fixed authentication failures |
p=reject | Block failing messages entirely — they never reach the inbox | When you're confident all legitimate mail is passing |
Almost everyone starts at p=none. The goal is to reach p=reject.
What DMARC actually checks
DMARC doesn't check the message content. It checks whether the sending server is authorised to send on behalf of your domain, using two mechanisms:
- SPF — checks whether the sending IP address is authorised in your DNS
- DKIM — checks whether the message was cryptographically signed by your domain
For DMARC to pass, at least one of these must pass and the domain used must align with the domain in the From: header. This alignment requirement is what makes DMARC meaningful — it's not enough to just pass SPF or DKIM, it has to be for the right domain.
What DMARC reports contain
When you add a rua= tag to your DMARC record pointing to a mailbox, email providers send you daily aggregate reports. These XML files contain:
- Every IP address that sent mail claiming to be from your domain
- How many messages each IP sent
- Whether each message passed or failed SPF and DKIM
- What your policy said to do with failing messages
This is the raw data Sentura parses, processes, and turns into your dashboard.
The DMARC journey in four steps
- Publish a DMARC record at
p=nonewith arua=tag pointing to your mailbox - Gather reports — wait 24-48 hours for the first reports to arrive
- Classify your senders — identify every service sending email on your behalf
- Fix failures and enforce — resolve authentication issues, then move to
p=quarantineand eventuallyp=reject
Sentura guides you through every step.