DMARC
EmailDMARC is an email authentication standard that helps domain owners prevent spoofing and reduce phishing by aligning SPF and DKIM results with the visible From address. It lets you publish a DNS policy telling receiving mail servers whether to accept, quarantine, or reject messages that fail checks. DMARC also enables reporting so you can monitor authentication failures and legitimate senders.
How It Works
DMARC builds on SPF and DKIM. When an email arrives, the receiving server checks whether the message passes SPF (the sending IP is authorized for the domain) and/or DKIM (the message has a valid cryptographic signature). DMARC then adds an alignment requirement: the domain validated by SPF and/or DKIM must match (or be a subdomain of, depending on settings) the domain shown in the visible From header that users see in their inbox.
A DMARC record is published in DNS at _dmarc.yourdomain.tld as a TXT record. It includes a policy (p=none, quarantine, or reject), optional subdomain policy (sp=), and reporting addresses for aggregate (rua=) and forensic (ruf=) reports. Starting with p=none lets you observe failures without blocking mail, then you can move to quarantine or reject once legitimate senders are correctly configured with SPF and DKIM.
Why It Matters for Web Hosting
DMARC affects deliverability and brand protection, both of which depend on your hosting and DNS setup. If your host handles email, you need easy access to DNS records, support for DKIM signing, and clear guidance for SPF includes and sending IPs. When comparing hosting plans, prioritize providers that make DNS management, DKIM key rotation, and troubleshooting of authentication failures straightforward, especially if you send transactional mail from web apps.
Common Use Cases
- Reducing phishing and spoofing of a business domain by enforcing p=quarantine or p=reject
- Improving inbox placement by ensuring SPF/DKIM alignment for marketing and transactional email
- Monitoring third-party senders (CRMs, ticketing systems, newsletter tools) via DMARC aggregate reports
- Protecting high-risk domains (finance, support, HR) where impersonation attempts are common
- Validating email configuration changes after migrating DNS, hosting, or mail services
DMARC vs SPF
SPF authorizes which servers may send mail for a domain, but it does not require the SPF-authenticated domain to match the visible From address, and it can break with forwarding. DMARC adds alignment and a clear policy for receivers (none/quarantine/reject), and it can pass if either SPF or DKIM passes with alignment. In practice, SPF is necessary but not sufficient for strong anti-spoofing without DMARC.