What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the piece that ties SPF and DKIM to the From: address users actually see. It lets you tell receivers "if a message claims to be from my domain but neither SPF nor DKIM aligns, do this with it" — and get daily reports of who's trying.
The three things it adds
- Alignment. SPF/DKIM both authenticate envelope or signing identifiers — not the user-visible From:. DMARC requires alignment between those identifiers and the From: domain.
- Policy. What should receivers do with unauthenticated mail claiming to be you? p=none (monitor), p=quarantine (junk it), p=reject (bounce it).
- Reporting. Receivers send daily aggregate reports (XML) to your rua= address listing every IP that sent mail claiming to be you, and whether SPF/DKIM passed.
A starter record
_dmarc.example.com TXT
"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"
p=none doesn't block anything — it just turns on reporting. Once you've reviewed reports and authorized all your legitimate senders, move to p=quarantine, then p=reject. The DMARC rollout guide walks through the timeline.
Why "p=none + no rua" is the worst of both worlds
It blocks nothing AND gives you no visibility. If you're going to publish DMARC at all, publish a rua= address. Free aggregators like dmarcian, Postmark, or Reportify can parse the XML for you.
The pct trap
pct=50; p=reject doesn't mean "reject 50%." Per RFC 7489, receivers apply the next-most-lenient policy (quarantine) to the (100-pct)% not selected — so most spoofed mail still gets through. If you want to ramp up gradually, use p=quarantine; pct=50 instead.
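An added example (not part of the original page): a small Python linter for the two pitfalls above, p=none without rua= and pct sampling, using the RFC 7489 rule that failing mail not selected by pct gets the next-most-lenient policy. The function names and sample records are illustrative, and example.com is a placeholder domain.

```python
# Added example: DMARC record linter for the pitfalls described above.
# Policy applied to failing mail NOT selected by pct (RFC 7489 "pct" tag).
NEXT_LENIENT = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into {tag: value}; tag names are lower-cased."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_split(tags):
    """Return {policy: percent of failing mail that receives it} after pct sampling."""
    policy = tags["p"].lower()
    pct = max(0, min(100, int(tags.get("pct", "100"))))  # clamp out-of-range values
    split = {policy: pct}
    fallback = NEXT_LENIENT[policy]
    split[fallback] = split.get(fallback, 0) + (100 - pct)
    return {p: share for p, share in split.items() if share}

def lint(txt):
    """Return (findings, split) for one record; split is None if the record is unusable."""
    tags = parse_dmarc(txt)
    findings = []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in NEXT_LENIENT:
        return findings + ["missing or invalid p= tag"], None
    if not tags.get("pct", "100").isdigit():
        return findings + ["pct must be an integer"], None
    split = effective_split(tags)
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent")
        if tags["p"].lower() == "none":
            findings.append("p=none without rua= blocks nothing and reports nothing")
    if len(split) > 1:
        findings.append(f"pct sampling splits failing mail: {split}")
    return findings, split

if __name__ == "__main__":
    # Constructed sample records (example.com is a placeholder domain).
    for record in (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100",
        "v=DMARC1; p=none",
        "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc-reports@example.com",
    ):
        print(record, "->", lint(record))
```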