DMARC Policy

Protect against email spoofing and phishing

What we check

We verify your domain has a DMARC policy configured

We verify your domain has a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy configured to protect against email spoofing. DMARC builds on SPF and DKIM to tell receiving servers how to handle fraudulent emails claiming to be from your domain.

Security Impact

Why DMARC is critical for email security

Attackers can impersonate your domain

Without DMARC, attackers can send phishing emails that appear to be from your domain. DMARC tells receiving servers to reject or quarantine these fraudulent messages.

Phishing damages brand reputation

When customers receive phishing emails from your domain, they lose trust. DMARC protects your brand by preventing domain spoofing.

DMARC provides visibility

DMARC reports show you who is sending email using your domain, helping detect unauthorized use and authentication issues.

Improves email deliverability

Major email providers (Gmail, Outlook, Yahoo) favor domains with DMARC policies. Having DMARC improves deliverability of your legitimate emails.

Implementation

How to implement DMARC

With Httpeace

Httpeace automatically checks your DMARC policy configuration:

  • Add your domain to Httpeace
  • We check for DMARC records automatically every day
  • Get instant alerts if DMARC is missing or using weak policies
  • See recommended DMARC configuration steps in your dashboard

Without Httpeace

Manual DMARC implementation requires careful planning and gradual rollout:

# Check DMARC record
dig TXT _dmarc.yourdomain.com

# Test DMARC configuration
# Visit: https://mxtoolbox.com/dmarc.aspx

# Send test email and check headers
# Look for "dmarc=pass" in authentication results

# Monitor DMARC reports
# Set up email address to receive rua reports

You'll need to:

  • Ensure SPF and DKIM are configured first (DMARC depends on them)
  • Create TXT record at _dmarc.yourdomain.com subdomain
  • Start with p=none to monitor without affecting delivery
  • Set up email address to receive aggregate reports (rua=)
  • Wait 1-2 weeks collecting reports to understand email sources
  • Analyze DMARC reports to identify authentication failures
  • Fix SPF/DKIM issues for legitimate email sources
  • Gradually enforce with p=quarantine at low percentage (pct=10)
  • Monitor for false positives and delivery issues
  • Increase percentage gradually: 10% → 25% → 50% → 100%
  • Move to p=reject only after thorough testing with quarantine
  • Configure subdomain policy (sp=) if needed
  • Set up forensic reports (ruf=) for detailed failure data
  • Monitor ongoing DMARC reports for new authentication issues
  • Update DMARC policy when adding new email services

DMARC rollout is complex and risky. Moving too fast can block legitimate emails. Going too slow leaves your domain vulnerable to spoofing. Proper implementation requires weeks of careful monitoring and gradual enforcement.
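
The rollout steps above can be checked mechanically against the published record. The following is an added example, not Httpeace's code: the function names are hypothetical, the sample records are constructed, and example.com is a placeholder. It parses the TXT value returned by the dig query and reports which rollout stage the record is at and which gaps remain.

```python
# Added example: lint a DMARC TXT value against the rollout stages (function names are hypothetical).
POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {pair!r}")
        tags[name.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, otherwise receivers discard the record
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in POLICIES:
            raise ValueError(f"invalid {tag}= value: {tags[tag]!r}")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    return tags

def lint_dmarc(txt):
    """Return findings for one record; an empty list means p=reject at 100% with reporting."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()      # sp= defaults to the p= value
    pct = int(tags.get("pct", "100"))        # pct= defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: not yet at p=reject")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected")
    if POLICIES.index(sp) < POLICIES.index(policy):
        findings.append(f"sp={sp}: subdomain policy is weaker than p={policy}")
    return findings

if __name__ == "__main__":
    # Constructed sample records, one per rollout stage (example.com is a placeholder)
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=reject; sp=none"):
        print(record, "->", lint_dmarc(record) or "fully enforced")
```

The last sample shows a gap the step list only hints at: a p=reject record with sp=none leaves every subdomain unprotected.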

FAQ

Frequently asked questions

What is DMARC?

DMARC is an email authentication protocol that uses SPF and DKIM to verify email senders. It tells receiving servers what to do with emails that fail authentication (none/quarantine/reject) and provides reports on email authentication results.

Do I need both SPF and DKIM for DMARC?

No, DMARC requires either SPF or DKIM to pass (not both), and the check that passes must align with the domain in the From header. However, best practice is to implement both for maximum protection and deliverability.

What is the difference between p=quarantine and p=reject?

p=quarantine tells receiving servers to mark failing emails as spam but still deliver them. p=reject tells servers to completely block failing emails. Start with p=none (monitoring), then p=quarantine, and finally p=reject.

What are DMARC reports?

DMARC reports show which servers are sending email using your domain and whether they pass authentication. Aggregate reports (rua) provide daily summaries. Forensic reports (ruf) provide samples of failing messages.

How often does Httpeace check DMARC?

We check your DMARC record daily. We verify it exists, is properly formatted, and follows best practices. We alert you if DMARC is missing, misconfigured, or using an overly permissive policy.
