DMARC (Domain-based Message Authentication)
An email authentication protocol that tells receiving mail servers how to handle messages that fail SPF or DKIM checks.
What is DMARC (Domain-based Message Authentication)?
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email-authentication standard, published as a DNS TXT record, that tells receiving mail servers what to do when a message claiming to be from your domain fails SPF and/or DKIM checks. It builds on those two protocols by adding alignment (the authenticated domain must match the visible From: address), a published policy, and reporting so you get visibility into who is sending mail as you.
Why it matters
SPF and DKIM each authenticate a piece of the message, but neither protects the From: header your recipients actually see. DMARC closes that gap. Without it, attackers can spoof your exact domain in phishing and business-email-compromise campaigns. With a p=reject policy in place, mailbox providers drop or quarantine those forgeries before they reach an inbox. DMARC also delivers aggregate (and optionally forensic) reports, turning email authentication from a blind configuration into a monitored control.
How it works
- A receiving server looks up the _dmarc.<yourdomain> TXT record.
- It checks whether SPF and DKIM passed and whether the passing domain aligns with the From: domain.
- If neither aligned check passes, the receiver applies your published policy: p=none (monitor only), p=quarantine (send to spam), or p=reject (refuse delivery).
- Receivers send aggregate XML reports to the address in your rua= tag, showing pass/fail volumes per source IP.
A concrete example
A typical record looks like:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s
This enforces rejection on 100% of failing mail, sends aggregate reports to a monitoring inbox, and requires strict alignment. A common rollout starts at p=none to gather reports, moves to p=quarantine with a partial pct=, then graduates to p=reject once legitimate senders are accounted for.
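The receiver-side steps described under "How it works", applied to the record above, as an added Python example (this is not FortWatch's code and not part of the original page). It assumes the SPF and DKIM checks have already run and only needs the domain each of them passed for; the organizational-domain helper is simplified to the last two labels, and the `sample` parameter is an assumed stand-in for the per-message value a real receiver would use for pct= sampling.

```python
# Added example (not part of the original page or FortWatch's product code):
# receiver-side DMARC evaluation for a record like the one above.
# It assumes the SPF and DKIM checks have already run; it only needs to know
# which domain each of them passed for (or None if that check failed).
from typing import Optional

# RFC 7489 pct= sampling: messages outside the sampled percentage receive the
# next less severe policy rather than being skipped entirely.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag->value dict.

    Raises ValueError on a malformed tag or a missing v=DMARC1 marker,
    which is what a receiver treats as "no usable record".
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List so that, for example,
    mail.example.co.uk maps to example.co.uk; two labels are enough here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment.

    mode 's' (strict): the authenticated domain must equal the From: domain.
    mode 'r' (relaxed, the default): they must share an organizational domain.
    """
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str],
             sample: int = 0) -> str:
    """Return the disposition a receiver applies to one message.

    spf_pass_domain:  the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: the d= domain of a valid DKIM signature, else None.
    sample:           assumed per-message value in 0..99 (e.g. from a hash)
                      so that pct= sampling is deterministic here.
    Returns 'pass', 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, authenticated identifier is enough
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if sample >= pct:
        policy = DOWNGRADE[policy]
    return policy


if __name__ == "__main__":
    # The record from the page, with constructed message scenarios.
    strict = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"
    print(evaluate(strict, "example.com", "example.com", None))         # pass
    print(evaluate(strict, "example.com", "mail.example.com", None))    # reject
    print(evaluate(strict, "example.com", None, "bulk-sender.example"))  # reject
```

The second scenario is the one strict alignment is meant to catch: SPF passed for mail.example.com, but with aspf=s a subdomain does not align with From: example.com, so the message fails DMARC even though SPF itself passed. Under the default relaxed mode the same message would pass, which is why adkim=s/aspf=s should only be published once every legitimate sender signs and envelopes with the exact From: domain.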
How it appears on your external attack surface
DMARC is a public DNS record, so its presence, syntax, and policy strength are part of your externally observable posture — anyone, including an attacker selecting a spoofing target, can read it. The two most common exposures are a missing record (the domain is wide open to direct spoofing) and a record stuck at policy p=none, which monitors but never blocks. Misconfigurations like an unparseable record or a missing rua= reporting address also weaken the control.
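The exposures listed above (missing record, p=none, unparseable record, missing rua=) as a self-assessment check on your own domains, written as an added Python example; it is not FortWatch's scanner and not part of the original page. The TXT strings are passed in already resolved so the check runs offline, the severities are illustrative and follow the page's mail-context logic via an assumed `sends_mail` flag, and the multiple-records and non-mailto rua= checks are added on top of the page's list.

```python
# Added example (not FortWatch's scanner code): classify a domain's DMARC
# posture from the TXT strings found at _dmarc.<domain>. Records are passed
# in as strings so the check runs offline; resolving the DNS name is the
# caller's job. Severities are illustrative.
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

VALID_POLICIES = {"none", "quarantine", "reject"}


def assess_dmarc(txt_records: List[str], sends_mail: bool = True) -> List[Finding]:
    """Return posture findings for the TXT records at _dmarc.<domain>.

    sends_mail=False (assumed flag) lowers the severity of a missing record:
    a domain that never sends mail is still spoofable, but the business
    impact differs from an actively sending domain.
    """
    findings: List[Finding] = []
    dmarc = [r.strip() for r in txt_records
             if r.strip().lower().startswith("v=dmarc1")]

    if not dmarc:
        sev = "high" if sends_mail else "medium"
        findings.append((sev, "no DMARC record: the domain can be spoofed directly"))
        return findings
    if len(dmarc) > 1:
        # RFC 7489 6.6.3: more than one record means receivers use none of them.
        findings.append(("high", "multiple DMARC records: receivers discard all of them"))
        return findings

    # Minimal tag parse; a single malformed tag invalidates the whole record.
    tags = {}
    for part in dmarc[0].split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(("high", f"unparseable record near {part!r}: receivers ignore it"))
            return findings
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(("high", "missing or invalid p= tag: receivers fall back to p=none at best"))
    elif policy == "none":
        findings.append(("medium", "p=none: failures are reported but never blocked"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine: forgeries land in spam; finish the rollout to p=reject"))

    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(("low", f"pct={pct}: policy applies to only part of failing mail"))

    rua = tags.get("rua", "")
    if not rua:
        findings.append(("low", "no rua= address: no aggregate reports, so no visibility into senders"))
    elif not all(u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append(("low", "rua= contains a non-mailto: URI; reports will not be delivered"))

    if not findings:
        findings.append(("info", "p=reject with full enforcement and reporting configured"))
    return findings


if __name__ == "__main__":
    # Constructed records covering the exposures discussed above.
    for label, recs in {
        "missing":   [],
        "monitor":   ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
        "no-rua":    ["v=DMARC1; p=reject"],
        "enforced":  ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"],
    }.items():
        print(label, assess_dmarc(recs))
```

To run this against a live domain, resolve the TXT record first, for instance with dnspython's `dns.resolver.resolve("_dmarc.example.com", "TXT")`, join each answer's strings, and pass the resulting list to `assess_dmarc`. Treating a lookup that returns NXDOMAIN the same as an empty list is what gives the "missing record" finding.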
How FortWatch helps
FortWatch's DNS monitoring scanner checks each of your domains for DMARC presence, parses the policy, and flags weak or missing configurations alongside related DNS hygiene findings such as SPF and DKIM. Severity reflects mail context: a sending domain with no enforcement is treated as a real finding, while a non-mail domain is scored accordingly. Each result comes with AI remediation showing the exact record to publish. For a deeper walkthrough see our complete guide to DMARC, or test a single domain instantly with the DMARC/SPF checker.
Secure your entire stack today
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.