What Is DMARC and Why Every Domain Needs It

DMARC is one of the most important email security mechanisms that most domain owners have never configured. Without it, anyone can send email that appears to come from your domain. With it, you can prevent spoofing and get detailed reports on who is sending email on your behalf.

This matters whether you send a hundred emails a month or a million. You can verify your domain's DNS setup using our WHOIS Lookup tool.

The Email Authentication Stack

DMARC works alongside two other standards. You need all three.

SPF (Sender Policy Framework)

A TXT record listing IP addresses authorised to send email for your domain.

v=spf1 include:_spf.google.com ~all

DKIM (DomainKeys Identified Mail)

Adds a cryptographic signature to outgoing emails. The public key is published in DNS. Receiving servers verify the signature to confirm the email genuinely came from your infrastructure.

DMARC

Ties SPF and DKIM together and tells receiving servers what to do when a message fails them. Published as a TXT record at _dmarc.yourdomain.com.

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

DMARC Policy Options

p=none: Monitor only. Failing messages are delivered normally but reports are sent. Always start here.

p=quarantine: Failing messages go to spam/junk.

p=reject: Failing messages are rejected outright. Maximum protection. Only use once all legitimate email passes authentication.

Start with p=none, collect reports for 2-4 weeks, fix legitimate sources that are failing, then move to quarantine, then reject.

DMARC Reports

The rua= tag specifies where to send aggregate reports. These XML reports arrive daily and show every IP that sent email claiming to be from your domain — including whether they passed SPF and DKIM.

Use a DMARC report analyser (Postmark, Dmarcian, EasyDMARC all have free tiers) to turn the XML into readable tables. The reports are invaluable for discovering third-party services sending on your behalf that you forgot to add to SPF.
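To show what those analysers extract, here is an added example (not from the original article) that triages the records of an aggregate report by source IP. The sample report is constructed, uses documentation IP ranges and assumes the XML carries no namespace; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    # Builds one constructed <record> in the RFC 7489 aggregate report layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers></record>")

# Constructed sample: one fully configured sender, one third-party service that
# only passes SPF, and one unknown host that appears in two records.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")
    + _rec("198.51.100.7", 15, "fail", "pass")
    + _rec("203.0.113.50", 42, "fail", "fail")
    + _rec("203.0.113.50", 3, "fail", "fail")
    + "</feedback>"
)

def per_source(xml_text):
    """Sum message counts per source IP, split by aligned (dkim, spf) outcome."""
    # Reports arrive from third parties: treat the XML as untrusted input
    # (a hardened parser such as defusedxml is a common choice in production).
    totals = defaultdict(lambda: defaultdict(int))
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        outcome = (ev.findtext("dkim"), ev.findtext("spf"))
        totals[row.findtext("source_ip")][outcome] += int(row.findtext("count"))
    return {ip: dict(o) for ip, o in totals.items()}

def triage(xml_text):
    """Label sources 'pass' (both checks), 'partial' (one) or 'fail' (neither)."""
    result = {}
    for ip, outcomes in per_source(xml_text).items():
        for (dkim, spf), n in outcomes.items():
            # 'partial' still passes DMARC (one aligned check is enough) but marks
            # a sender to finish configuring; 'fail' is what p=quarantine/reject hits.
            label = ("fail", "partial", "pass")[(dkim == "pass") + (spf == "pass")]
            result.setdefault(label, defaultdict(int))[ip] += n
    return {label: dict(ips) for label, ips in result.items()}

if __name__ == "__main__":
    for label, ips in triage(SAMPLE_REPORT).items():
        print(label, ips)
```

Sources under "fail" are the ones to investigate before tightening the policy: either a legitimate service you forgot to authorise or someone spoofing the domain.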

FAQs

Yes. Spoofing attacks target every domain, not just high-volume senders. A domain with no DMARC record is easier to spoof. Even if you only send transactional emails, attackers can use your domain in phishing campaigns targeting your users. At minimum set p=none and add an rua= address to start receiving reports.
Only if you set p=reject before ensuring all legitimate sending sources pass authentication. That is why starting with p=none is essential. Collect reports, identify everything that sends on your behalf, add them to SPF and configure DKIM, then gradually tighten the policy.
DMARC requires that the domain in SPF or DKIM aligns with the From: domain. Strict alignment requires an exact match. Relaxed alignment (default) allows subdomains. This prevents attackers from passing SPF with a different domain while spoofing your From: address.