
What Is DMARC? The Complete Guide for 2026

DMARC prevents email spoofing by letting domain owners control what happens when authentication fails. In 2026, it's no longer optional — Google, Yahoo, and Microsoft require it for bulk senders.

April 8, 2026 · 12 min read

The email authentication problem

Email was designed in the 1980s without authentication. The "From" header in an email is as trustworthy as the return address on a physical envelope — anyone can write anything. This design flaw enables email spoofing: sending messages that appear to come from your domain when they actually come from an attacker.

Business Email Compromise (BEC) exploiting spoofed domains cost organizations over $6 billion in 2024 (FBI IC3). DMARC, combined with SPF and DKIM, is the industry standard for stopping it.

How DMARC works

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on two existing protocols:

  • SPF (Sender Policy Framework) — verifies the sending server's IP address is authorized by the domain owner
  • DKIM (DomainKeys Identified Mail) — verifies the email hasn't been tampered with using a cryptographic signature

DMARC adds two critical pieces: alignment (the From header domain must match the SPF/DKIM domain) and policy (what to do when authentication fails: none, quarantine, or reject).

[Diagram: Sending server (your-domain.com) → Receiving server runs SPF check (IP authorized?), DKIM check (signature valid?) and DMARC policy check (aligned?) → evaluates results and applies the DMARC policy → Delivered / Quarantined / Rejected; an aggregate report (RUA) is sent back to the domain owner.]

The three DMARC policies

Your DMARC record tells receiving servers what to do when a message fails authentication:

  Policy         Mode         What happens                    Effect on mail                    Stage                     Risk
  p=none         Monitor      Collect reports only            No mail is blocked                Safe starting point       None
  p=quarantine   Quarantine   Suspicious mail to spam         Legitimate mail may be affected   Intermediate enforcement  Medium
  p=reject       Reject       Spoofed mail blocked entirely   Requires full sender alignment    Maximum protection        Low (when ready)

p=none (monitor)

The starting point. Receiving servers send you aggregate reports about who is sending email using your domain, but take no enforcement action. This gives you visibility into all sending sources before you start blocking anything.

p=quarantine (flag)

Messages that fail DMARC are sent to the recipient's spam folder. This protects recipients while allowing you to identify any legitimate senders that aren't properly aligned. Use percentage ramps (pct=25) to roll out gradually.

p=reject (enforce)

Messages that fail DMARC are rejected entirely — they never reach the inbox or spam folder. This is the strongest protection and the end goal of every DMARC deployment. In 2026, major mailbox providers increasingly require it for bulk senders.
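To make the alignment rule and the three policies concrete, here is an added example (not code from the article or from SpoofSentry) that parses a DMARC TXT record and applies it to one message the way a receiving server would, including the pct= ramp described under p=quarantine. The tag names (p, pct, aspf, adkim) are standard DMARC tags; the organizational-domain function is simplified to the last two labels and is an assumption for brevity, since real receivers use the Public Suffix List.

```python
"""Added example: evaluate a DMARC record against one message's SPF/DKIM results."""
import random

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=quarantine; pct=25; rua=...' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption;
    production code must consult the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain,
                      dkim_pass, dkim_domain, roll=None):
    """Return 'none', 'quarantine' or 'reject' for one message.
    roll is a 0-99 sample value used for pct=; a real receiver draws it at random."""
    tags = parse_dmarc(record)
    # SPF only counts if it passed AND its domain aligns with the From header domain.
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    # Same rule for DKIM: the d= domain of a valid signature must align.
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"                     # DMARC passes when either aligned check passes
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if roll is None:
        roll = random.randrange(100)
    if roll >= pct:
        # Message falls outside the pct= sample: apply the next-weaker policy,
        # so reject becomes quarantine and quarantine becomes none.
        return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```

Run it against a record such as `v=DMARC1; p=reject; pct=25` to see that an unaligned message is rejected only for the sampled 25 % and quarantined for the rest, which is exactly why a pct ramp lets you enforce gradually.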

Why DMARC is mandatory in 2026

Starting in 2024, Google and Yahoo began requiring SPF, DKIM, and DMARC for anyone sending more than 5,000 messages per day. Microsoft followed with similar requirements. Non-compliant mail is rejected or junked — no exceptions.

Regulatory pressure is also mounting:

  • NIS2 (EU) drives DMARC adoption in critical infrastructure
  • PCI-DSS 4.0 includes anti-phishing requirements
  • CISA BOD 18-01 mandates DMARC for US federal agencies
  • Australia ASD Essential Eight includes email authentication as a baseline control

Getting started

The fastest way to assess your current DMARC posture is to run a free domain check:

SpoofSentry scores your domain across 9 dimensions, identifies gaps, and provides a step-by-step enforcement plan with simulation and rollback — so you can move to p=reject without breaking legitimate mail.
