DMARC is an email authentication policy that specifies how receivers should handle emails that fail SPF or DKIM checks.

What is the difference between p=none and p=reject?

p=none monitors failures without blocking. p=reject blocks all unauthenticated emails from your domain.

Why is my DMARC failing even though SPF and DKIM pass?

DMARC requires alignment — the From: domain must match the SPF or DKIM domain. Third-party senders often require additional CNAME records for alignment.

Glossary

DMARC — What It Is and How to Implement It

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication policy that tells receiving mail servers what to do when an email fails SPF or DKIM checks — either monitor, quarantine, or reject it. DMARC also enables aggregate reporting so you can see who is sending email using your domain.

DMARC Policies

p=none: Monitor only. Failed emails are delivered but reported.
p=quarantine: Failed emails go to spam.
p=reject: Failed emails are blocked entirely.

DMARC Alignment

DMARC alignment requires that the domain in the From: header matches the domain used for SPF or DKIM authentication. Misalignment is the most common cause of DMARC failures when using third-party email providers.

DMARC Reports

DMARC aggregate reports (rua=) are sent daily by major email providers like Google and Microsoft. They show every IP that sent email using your domain and whether SPF/DKIM passed.

How to Check Your DMARC

Use DomainPreflight to check your DMARC policy and analyze aggregate XML reports.

DMARC policy and report analysis

Open DMARC Report Analyzer →