DMARC records are published via DNS as a text (TXT) record. They let receiving servers know what they should do with non-aligned email received from your domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism for improving mail handling by mail-receiving organizations. The ultimate purpose of DMARC, according to RFC 7489, is to provide a “mechanism by which email operators leverage existing authentication and policy advertisement technologies to enable both message-stream feedback and enforcement of policies against unauthenticated email.” Email-originating organizations use DMARC to express domain-level policies and preferences for message validation, disposition, and reporting.
DMARC adoption has risen dramatically, and it can have a positive or negative impact on your email deliverability. All of the major email providers support DMARC. By some measures, 80% of mailboxes worldwide are protected by DMARC.
DMARC dramatically improves on SPF and DKIM by letting you:
It only takes a few minutes to get started with DMARC and you’ll see immediate benefits. The first thing you need to do is add a simple DNS record to enable DMARC reporting. If you would like MxToolBox to handle your DMARC reporting for you, just add this simple text (TXT) record to your domain’s DNS.
To pass DMARC authentication, a message must both Pass and Align for either SPF or DKIM. Even if a message passed authentication for both SPF and DKIM, it could still fail DMARC authentication if one of them does not "align".
There are two ways to pass DMARC authentication:
The message passes SPF authentication, meaning the message was delivered from an IP address published in the SPF policy of the SMTP envelope "mail from:" (mfrom) domain,
- and also -
the message passes SPF alignment, meaning the <From:> header visible to the end user matches the domain used to authenticate SPF (e.g. the envelope "mail from:" domain).
- OR -
The message passes DKIM authentication, meaning the message was correctly signed by the d= domain in the DKIM header,
- and also -
the message passes DKIM alignment, meaning the <From:> header visible to the end user matches the d= domain in the DKIM header.
When a message is aligned, the end user recipient knows who really sent the message.
SPF and DKIM are only authentication mechanisms. Passing SPF or DKIM authentication only means the receiving organization can identify the real sending domain. But typically, the end user receiving the message never sees this domain. Instead, they see the "From:" address in the email header.
So it’s possible for a message to pass both SPF and DKIM authentication but still trick the end user into thinking it came from someone else (i.e. spoofing). When a message is aligned, the friendly <From:> domain visible in the email client matches the domain used to authenticate with SPF or DKIM.
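The pass-and-align rule above, written out as an added example (not MxToolBox code): it takes SPF and DKIM results a receiver has already computed and decides the DMARC outcome. The `AuthResult` type, the function names, and the sample message and domains are constructed for illustration, and "matches" is assumed to mean an exact, case-insensitive domain match.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class AuthResult:
    """Results the receiver already computed for one message (hypothetical type)."""
    spf_pass: bool     # SPF result for the envelope "mail from:" domain
    mfrom_domain: str  # domain of the SMTP envelope "mail from:"
    dkim_pass: bool    # DKIM signature verification result
    dkim_d: str        # d= domain from the DKIM header


def from_domain(raw_message: str) -> str:
    """Return the lowercased domain of the From: header the end user sees."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def same_domain(a: str, b: str) -> bool:
    # Assumption: exact match only, ignoring case and a trailing dot.
    return bool(a) and a.lower().rstrip(".") == b.lower().rstrip(".")


def evaluate_dmarc(raw_message: str, auth: AuthResult) -> str:
    """DMARC passes if SPF passes AND aligns, OR DKIM passes AND aligns."""
    visible = from_domain(raw_message)
    spf_ok = auth.spf_pass and same_domain(visible, auth.mfrom_domain)
    dkim_ok = auth.dkim_pass and same_domain(visible, auth.dkim_d)
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed message: the user sees example.com in the From: header.
MSG = "From: Billing <billing@example.com>\nSubject: Invoice\n\nHello\n"

# Constructed cases covering each branch of the rule.
CASES = {
    "spf_aligned": AuthResult(True, "example.com", False, ""),
    "dkim_aligned": AuthResult(False, "mailer.example.org", True, "example.com"),
    # SPF and DKIM both pass, but for a domain the user never sees.
    "both_pass_unaligned": AuthResult(True, "example.net", True, "example.net"),
    # Domains match, but neither mechanism actually passed.
    "aligned_not_passed": AuthResult(False, "example.com", False, "example.com"),
}

if __name__ == "__main__":
    for name, auth in CASES.items():
        print(f"{name:22} dmarc={evaluate_dmarc(MSG, auth)}")
```

The `both_pass_unaligned` case is the spoofing scenario described above: both mechanisms pass, yet DMARC fails because neither authenticated domain matches the visible From: domain.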
If a message fails DMARC authentication, the receiving organization should honor the "disposition" you publish in your DMARC policy. This is the p= value in your DMARC record: