Skip to main content
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving mail servers what to do when an email fails SPF or DKIM checks. Setting up DMARC protects your domain from spoofing and improves deliverability.

How DMARC works with SPF and DKIM

ProtocolWhat it doesDMARC requirement
SPFVerifies the sending IP is authorized for the domainSPF-authenticated domain must align with the From domain
DKIMVerifies the email has not been tampered withDKIM-signed domain must align with the From domain
DMARCSets policy for emails that fail both SPF and DKIM alignmentPublished as a TXT record on _dmarc.yourdomain.com
DMARC requires either SPF or DKIM to pass and align with the From domain. You do not need both to pass, but both configured provides strongest protection.

Creating a DMARC record

A DMARC record is a TXT DNS record added to _dmarc.yourdomain.com.

Monitoring mode

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

Quarantine mode

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com

Reject mode

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com

Policy options

p=none

Monitor only. No action taken on failing emails. Start here to collect data.

p=quarantine

Send to spam. Failing emails go to the spam folder. Good intermediate step.

p=reject

Block entirely. Failing emails are rejected. Maximum protection.

Gradual enforcement path

1

Start with p=none

Publish a DMARC record with p=none and an rua address. Monitor aggregate reports for 2-4 weeks to identify all legitimate sending sources.
2

Fix authentication gaps

Review aggregate reports. Any legitimate service sending on your behalf must pass SPF or DKIM. Update DNS records as needed.
3

Move to p=quarantine with low pct

Change to p=quarantine; pct=10. Monitor for false positives.
4

Increase pct gradually

Raise pct from 10% to 25%, then 50%, then 100% over several weeks.
5

Move to p=reject

Once confident all legitimate sources pass, change to p=reject. Continue monitoring reports.

Monitoring with aggregate reports

Aggregate reports (rua) are XML files showing which IPs sent email using your domain and whether they passed SPF, DKIM, and DMARC. Use a free DMARC report analyzer (DMARC Analyzer, Postmark DMARC, dmarcian) to visualize the data.

Common mistakes

Skipping the monitoring phase blocks legitimate emails from services you forgot to authorize. Always start with p=none.
If you send from HoopAI, Google Workspace, and Mailgun, your SPF record must include all three.
Only one DMARC TXT record per domain. Multiple records cause unpredictable behavior.
The root domain policy applies to subdomains by default. Use the sp tag for different subdomain policies.
Continue monitoring even after reaching p=reject. New sending sources will fail DMARC if not added to SPF/DKIM.

Connecting DMARC to HoopAI

  1. Ensure SPF and DKIM records are configured for your sending domain (see Email & SMTP setup)
  2. Add a DMARC record to your root domain’s DNS
  3. Monitor reports to confirm HoopAI-sent emails pass DMARC alignment
  4. Gradually enforce your policy
Google and Yahoo require DMARC for domains sending more than 5,000 emails per day. Even at lower volumes, DMARC improves deliverability and protects your brand.
Last modified on March 6, 2026