[Last updated 07/12/2025]
DMARC: What It Is, Why You Need It, and How to Use It
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email security protocol that protects your domain from being used by spammers and scammers. DMARC works by telling email providers (like Gmail, Yahoo, Microsoft, and others) how to check if emails that claim to come from your domain are really from you—and what to do if they aren’t.
DMARC builds on two other technologies:
- SPF (Sender Policy Framework)
- DKIM (DomainKeys Identified Mail)
DMARC lets you:
- Specify which email sources are allowed to send mail for your domain.
- Get reports showing who is sending mail as your domain (both good and bad).
- Tell email providers what to do with suspicious or fake messages.
Why DMARC Is Now Required
Major email providers—Google (Gmail), Yahoo, and Microsoft—now require DMARC for anyone sending large amounts of email (5,000+ per day, counted per domain, not per individual mailbox). This started in 2024 with Google and Yahoo, and as of May 2025, Microsoft (Outlook, Hotmail, Live.com) also enforces these requirements. If you don’t have DMARC, your emails may get delayed, sent to spam, or rejected.
Note: The 5,000 email per day threshold is based on the total volume sent from your domain and its subdomains, not from any single mailbox. All mailboxes, aliases, and subdomains are counted together for compliance with bulk sender requirements. Once you hit the threshold, your domain is permanently classified as a bulk sender for that provider.
Bulk Sender Threshold Table (as of May 2025):
Provider | Threshold (per day, per domain) | Requirements |
---|---|---|
Gmail | 5,000+ | DMARC, SPF, DKIM, unsubscribe, low spam rate |
Yahoo | 5,000+ | DMARC, SPF, DKIM, unsubscribe |
Microsoft | 5,000+ | DMARC, SPF, DKIM, feedback loop, security alignment |
Footnote: As of May 2025, the 5,000 email per day threshold for bulk sender requirements is per domain (including all subdomains and mailboxes), not per individual mailbox. Once your domain sends 5,000 or more emails in a single day to Gmail, Yahoo, or Microsoft, you are permanently classified as a bulk sender for that provider and must comply with DMARC, SPF, and DKIM requirements. All mailboxes, aliases, and subdomains are counted together. For more, see the latest provider guidance and industry updates.
Why Domain Owners Need to Monitor DMARC Reports
When you set up DMARC, you will receive regular reports by email. These reports are sent to the address you specify in your DMARC record by the email providers who receive messages from your domain. For example, if someone sends an email from your domain to a Gmail user, Google will send you a DMARC report about that message.
Why you should monitor these reports:
- Spot unauthorized or fraudulent use of your domain.
- See which legitimate services (like newsletters, billing, or website forms) are sending mail for your domain and if they’re set up correctly.
- Understand which messages are being blocked or allowed, and why.
- Fix problems before they cause delivery failures for your real emails.
What Does DMARC Actually Do?
If an email fails both SPF and DKIM checks (the technical ways to prove it’s really from you), DMARC tells the email provider what to do:
- p=none: Just report the failure, don’t block the message.
- p=quarantine: Send the suspicious message to the spam/junk folder.
- p=reject: Block the message completely.
Example DMARC and SPF Records
DMARC Record Example:
Subdomain | Record Data (minimum required) | Suggested Record Data (adds email addresses for report data) |
---|---|---|
_dmarc | v=DMARC1; p=none; | v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1 |
SPF Record Example:
Kloudemail example
Hostname | TXT |
---|---|
@ (or blank) | v=spf1 include:emailsrvr.com ~all |
Domain Name: Email Forwarding (enom)
Hostname | TXT |
---|---|
@ | v=spf1 include:_spf.emfwd.name-services.com MX ~all |
Understanding a DMARC Record
Tag | Value | What It Means |
---|---|---|
v | DMARC1 | DMARC version (always DMARC1) |
p | none/quarantine/reject | Policy for mail failing DMARC |
rua | mailto:[email protected] | Where to send daily summary (aggregate) reports |
ruf | mailto:[email protected] | Where to send detailed (forensic) reports (if supported) |
fo | 1 | Request forensic reports for any SPF or DKIM failure |
What does fo=1 mean?
The fo=1 tag in your DMARC record means you will receive a forensic (failure) report whenever either SPF or DKIM fails to align—not just when both fail. This gives you more detailed insight into any authentication issues with your domain’s email.
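A linter for the tags described in the table above, as an added example (not KartHost's code). The allowed values follow RFC 7489, and the report address dmarc-reports@example.com in the sample records is a placeholder.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_FO = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (tags, findings) for one DMARC TXT record string."""
    tags = parse_dmarc(record)
    findings = []
    names = list(tags)
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        findings.append("error: record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("error: p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("warn: p=none only reports; failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"error: {tag} address {uri!r} must be a mailto: URI")
    if "rua" not in tags:
        findings.append("warn: no rua tag, so no aggregate reports will arrive")
    for opt in filter(None, tags.get("fo", "").split(":")):
        if opt not in VALID_FO:
            findings.append(f"error: unknown fo option {opt!r}")
    if "fo" in tags and "ruf" not in tags:
        findings.append("warn: fo is set but no ruf address receives failure reports")
    return tags, findings

# Constructed sample records mirroring the two example columns above.
MINIMAL = "v=DMARC1; p=none;"
MONITORING = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
              "ruf=mailto:dmarc-reports@example.com; fo=1")

if __name__ == "__main__":
    for rec in (MINIMAL, MONITORING):
        print(rec, lint_dmarc(rec)[1], sep="\n  ")
```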
What DMARC Stops or Allows (p=)
Policy Value | What Happens to Failing Mail |
---|---|
none | No action—just report failures, don’t block mail |
quarantine | Send failing mail to spam/junk folder |
reject | Block failing mail completely |
Special Note: Domains That Only Forward Email (no mailbox)
If you use your domain only for email forwarding (no mailbox, just forwarding to another address):
- SPF almost always fails on forwarded mail, because the forwarding server isn’t in your SPF record.
- DKIM signatures can survive forwarding, as long as the email isn’t changed in transit.
- If you use only SPF, forwarded emails may fail DMARC and go to spam or get blocked.
- Recommendation: Request DKIM be added if possible, and use a DMARC policy of p=none (monitor only) while you test and review reports. p=none should not be a permanent setting.
Scenario | SPF Result | DKIM Result | DMARC Impact / Recommendation |
---|---|---|---|
Forwarding only | Almost always fails | May survive if unaltered | Use DKIM, start with p=none, monitor reports |
Outbound with mailbox | SPF and DKIM pass if set up correctly | DKIM pass if signed | Strong authentication, safe to enforce policy |
Steps to Set Up DMARC
- Add SPF for all valid sending and forwarding servers.
- Enable DKIM signing for all outbound email, including forwarding if supported.
- Publish a DMARC TXT record with p=none for monitoring.
- Check your DMARC reports regularly to see who is sending mail as your domain and if it’s passing.
- Only move to quarantine or reject after confirming legitimate mail is passing and only unwanted mail is failing.
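The report check in the last two steps, including the forwarding case from the previous section, as an added example (not KartHost's tooling): it totals one aggregate (rua) report per sending IP and lists the mail that p=quarantine or p=reject would act on. It assumes the report attachment has already been decompressed to XML in the RFC 7489 layout; the sample report, its IP addresses and example.com are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, trimmed to the fields used here.
def _record(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")      # your own mail server
    + _record("198.51.100.7", 15, "pass", "fail")     # forwarder: SPF breaks, DKIM survives
    + _record("203.0.113.99", 40, "fail", "fail")     # unknown sender using your domain
    + "</feedback>")

def summarize(xml_text):
    """Return {source_ip: {"pass": n, "fail": n, "dkim_only": n}} for one report."""
    # Reports are sent by third parties, so refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing report that declares a DTD or entities")
    sources = {}
    for row in ET.fromstring(xml_text).iter("row"):
        stats = sources.setdefault(row.findtext("source_ip"),
                                   {"pass": 0, "fail": 0, "dkim_only": 0})
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim == "pass" or spf == "pass":   # DMARC passes if either aligned check passes
            stats["pass"] += count
            if spf != "pass":
                stats["dkim_only"] += count   # would fail DMARC if DKIM were missing
        else:
            stats["fail"] += count            # failed both checks
    return sources

def enforcement_impact(summary):
    """Messages per source IP that quarantine/reject would act on, largest first."""
    hit = {ip: s["fail"] for ip, s in summary.items() if s["fail"]}
    return sorted(hit.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for ip, stats in summary.items():
        print(ip, stats)
    print("affected by enforcement:", enforcement_impact(summary))
```

Every IP listed by `enforcement_impact` should be identified as either a legitimate sender that still needs SPF or DKIM set up, or unwanted mail, before the policy is tightened.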
Who Sends DMARC Reports and When?
- You do not control when DMARC reports are sent.
- Reports are sent by the email providers (like Google, Microsoft, Yahoo) who receive mail from your domain.
- Most providers send reports once every 24 hours, but the exact timing is up to them—not you.
Who Sends Reports? | Who Controls Timing? |
---|---|
Gmail (Google) | Google |
Outlook.com (Microsoft) | Microsoft |
Yahoo Mail | Yahoo |
Other mail servers | Each organization |
How Long Can You Leave p=none in Place?
You can leave p=none in your DMARC policy for as long as you want—there is no technical expiration or enforcement deadline. However, p=none is intended only as a temporary, data-gathering mode and does not provide any real protection against phishing, spoofing, or abuse of your domain.
Policy | How Long to Use | Purpose |
---|---|---|
p=none | Short-term (monitoring) | Gather data, identify/authenticate all senders |
p=quarantine | Transitional | Divert unauthenticated mail to spam, check for issues |
p=reject | Long-term (enforcement) | Block unauthenticated mail, maximize protection |
In summary:
You can technically leave p=none in place indefinitely, but for real security and to meet industry best practices, you should move to p=quarantine or p=reject as soon as you have finished monitoring and authenticating all legitimate senders. Remaining on p=none long-term leaves your domain unprotected against spoofing and phishing, and is not recommended.
If you need more help, please contact KartHost support. Domains with email forwarding only may be asked to pay the Domain Name Concierge Service Fee as this is a manual setup.