Field notes · Deliverability

DMARC in 2026: from p=none to p=reject without breaking your mail.

Most domains now have a DMARC record. Far fewer are protected, because they stopped at the monitoring policy and never enforced. Here is what every tag does, how the none-to-reject journey is done without blocking your own mail, and a generator to build your record as you read.

Published 9 June 2026 · Argus Root deliverability practice · ~24 min read

Audit your authentication Build your record →

DMARC is the email authentication standard that ties SPF and DKIM to the domain your recipients see, tells receiving servers what to do with mail that fails, and reports back on everything sent in your name. It is defined by RFC 7489, and a message passes it when either SPF or DKIM passes and aligns with the From domain. Its power is in the policy tag: p=none watches, p=quarantine sends failures to spam, and p=reject blocks them outright. The hard part is not publishing the record; it is the journey from none to reject, which means discovering every service that sends as your domain, fixing each one's authentication, and tightening the policy in stages so you never block your own invoices and password resets. Done carelessly it breaks legitimate mail; done patiently it stops spoofing and strengthens the reputation that decides whether you reach the inbox at all.

What DMARC closes that SPF and DKIM leave open.

SPF and DKIM each authenticate something, but neither one, on its own, protects the address your recipient reads. DMARC is the layer that does.

SPF checks that a message came from a server the domain authorises to send for it. DKIM checks that a message carries a valid cryptographic signature from a domain. Both are useful, and both share a blind spot: neither requires the domain they authenticate to be the domain shown in the From header that a human sees. An attacker can pass SPF on their own throwaway domain, or sign with DKIM for a domain they control, while writing your brand into the visible From line, and basic authentication checks would not object. DMARC closes that loophole with alignment, the requirement that the domain authenticated by SPF or DKIM match the domain in the From header. Add a policy on top, and the receiver now knows both that the mail is authenticated and that it is authenticated for the domain it claims to be from.

The reason this matters more every year is that spoofing is where the money is. The FBI's 2026 reporting added AI-enabled cybercrime as its own category, with thousands of complaints and hundreds of millions in losses from AI-generated phishing, voice cloning and deepfakes, and email remains the primary gateway for these attacks. A domain sitting at no enforcement is a domain anyone can wear, and the cost of moving to enforcement is a fraction of the cost of a single successful business-email-compromise fraud carried out in your name. DMARC is the control that takes your domain off the table as something an attacker can freely impersonate.

How DMARC decides, and why alignment is the whole game.

The pass-or-fail logic is simpler than it looks, and understanding it tells you exactly where rollouts go wrong.

A message passes DMARC when either SPF or DKIM passes and aligns with the From domain. The word that does the work is aligns. SPF alignment means the domain SPF authenticated matches the From domain; DKIM alignment means the domain in the DKIM signature matches it. Per RFC 7489, your policy is applied only when both SPF alignment and DKIM alignment fail, so a single aligned pass is enough to succeed. That asymmetry shapes the practical advice: you do not need both to align, you need at least one to align reliably for every legitimate sender, and DKIM alignment is usually the more dependable to lean on because a DKIM signature survives forwarding while SPF often does not.

Alignment comes in two modes. Relaxed, the default, lets a subdomain match the organisational domain, so a message signed by mail.example.com aligns with a From of example.com; strict demands an exact match. Relaxed is the right choice for almost everyone and is set with aspf=r and adkim=r, the defaults you rarely touch. Strict alignment exists for organisations with a specific reason to require exact-domain authentication, and choosing it without that reason is a common way to make legitimate mail fail for no benefit. The rollout work, then, is mostly the work of getting one aligned pass for every real sender, which is why the aggregate reports that show you alignment per source are the centre of the whole exercise.

What DMARC does not protect you from.

DMARC is powerful within a precise boundary, and mistaking that boundary for a wider one leaves gaps people assume are covered.

DMARC protects the exact domain in your From header. It does nothing about lookalike or cousin domains, the addresses an attacker registers to resemble yours, examples like exampl3.com or example-support.com, because those are different domains that pass their own authentication honestly. A message from a cousin domain is not spoofing your domain; it is impersonating your brand from somewhere you have no authority, and stopping it needs brand monitoring, takedowns and recipient awareness rather than a DNS record. DMARC also does not encrypt mail, does not inspect content for phishing language or malicious links, and does not vouch for the trustworthiness of a sender it authenticates; a spammer can publish a perfectly valid DMARC record for their own domain. Its single job is to make sure that mail claiming to be from your domain genuinely is, and it does that one job well, but reading it as a general anti-phishing or anti-fraud system is how organisations end up surprised by an attack it was never designed to stop. Pair it with the other controls rather than expecting it to be all of them.

Anatomy of a DMARC record, tag by tag.

The record is a single DNS TXT entry at _dmarc.yourdomain.com, made of semicolon-separated tags. Most are optional; two are not.

Every DMARC record begins with v=DMARC1 and carries a p= policy; those two are required and the rest tune behaviour. The rua tag names where aggregate reports are sent and is the one optional tag you should always include, because without it you get a policy and no visibility. The remaining tags handle reporting detail, subdomains, alignment mode and gradual rollout. A minimal monitoring record reads v=DMARC1; p=none; rua=mailto:[email protected], and a mature enforcement record might read v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s. The generator below assembles a correct record from your choices, but it helps to know what each tag means before you publish one.

DMARC tags

DMARC record tags and what each one does.
Tag	Meaning	Typical value
v	Version (required, first)	DMARC1
p	Policy for the domain (required)	none / quarantine / reject
rua	Where aggregate reports go	mailto:[email protected]
ruf	Where forensic reports go (rarely supported)	mailto:[email protected]
pct	Percent of failing mail the policy applies to	10 → 100 (ramp)
sp	Policy for subdomains	reject (keep covered)
adkim / aspf	DKIM / SPF alignment mode	r (relaxed) default
fo	Forensic reporting options	1 (report any fail)

Build your DMARC record.

Set your choices and copy the record. Publish it as a TXT record at the host shown, then read your aggregate reports before tightening the policy.

Your domain Policy (p) Report address (rua) Apply to % (pct) Subdomain policy (sp) Alignment

Publish as TXT at _dmarc.example.com Record value

A correct record is the easy part. The work is reading the aggregate reports that arrive at your rua address and fixing every legitimate sender before you raise the policy. Start at p=none, stay at least 90 days, then ramp.

The none-to-reject journey, done safely.

The policy values are not three options to choose between; they are three stages of one journey, and the order and pace are what keep your mail flowing.

You start at p=none with a rua address and nothing else, and you stay there for at least 90 days. This is the audit phase, not the destination: no mail is affected, and every receiving provider sends you reports showing who is sending as your domain. You use that time to build a complete map of your legitimate senders, fix each one's SPF or DKIM so it aligns, and document the result. Only when your reports show consistent alignment for every authorised source, ideally above the 98% of legitimate traffic that practitioners treat as the threshold, do you move on. Moving sooner means enforcing against mail you have not finished identifying, which is how organisations block their own systems.

The move to quarantine is done with the pct tag rather than all at once. A careful ramp runs pct=10 for two weeks, then 25, 50, 75 and finally 100, with a review of aggregate reports at each step, and organisations that ramp this way see far fewer delivery disruptions than those that jump straight to full enforcement. That ramp takes roughly 90 to 120 days. Reject comes last, after a stretch at quarantine with clean reports, and turns failing mail from a spam-folder problem into a hard block. The full journey from none to reject typically takes nine to eighteen months, and the time is not wasted caution; it is the difference between enforcement that stops attackers and enforcement that stops your own invoices.

enforcement ramp · a safe schedule

A safe DMARC enforcement ramp.
Stage	Duration	Goal
p=none	90+ days	Map and fix every sender
quarantine, pct ramp	90–120 days	10 → 25 → 50 → 75 → 100
p=reject	ongoing	Full protection

Reading aggregate reports without drowning.

Aggregate reports are the instrument panel of a DMARC rollout. They arrive as XML, and the trick is a simple sorting discipline rather than reading raw markup.

Every provider that receives mail claiming to be from your domain sends an aggregate report to your rua address, summarising the source IPs, the volumes, and whether each passed SPF, DKIM and alignment. The way to use them is to sort every sending source into three buckets. Known and passing are your healthy senders; keep a documented list of them. Known but failing are usually legitimate services that are misconfigured, a platform that needs an SPF include added or DKIM signing enabled, and these are your fix list. Unknown senders deserve scrutiny: some are harmless noise from forwarders and scanners, and some are genuine abuse of your domain that DMARC is now showing you for the first time. At this stage DMARC stops being a DNS task and becomes an operational one, often needing input from marketing, sales, support and engineering, because the senders you have to account for live across all of them.

The raw XML is readable but tedious at scale, which is why reporting platforms exist to turn it into dashboards of senders, pass rates and alignment issues. A platform makes the work faster, but it does not change the discipline: classify every source, fix the legitimate ones, investigate the unknowns, and do not tighten the policy until the picture is clean. Forensic reports, requested with the ruf tag, are a different and lesser tool, sample copies of individual failing messages that help with debugging but are supported by few providers and carry privacy weight because they can include personal data. Most decisions come from aggregate reports; treat forensic reports as an occasional diagnostic rather than a routine feed.

Subdomains, and the gap attackers like.

Spoofers do not always target your main domain. The subdomains you never send from are an easy, often-forgotten door.

The sp tag sets a policy for subdomains separately from the main p tag. If you omit it, subdomains inherit the main policy, so a domain at p=reject protects its subdomains by default. The risk appears when an organisation runs a relaxed main policy for operational reasons but leaves unused subdomains wide open, because an attacker can spoof billing.example.com or news.example.com just as convincingly as the root, and recipients rarely scrutinise the subdomain. The safe default is to make sure subdomains are covered at least as strictly as the main domain, setting sp=reject explicitly if your main policy is looser, and to publish a restrictive record on subdomains you do not use at all. Closing the subdomain gap costs one tag and removes a class of impersonation that a main-domain-only policy leaves open.

Parked domains, and DMARC at portfolio scale.

The domains most likely to be spoofed are often the ones nobody is watching, and organisations that hold many domains face the same journey multiplied.

A domain you own but never send mail from is a gift to a spoofer, because no one is monitoring it and recipients have no baseline to judge against. The fix is direct: publish a strict record straight away, v=DMARC1; p=reject; rua=mailto:[email protected], on every parked or non-sending domain, since there is no legitimate mail to break and nothing to ramp. A non-sending domain can go to reject on day one, which is the rare case where jumping straight to enforcement is correct. Pair it with an SPF record that authorises no senders and a null DKIM posture, and the domain announces that it sends nothing and anything claiming otherwise should be rejected. Brands routinely protect their primary domain and forget the dozen defensive registrations sitting unprotected beside it.

For organisations holding many active domains, an agency, a group with multiple brands, an MSP managing client domains, the journey is the same per domain but the management is the challenge. Each domain has its own senders, its own reports and its own pace toward reject, and treating them as one undifferentiated batch is how a missed sender on one domain becomes a blocked invoice. The workable approach is a per-domain inventory and ramp, a consistent reporting address or platform that separates results by domain, and a documented sending map for each. The discipline does not change with scale; the bookkeeping does, and the organisations that reach reject across a portfolio are the ones that tracked each domain's senders rather than hoping a single policy fit them all.

The mistakes that cause rollbacks.

Most DMARC failures are not exotic. They are a short list of recurring problems, and knowing them in advance is most of the protection against them.

Jumping straight to reject is the classic, blocking legitimate senders you never knew existed. Staying at p=none forever is the opposite failure, common and quieter, publishing a record for compliance and never gaining protection. The SPF ten-lookup limit catches growing senders: route mail through enough third-party services and your SPF record breaches the cap, SPF fails, and that cascades into DMARC failures for legitimate mail, which is fixed by auditing and flattening the SPF record to stay within the limit. Forwarding and mailing lists break alignment, because forwarding defeats SPF and lists modify messages in ways that break DKIM signatures, and the answer is to recognise those flows in your reports and lean on ARC, which preserves authentication results across a hop. The common thread is that all of these are visible in aggregate reports before they become a crisis, and all are recoverable without an emergency if you ramp with the pct tag and drop back a step when a legitimate sender starts failing rather than pushing through.

The SPF ten-lookup limit, the quiet DMARC killer.

One specific SPF constraint causes more DMARC failures for legitimate mail than any other single cause, and it tends to appear exactly when a business is growing.

SPF evaluation is capped at ten DNS lookups, a limit built into the standard to stop a single check from triggering an unbounded chain of queries. Each include in your SPF record, every third-party service you authorise, a marketing platform, a help desk, an invoicing tool, a CRM, consumes part of that budget, and several of them nest further lookups inside their own includes. Add enough senders and the record silently exceeds ten lookups, at which point SPF returns a permanent error rather than a pass. Because DMARC needs an aligned SPF or DKIM pass, a broken SPF record removes one of the two ways legitimate mail can succeed, and any sender that was relying on SPF alignment rather than DKIM starts failing DMARC. The failure is invisible until you read the reports, and it grows naturally as a company adds tools, which is why a rollout that was clean six months ago can drift into trouble.

The fix is to audit the SPF record, count the lookups, and flatten it, replacing nested includes with the resolved IP ranges so the record stays within the limit, or moving senders to DKIM alignment where it is more dependable anyway. Tools exist to flatten and monitor SPF automatically, but the principle is to treat the ten-lookup budget as a resource you actively manage rather than discover you have overspent. This single constraint is worth checking first whenever previously-passing mail starts failing DMARC, because it is both the most common cause and the easiest to overlook in a record that looks correct line by line.

The 2026 reality: records everywhere, protection rarely.

The headline adoption numbers look encouraging and hide a gap that is the whole point of this guide.

By 2026 hundreds of thousands of domains carry a DMARC record, with one industry count putting it near 938,000, yet only around 9% of them are protected, meaning at an enforcing policy of quarantine or reject. More than half of top domains still have no DMARC at all, and among those that do, roughly 68% remain parked at p=none. The reporting picture is similarly partial: the number of domains publishing an rua tag has grown substantially year over year, but a large share of DMARC-enabled domains still collect no feedback at all, which means they have a policy they cannot safely tighten because they cannot see what tightening would break. The pattern is consistent: publishing the record is treated as the finish line, when it is the starting line.

The reason the gap persists is that the record takes minutes and the journey takes months, and the months are where the value is. A domain at p=none is visible to its owner and wide open to attackers; only enforcement closes the door. The encouraging reading of the 2026 data is that the cost of crossing from a record to real protection is small relative to the cost of a single fraud committed in your name, and the discouraging reading is how many organisations stop one DNS change short of the protection they think they already have. The point of treating p=none as an audit phase with a deadline, rather than a permanent state, is to be in the 9% that is protected rather than the majority that merely watches.

Reaching reject is not the end of the work.

Arriving at p=reject is the milestone, but a domain at reject still drifts if nobody watches it, and the things that change are exactly the things that quietly reintroduce failures.

Your sending estate is not static. Marketing adopts a new platform, a department signs up for a tool that sends on the company's behalf, a vendor changes the infrastructure it mails from, and any of these can appear as a new, unaligned source after you have reached reject, which now means its mail is blocked rather than merely flagged. The aggregate reports that mapped your senders during the rollout are the same instrument that catches these new arrivals, so reading them does not stop when you reach enforcement; it becomes the ongoing hygiene that keeps reject from blocking a legitimate sender nobody told you about. A monthly review of new source IPs in your reports is enough for most organisations, and it is far cheaper than the fire drill of a blocked launch.

Two operational habits keep a domain healthy at reject. Rotate DKIM keys on a sensible schedule and confirm the new keys are published and aligned before the old ones retire, since a botched rotation breaks DKIM and removes one of the two paths to a DMARC pass. And keep the SPF record inside its lookup budget as you add and remove senders over time, because the ten-lookup ceiling is breached by accumulation, not by a single change. Treated this way, DMARC at reject is a stable, low-effort control; treated as set-and-forget, it is a control that works until the day a change you did not track turns enforcement against your own mail. Build a short runbook for it: who reads the monthly report, what triggers adding a sender to SPF or DKIM, and how a key rotation is staged and verified before the old key is removed. A page of process turns a control that depends on one person remembering into one the organisation can sustain, which is what keeps a domain at reject for years rather than for a single attentive quarter.

Running it yourself, and where it connects.

DMARC is one of the places where owning your infrastructure pays off, because the reports that drive every decision are yours to ingest and keep.

Aggregate reports are standard XML sent to whatever address your rua tag names, which means a self-hosted parser can ingest, aggregate and visualise them without handing the data to a third-party platform. That matters beyond cost: the reports reveal every service that sends as your domain, which is a map of your operations that you may not want to share outside your own infrastructure, and keeping the parsing in-house keeps that map private. On a stack you control, the same discipline that runs SPF and DKIM correctly extends naturally into DMARC: align every sender, watch the reports, ramp with the pct tag, and reach reject on a schedule the reports justify rather than a date on a calendar. The trade-off is that you build and maintain the ingestion and the dashboards; the benefit is full control and no outside service holding your sending map. For a multi-brand operator or an agency running many client domains, that control compounds: the same in-house parser handles every domain, separates results cleanly, and never exposes one client's sending map to a platform shared with others, which is the kind of separation that matters when the domains belong to distinct businesses that should not be visible to each other.

DMARC also does not stand alone. It is the enforcement layer over the SPF and DKIM that the bulk sender requirements demand, it is a prerequisite for the brand-logo display of BIMI, and a domain at reject is one whose reputation a provider can trust is genuinely yours, which feeds the inbox placement that warming a sender and honouring unsubscribes also protect. That is the lens we bring, because we run sending infrastructure and read these reports rather than only advise on them, and getting to reject without breaking mail is exactly the kind of careful, months-long work that rewards someone watching it closely. Where it helps to have the authentication built, the reports read, and the ramp run by people who do it for a living, that is the work our deliverability audit and wider email infrastructure practice exist to do.

Questions senders are asking in 2026.

What does DMARC do?

DMARC tells receiving mail servers what to do with a message that claims to come from your domain but fails authentication, and it asks them to send you reports on what they see. It builds on SPF and DKIM by adding alignment, a check that the authenticated domain matches the domain your recipients see in the From line. Without that match, an attacker could pass SPF on their own domain while spoofing yours in the From address; DMARC closes that gap and gives you a policy to enforce.

What are the three DMARC policies?

p=none monitors only, taking no action but sending you reports; p=quarantine routes failing mail to spam; p=reject blocks it at the SMTP level so the recipient never sees it. The policy is the enforcement tag: without moving past none, you have visibility into spoofing but no protection from it. The whole point of DMARC is to progress, carefully, from none through quarantine to reject.

When does a message pass DMARC?

When either SPF or DKIM passes and aligns with the From domain. Per RFC 7489, the policy only applies when both SPF alignment and DKIM alignment fail, so a single aligned pass is enough for the message to succeed. This is why getting at least one of SPF or DKIM aligned for every legitimate sender is the real work of a DMARC rollout, and why DKIM alignment is usually the more reliable one to rely on, since it survives forwarding better than SPF.

What is alignment, and what is the difference between relaxed and strict?

Alignment is the requirement that the domain authenticated by SPF or DKIM matches the domain in the From header. Relaxed alignment, the default and the right choice for most, allows a subdomain to match the organisational domain, so mail.example.com aligns with example.com. Strict alignment requires an exact match. Relaxed is set with aspf=r and adkim=r and rarely needs changing; strict is for organisations with a specific reason to demand exact-domain authentication.

How long does it take to get from p=none to p=reject?

Typically nine to eighteen months for an organisation of any size, done properly. You spend at least 90 days at p=none identifying and fixing every legitimate sender, then ramp through quarantine using the pct tag over roughly 90 to 120 days, then move to reject once aggregate reports show clean, consistent alignment. The timeline is driven by how many sending services you have and how cleanly they authenticate, not by impatience, and rushing it is the most common cause of blocking your own mail.

Can I just publish p=reject straight away?

You can, and you almost certainly should not. Jumping straight to reject blocks every legitimate sender you did not know about, and most organisations are surprised by how many services send on their behalf, from CRMs to invoicing tools to support desks. The safe path is to start at p=none with reporting, discover your real sending map from the reports, fix authentication for each source, and only then enforce. The cost of patience is a few months; the cost of haste is blocked invoices and password resets.

What does the pct tag do?

It tells receivers to apply your policy to only a percentage of failing mail, which lets you ramp enforcement gradually instead of switching it on for everyone at once. A common ramp is pct=10 for two weeks, then 25, 50, 75 and finally 100, watching aggregate reports at each step. Organisations that ramp by percentage see far fewer delivery disruptions than those that jump to full enforcement, because each step exposes any missed sender before it affects much of your mail.

What are aggregate reports and forensic reports?

Aggregate reports, requested with the rua tag, are XML summaries every receiving provider sends back showing which sources sent mail as your domain and whether they passed SPF, DKIM and alignment. They are the heart of a DMARC rollout. Forensic or failure reports, requested with ruf, are sample copies of individual failing messages, useful for debugging but supported by few providers and sensitive because they can contain personal data. Most of your decisions come from aggregate reports; forensic reports are an occasional diagnostic.

How do I read aggregate reports without drowning in XML?

Sort every sending source into three buckets. Known and passing are your healthy senders; document them. Known but failing are usually misconfigured legitimate services that need an SPF include added or DKIM signing enabled. Unknown senders deserve scrutiny, since some are harmless noise and some are abuse. A reporting platform that turns the raw XML into dashboards makes this far easier, but the three-bucket discipline is the same whether you read the XML by hand or through a tool.

What is the sp tag for?

The sp tag sets a separate policy for subdomains, overriding the main p tag for them. It matters because attackers often spoof subdomains you do not actively use, so a domain at p=reject with no sp tag still inherits reject for subdomains, but if you set a looser main policy you should set sp=reject explicitly to keep unused subdomains protected. For most organisations, ensuring subdomains are covered at least as strictly as the main domain is the safe default.

Why do forwarded emails and mailing lists fail DMARC?

Forwarding often breaks SPF, because the forwarding server becomes the sender and is not in your SPF record, and mailing lists frequently modify the message in ways that break the DKIM signature. When both break, the message fails DMARC even though it is legitimate. The standard answer is ARC, which preserves the original authentication results across a hop, and recognising these flows in your aggregate reports so you do not tighten policy in a way that blocks a legitimate mailing list.

Do I need SPF and DKIM before DMARC?

Yes. DMARC validates against SPF and DKIM, so without at least one of them deployed and active, your DMARC record has nothing to check and will report failures for everything. Set up SPF and DKIM first, let them run for a couple of days, then publish DMARC at p=none. Trying to add DMARC to a domain with no working authentication underneath produces noise, not protection.

What is the most common reason a DMARC rollout stalls or rolls back?

Two reasons dominate. The first is the SPF ten-lookup limit: route mail through enough third-party services and your SPF record exceeds the DNS lookup cap, SPF fails, and that cascades into DMARC failures for legitimate mail. The second is moving to enforcement before every legitimate sender is aligned, so a missed service suddenly gets quarantined or rejected. Both are caught by reading aggregate reports patiently before tightening, and both are fixed without an emergency if you ramp with the pct tag.

How does DMARC relate to BIMI and to deliverability generally?

BIMI, which displays your brand logo in supporting inboxes, requires DMARC at quarantine or reject as a prerequisite, so reaching enforcement enables that as a side benefit. More broadly, a domain at p=reject is one a mailbox provider can trust is not being spoofed, which supports the reputation that decides inbox placement. DMARC is both an anti-spoofing control and a deliverability signal, which is why the bulk-sender requirements treat it as foundational.

Is p=none enough to be compliant?

It satisfies the letter of requirements that only ask for a DMARC record, which is why so many domains publish p=none and stop. But p=none provides zero protection against spoofing; it only watches. Attackers can still impersonate your domain freely, and the reports simply tell you it is happening. Treating p=none as the destination rather than the audit phase is the single most common way DMARC is implemented without delivering the protection it exists to provide.

Can I run DMARC reporting myself instead of using a vendor?

Yes. Aggregate reports are standard XML sent to whatever address your rua tag specifies, so a self-hosted parser can ingest, aggregate and visualise them without a third-party platform, which also keeps the reporting data, and the sending patterns it reveals, inside your own infrastructure. The trade-off is that you build and maintain the parsing and the dashboards yourself; the benefit is full control and no sharing of who sends mail on your behalf with an outside service.

What should I do with domains I own but never send email from?

Publish a strict record on them immediately. A non-sending or parked domain has no legitimate mail to break, so you can set v=DMARC1; p=reject; rua=mailto:[email protected] on day one, the rare case where jumping straight to reject is correct. Pair it with an SPF record that authorises no senders. Unprotected parked and defensive domains are a favourite target precisely because nobody is watching them, so protecting them costs nothing and closes an easy door.

Does DMARC stop lookalike or cousin domains?

No. DMARC protects the exact domain in your From header, so it does nothing about an attacker who registers a similar domain like example-support.com and sends honestly authenticated mail from it. Those are different domains impersonating your brand from outside your authority, and stopping them needs brand monitoring, takedowns and recipient awareness rather than a DNS record. DMARC stops people wearing your domain; it cannot stop people dressing up as something near it.

Deliverability audit

A record is minutes. Protection is the journey.

We map every service sending as your domain, fix the authentication so each one aligns, read the aggregate reports, and ramp you from p=none to p=reject on a schedule the data justifies, without blocking the mail your business runs on. The destination is a domain attackers cannot wear and providers can trust.

Book a deliverability audit More field notes →

One aligned pass per sender Ramp, never jump Reach reject, stay there