Check your DMARC policy — free, instantly
DMARC is now required by Google and Yahoo. Enter your domain to see your current DMARC record, policy enforcement level, and what you need to fix.
Free. No signup required. Checks DMARC, SPF, DKIM, MX, and blacklists in one scan.
What is DMARC and how does it work?
DMARC — Domain-based Message Authentication, Reporting, and Conformance — is a DNS policy that sits on top of SPF and DKIM. Where SPF says "only these servers can send email for my domain" and DKIM says "this email was cryptographically signed by my domain," DMARC answers the question that neither can alone: what should happen when an email fails those checks?
When a receiving mail server gets an email from your domain, it checks your DMARC record and learns your policy. If the email fails DMARC, meaning neither SPF nor DKIM passes in alignment with the From: domain, the server follows your instructions: deliver it anyway (none), send it to spam (quarantine), or reject it entirely (reject). You also get daily XML reports showing every server that sent email as your domain, legitimate or not.
This combination makes DMARC the most powerful anti-phishing tool available to domain owners. It is why the U.S. federal government, the UK government, and major financial institutions have all mandated DMARC enforcement across their domains.
The three DMARC policies explained
Your DMARC policy determines how aggressively failing emails are handled. Most organizations start at none and work toward reject.
What Google and Yahoo now require
In February 2024, Google and Yahoo implemented new requirements for email senders. For bulk senders (5,000+ emails/day to Gmail or Yahoo addresses), these are now mandatory:
- A valid SPF record that authorizes your sending infrastructure
- DKIM signatures with a 2048-bit key on all outbound mail
- A DMARC record with at minimum p=none — even monitor mode counts
- A one-click unsubscribe link in marketing and subscription emails
- A spam complaint rate below 0.1% (measured in Google Postmaster Tools)
Even if you send fewer than 5,000 emails per day, Google applies these signals to spam scoring for all senders. Domains without DMARC are treated as higher risk — meaning your emails are more likely to land in spam even if your content is perfect.
Why staying on p=none is dangerous
Many organizations set up DMARC with p=none, collect reports for a few weeks, then forget about it. This is one of the most common email security mistakes. With p=none, your DMARC record satisfies the technical requirement from Google and Yahoo — but it provides zero protection against impersonation.
Business email compromise (BEC) attacks cost organizations $2.9 billion in 2023, according to the FBI Internet Crime Report. In most cases, the attacker sends emails that appear to come from a company executive — often to finance teams, asking for wire transfers or gift card purchases. A DMARC policy of p=reject would block these attacks entirely. p=none lets them sail straight to the inbox.
The path from none to reject takes time, but it is well-defined. Read your rua= reports, identify every legitimate sender, make sure they pass SPF and DKIM, then raise the policy. MailScore can monitor your DMARC status daily and alert you if anything changes.
DMARC frequently asked questions
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS policy record that tells receiving mail servers what to do when an email fails SPF or DKIM authentication. A DMARC record has three parts: the policy (none, quarantine, or reject), reporting addresses where you receive aggregate and forensic reports, and alignment settings that govern how strictly SPF and DKIM results must match the From: domain. DMARC builds on top of SPF and DKIM — you need both before DMARC can be effective.
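The three parts of a record described above can be read straight out of the TXT value. The following is an added example, not MailScore's code: it parses a record, applies the RFC 7489 defaults (relaxed alignment, pct=100, sp inheriting p) and flags the weak settings this page warns about. The function names and sample records are constructed for illustration.

```python
def parse_dmarc(txt):
    """Split a raw DMARC TXT value into a tag -> value dict and validate it."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags

def summarise(txt):
    """Report policy, reporting addresses, alignment and weak spots."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))       # default: apply to all mail
    findings = []
    if policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be received")
    split = lambda v: [u.strip() for u in v.split(",") if u.strip()]
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp inherits p
        "pct": pct,
        "rua": split(tags.get("rua", "")),
        "ruf": split(tags.get("ruf", "")),
        "dkim_alignment": tags.get("adkim", "r").lower(),    # r = relaxed (default)
        "spf_alignment": tags.get("aspf", "r").lower(),
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com"):
        print(summarise(record))
```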
What DMARC policy should I use?
Start with p=none (monitor mode) to collect data without affecting mail flow, then graduate to p=quarantine once you are confident all legitimate sending sources pass authentication, and finally to p=reject for full protection. Staying permanently on p=none gives you no real protection — phishers can still impersonate your domain and your emails are not fully protected. Most security teams recommend reaching p=reject within 90 days of setup. Google Workspace and Microsoft 365 both publish guidance on the transition timeline.
Is DMARC required?
As of February 2024, Google and Yahoo require a DMARC record (at minimum p=none) for any domain sending more than 5,000 emails per day to Gmail or Yahoo Mail addresses. Microsoft followed with similar requirements. Even if you send fewer messages, DMARC is strongly recommended: without it, your domain is vulnerable to business email compromise (BEC) attacks where attackers impersonate your executives or invoice your customers. The National Cyber Security Centre (NCSC) and CISA both list DMARC as a baseline security control.
How long does DMARC take to set up?
The DNS record itself propagates in minutes. But the full DMARC journey — from p=none to p=reject — typically takes 4 to 12 weeks. The main work is reviewing the daily XML aggregate reports (rua= address) to identify every system that sends email as your domain: transactional email services, marketing platforms, CRMs, support tools, and any third-party senders. Each must be properly authenticated before you tighten the policy. Tools like MailScore let you track your DMARC status automatically and alert you when something changes.
Check your DMARC record now
MailScore checks DMARC alongside SPF, DKIM, MX records, and blacklists — and shows you exactly what to fix, in plain English.