How Does DMARC Work?
To understand how DMARC works, you should be aware that it requires either an SPF or DKIM record, preferably both. When an email arrives, the receiving server performs a DNS (Domain Name System) lookup to see if there is an existing DMARC record.

The DKIM/SPF checks are carried out as usual.
The receiving server then performs a so-called "DMARC alignment test" to determine whether:
- In the case of SPF, the "envelope from" email address found in the email's hidden technical header matches the "return-path" address. In other words, it determines whether the email address from which the message was sent matches the address to which a prospective reply should be sent.
- In the case of DKIM, the value of the "d" tag (email sender's domain) corresponds to the domain from which the email was sent.
Naturally, if both authentication methods are configured, both alignment tests are performed. The alignment requirements can be "strict" (the domains must match exactly) or "relaxed" (the base domains have to match, but different subdomains are permitted).
DMARC passes in the following scenarios:
- If only one of the authentication methods is configured, its check must be successful, as well as its alignment test.
- If both authentication methods are configured, one of them must pass along with its alignment test; it is not necessary for both to pass.
Note that DMARC will still pass even if, for example, DKIM and its alignment fail while SPF and its alignment succeed.
DMARC lets you tell the receiving server what should happen to emails that fail authentication. These policies can also be fine-tuned. For instance, with a "quarantine" policy, you may instruct the email server to send only 10% of emails with failed checks to the spam folder while ignoring ("none") the remaining 90%.
It is important to note that simply instructing the server on what to do does not guarantee that it will completely follow your recommendations. Still, it gives you considerably more control than DKIM and SPF authentication alone. In addition, a receiving server will send reports for each failed DMARC verification, including aggregated statistics on unsuccessful checks. This is crucial for measuring the effectiveness of your messages and keeping you informed of any phishing schemes that occur.
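The pass/fail logic and the percentage-based policy described above, as an added Python example (not code from the original page). It checks alignment against the visible From domain, the function names and sample record are constructed, and `ORG_SUFFIXES` is a small stand-in for the Public Suffix List that a real receiver uses to find base domains.

```python
import random

# Assumption: a tiny constructed stand-in for the Public Suffix List.
ORG_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Base (organizational) domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ORG_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode "s" = strict (exact match), "r" = relaxed (same base domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc(txt):
    """Parse a DMARC TXT record into the tags used below, with defaults."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return {"p": tags["p"], "pct": int(tags.get("pct", "100")),
            "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}

def evaluate(record, from_domain, spf=None, dkim=None, rng=random.random):
    """spf/dkim: (result, domain) tuples or None. Returns (result, disposition)."""
    pol = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], pol["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(from_domain, dkim[1], pol["adkim"]))
    if spf_ok or dkim_ok:              # one aligned pass is enough
        return "pass", "none"
    applied = pol["p"]
    if rng() * 100 >= pol["pct"]:      # message falls outside the pct sample
        # RFC 7489: fall back one step (reject -> quarantine -> none)
        applied = {"reject": "quarantine"}.get(applied, "none")
    return "fail", applied

# Constructed sample: a published policy with strict DKIM, relaxed SPF alignment.
RECORD = "v=DMARC1; p=quarantine; pct=10; adkim=s; aspf=r"
if __name__ == "__main__":
    print(evaluate(RECORD, "example.com", spf=("pass", "bounces.esp-mail.net"),
                   dkim=("pass", "mail.example.com")))
```

In the sample call both SPF and DKIM pass on their own, yet DMARC fails because neither authenticated domain aligns with `example.com` under the published modes.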
DMARC failure? Here's what it means and how to address it
Struggling with a DMARC failure? Learn what it means when DMARC fails and how to take practical actions to resolve the issue and ensure your emails reach their destination.
Knowing why DMARC fails is critical for protecting your domain from phishing and spoofing attacks and maintaining good email delivery rates. DMARC, an email authentication standard, works together with SPF (Sender Policy Framework) and DKIM to validate the legitimacy of emails received from your domain.
Three key DMARC myths debunked:
DMARC is only for security purposes
This is somewhat accurate. DMARC is intended to combat email spoofing and phishing attempts. However, DMARC is more than just that. DMARC enforcement and its comprehensive reporting features greatly enhance legitimate mail delivery. They help to establish and strengthen brand trust and analytics. Thus, DMARC can significantly boost any marketing strategy.
DMARC is only for domains that send email.
No. Even if your domain does not send emails, it can still be impersonated.
Setting the DMARC policy to "none" suffices for email security.
Wrong. Setting the DMARC policy to "none" is usually the first step in ensuring proper DMARC reporting and delivery, but it does not increase security or protect your domain from being impersonated. To get the most out of DMARC security and marketing enhancement, you'll need to use a policy of (at least) p=quarantine or (better still) p=reject with pct=100.
Furthermore, if you decide to keep up with the times and use BIMI as the current brand authentication approach, you must set your DMARC record to the "reject" policy in order to be eligible for BIMI certification.
How to Fix DMARC Failures
- Make a list of all the email sending providers you use to send messages from your email domain name. This could include:
- Email Service Providers (ESP) or Email Newsletter Platforms such as Mailchimp, Substack, or numerous marketing clouds.
- Customer Relationship Management (CRM) Platforms such as Unsightly CRM, Salesforce, and HubSpot.
- Business email platforms for 1:1 email, such as Microsoft 365 and Google Workspace.
If you're a Valimail subscriber, our Precision Sender Intelligence feature can help you correctly identify these email providers and others, allowing you to effortlessly map out your whole email sending universe. After you've identified each of your email sending platforms, review their guidelines and documentation on how to correctly set up DKIM and SPF email authentication.
For DKIM, practically every email sending platform allows you to "configure a custom domain" or "enable email authentication" so that you can sign messages using your domain, ensuring that the DKIM signature domain "aligns" with (matches) the visible From domain in your emails. DKIM "alignment" is always a good practice and almost always required to pass DMARC checks correctly, preventing unexpected email rejections.
Only a few sending platforms will let you adjust the "return-path" domain for SPF in order to achieve full "alignment" of the SPF domain with your visible From domain. Make sure you read their documentation and follow their instructions. And if they advise you to focus just on DKIM, that's often acceptable.
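One way to build the sender inventory from DMARC aggregate reports, as an added Python example (not code from the original page or from Valimail). It lists sources whose mail authenticated for some domain but failed DMARC because that domain does not align. The report is a constructed sample trimmed to the RFC 7489 fields used here, and the function assumes an already decompressed report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; the addresses
# are documentation ranges and the domains are made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp-mail.net</domain><result>pass</result></dkim>
      <spf><domain>bounces.esp-mail.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def failing_sources(report_xml):
    """Map each source IP that failed DMARC to its volume and unaligned domains."""
    # Reports come from third parties: use a hardened parser such as
    # defusedxml in production instead of the standard-library one.
    root = ET.fromstring(report_xml)
    out = defaultdict(lambda: {"count": 0, "dkim_domains": set(), "spf_domains": set()})
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC fails only if both fail.
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        src = out[rec.findtext("row/source_ip")]
        src["count"] += int(rec.findtext("row/count", "0"))
        for mech in ("dkim", "spf"):
            for auth in rec.iterfind(f"auth_results/{mech}"):
                if auth.findtext("result") == "pass":
                    # Authenticated but unaligned: candidate for custom-domain setup.
                    src[f"{mech}_domains"].add(auth.findtext("domain"))
    return dict(out)

if __name__ == "__main__":
    print(failing_sources(SAMPLE_REPORT))
```

A source that shows up here with a passing DKIM or SPF domain belonging to a provider on your list is the case the custom-domain setup fixes; a source with no passing domain at all deserves a closer look.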
Frequently Asked Questions
1. Why use DMARC? Does DMARC mitigate spoofing?
Yes, it does. When DMARC is configured in reject mode, it stops all spoofed emails from reaching the inbox.
2. Who uses DMARC? Could you please give me a list of companies who use DMARC?
Most (if not all) email service providers support DMARC, the industry's de facto email authentication standard. Google, Microsoft, Amazon, LinkedIn, and a number of other companies embrace DMARC.
3. Is DMARC for small and medium-sized companies (SMBs) or huge enterprises?
DMARC is required for any organization that cares about email deliverability, security, and brand reputation, large or small.
4. Is DMARC hard to implement?
Not at all. You can create a DMARC record using our free online DMARC record generator, publish it in the DNS in 5 minutes, and begin receiving aggregate reports after a day or two. That will provide you with some insight into your domain's email streams, and you can then move on to the DMARC quarantine or reject policy.