DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol. It uses SPF and DKIM to determine the authenticity of an email message. DMARC tells receiving mail servers exactly what to do if an email claims to be from your domain but fails authentication.
Check your domain for syntax errors, policy enforcement, and reporting tags.
Before DMARC, if an email failed an SPF check, the receiving server (like Outlook or Gmail) had to guess whether to reject it or deliver it anyway. DMARC removes the guesswork. You, the domain owner, publish a DMARC policy in your DNS that explicitly instructs the receiver:
A DMARC record is published as a TXT record. However, unlike SPF, it must be published on a very specific subdomain. If your domain is example.com, you must add the TXT record to the hostname _dmarc.example.com.
Only two tags are strictly required for a valid DMARC record. The v tag must be first (v=DMARC1), and the p tag must be second (e.g., p=none). All other tags (like rua, ruf, pct, sp) are optional, though adding a reporting tag (rua) is highly recommended.
These tags tell receiving servers where to send DMARC reports. rua is for Aggregate reports (daily XML summaries of email traffic). ruf is for Forensic/Failure reports (detailed, immediate reports on specific emails that failed authentication). Both require a valid URI format, like mailto:reports@yourdomain.com.
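As an added example (not code from this page or from any checker tool), the Python linter below applies the rules described above: the _dmarc hostname, v=DMARC1 first, p second, and mailto URIs for rua and ruf. The function names, the simplified mailto pattern, and the sample records are assumptions constructed for illustration.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
# Simplified mailto check (assumption, not a full URI grammar); allows a "!10m" size suffix.
MAILTO_RE = re.compile(r"^mailto:[^@\s,!]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}(![0-9]+[kmgt]?)?$", re.I)

def dmarc_hostname(domain):
    """Hostname where the DMARC TXT record must be published."""
    return "_dmarc." + domain.strip().rstrip(".").lower()

def lint_dmarc(record):
    """Return (tags, problems) for one DMARC TXT record string."""
    problems, pairs = [], []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag (no '='): {part!r}")
            continue
        pairs.append((name.strip().lower(), value.strip()))
    names = [n for n, _ in pairs]
    tags = dict(pairs)
    if len(names) != len(set(names)):
        problems.append("duplicate tag")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p tag must be second")
    elif pairs[1][1].lower() not in VALID_POLICIES:
        problems.append(f"invalid policy: {pairs[1][1]!r}")
    for key in ("rua", "ruf"):
        if key not in tags:
            continue
        uris = [u.strip() for u in tags[key].split(",") if u.strip()]
        if not uris:
            problems.append(f"{key}: tag present but empty")
        for uri in uris:
            if not MAILTO_RE.match(uri):
                problems.append(f"{key}: not a valid mailto URI: {uri!r}")
    if "rua" not in tags:
        problems.append("warning: no rua tag, so no aggregate reports will be sent")
    return tags, problems

# Constructed sample records: one valid, one with ordering and URI errors.
if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:reports@yourdomain.com",
                "p=reject; v=DMARC1; rua=reports@yourdomain.com"):
        print(rec, "->", lint_dmarc(rec)[1] or "OK")
```
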
Alignment is a core concept of DMARC. For an email to pass DMARC, the domain visible in the "From" address (what the user sees) must match the domain used to authenticate SPF or DKIM. If you send via a third-party tool and they use their own bounce domain for SPF, you must ensure DKIM is aligned; otherwise, DMARC will fail the email.