LogoSimply SendDOCS
    GuideDomain VerificationDMARC

    DMARC Policy

    DMARC (Domain-based Message Authentication, Reporting, and Conformance) provides the final layer of protection for yourdomain.com.

    Overview

    DMARC is an email authentication policy that operates on top of SPF and DKIM. It allows domain owners to define how receiving email servers (like Gmail or Microsoft) should handle incoming emails that fail SPF or DKIM checks.

    Why It's Needed

    DMARC prevents phishing and domain spoofing. By publishing a DMARC policy, you block unauthorized senders from sending emails using your domain identity. It also provides alignment verification, ensuring that the domain shown in the "From" header matches the domains validated by SPF and DKIM.

    Prerequisites

    Before publishing or enforcing a DMARC record, you must ensure that both SPF and DKIM are fully verified. If you deploy a strict DMARC policy before verifying SPF and DKIM, legitimate emails from your domain will fail authentication checks and be discarded or sent to spam folders.

    Step 1: Retrieve Your DMARC Policy

    Log in to Simply Send, go to the Domains page, select your domain, and navigate to the DNS Records page. Under the Email Authentication section, you will find your pre-generated DMARC policy.

    Step 2: DNS Record Specifications

    Add the following TXT record to your registrar's DNS configuration panel:

    Record TypeHost / NameValue / ContentTTLVerification Status
    TXT_dmarc.yourdomain.comv=DMARC1; p=reject;Auto / 1 hourMandatory

    Step 3: Configuration Guide & Critical Considerations

    Understanding Policy Levels (`p=`)

    The DMARC record specifies how receiving mail servers handle emails claiming to be from your domain that fail SPF/DKIM verification. Three main policy options exist:

    p=none

    Monitor only. Emails are delivered normally, but you receive aggregate reports detailing which servers are sending mail on your domain's behalf.

    p=quarantine

    Soft fail. Emails failing SPF/DKIM verification checks are routed straight to the recipient's spam/junk folders instead of the inbox.

    p=reject

    Hard fail. Emails failing authentication are completely blocked at the server level, never reaching the recipient's mailbox.

    Why does Simply Send recommend p=reject?

    The generated policy defaults to p=reject to guarantee maximum protection against spoofing. However, because this tells receiving mail servers to discard any emails that fail SPF/DKIM validation, you must ensure that your SPF and DKIM configurations have no spelling mistakes, omitted records, or formatting errors.

    Example DMARC TXT Record Value:

    v=DMARC1; p=reject;

    Step 4: Verify and Activate

    Wait for Propagation

    DNS TXT updates can take from 15 minutes to 24 hours to replicate globally across DNS caching servers.

    Enable in Console

    Once the record propagates, click "Verify" in your Simply Send dashboard to finalize and enforce your DMARC status.

    Next Step: Configure Custom MAIL FROM (MX Records)

    With SPF, DKIM, and DMARC configured, set up MX records to handle delivery feedback and align your domain return paths.

    Configure MX Records