DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that builds on SPF and DKIM. It tells receiving mail servers two things: what to do if a message fails SPF or DKIM checks (accept, quarantine, or reject), and where to send authentication reports. A typical record looks like v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com;.

Since early 2024, Google and Yahoo require a published DMARC record for any sender emailing more than 5,000 messages per day to their users. In practice, every serious B2B outbound team now runs DMARC on every sending domain, because inbox providers treat a missing DMARC record as a red flag even below that volume threshold. If you are running cold email without DMARC in 2026, you are paying a deliverability tax you do not need to pay.

Teams usually roll DMARC out in three phases. Start at p=none, which only monitors and reports without affecting delivery — this lets you see which legitimate services are sending on your behalf before you lock anything down. Then move to p=quarantine, which tells receivers to route failing mail to spam. Finally, p=reject tells receivers to drop failing mail outright. Most outbound teams live at p=quarantine because p=reject will kill legitimate traffic if anything in the setup is misconfigured.

When the term matters

DMARC is foundational deliverability infrastructure. Any new cold outbound domain should have DMARC published before the first email goes out. Any existing domain without it is quietly losing inbox placement at Google and Yahoo. Reviewing DMARC reports (the rua address) is also the single best way to see which services are impersonating your domain and which legitimate tools need to be added to SPF/DKIM.

Related concepts

DMARC is the enforcement layer on top of SPF and DKIM. Getting it right is a prerequisite for email warmup to actually improve domain reputation.