Reference

What is DMARC and why it matters

A plain-English introduction to DMARC: what the standard does, how it builds on SPF and DKIM, and why it protects your domain from spoofing and phishing.

3 min readLast updated 14 June 2026
Jump to section

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email-authentication standard that lets you tell the world's mail receivers what to do with messages that claim to be from your domain but cannot prove it. It builds on two older standards, SPF and DKIM, and adds two things they lack: a published policy and reporting.

The problem DMARC solves

Email was never designed with sender verification in mind. Anyone can put you@yourdomain.com in the From: field of a message, which is exactly how phishing and brand-impersonation attacks work. SPF and DKIM each provide a way to authenticate mail, but on their own they give receivers no instruction on what to do when a message fails, and no way to tell you it happened.

DMARC closes both gaps:

  • Policy — you publish, in DNS, what receivers should do with mail that fails authentication: monitor it, send it to spam, or reject it outright.
  • Reporting — receivers send you aggregate reports showing every source sending mail as your domain, and whether it passed or failed. This is what Blankitt DMARC ingests and turns into a dashboard.

How DMARC works, briefly

  1. A receiver gets a message claiming to be from your domain.
  2. It checks SPF (is the sending IP authorised?) and DKIM (does the cryptographic signature verify?).
  3. It then checks alignment — whether the SPF or DKIM domain matches the From: domain a human sees.
  4. A message passes DMARC if it has at least one of aligned SPF or aligned DKIM. If it has neither, it fails, and your published DMARC policy decides its fate.

Crucially, DMARC only ever acts on unaligned mail. A message can pass raw SPF and DKIM yet still fail DMARC if neither is aligned to the From: domain — the single most common cause of unexpected failures (covered in its own article).

The DMARC record

DMARC lives in a DNS TXT record at _dmarc.yourdomain.com. A starting record looks like this:

_dmarc.yourdomain.com.  TXT  "v=DMARC1; p=none; rua=mailto:<token>@rua.blankitt.com"
  • v=DMARC1 — the version tag (always first).
  • p=none — the policy. none means monitor only; you collect data without affecting delivery.
  • rua= — where aggregate reports are sent. Use the unique inbound address shown in your Blankitt DMARC Settings so reports flow straight in and are ingested automatically.

Why it matters

  • Stops domain spoofing. A policy of p=reject means receivers drop mail that fails authentication, making it far harder to impersonate you.
  • Protects your brand and customers from phishing that trades on your name.
  • Improves deliverability. Many large mailbox providers now require DMARC for bulk senders.
  • Gives you visibility. Reports reveal every system sending as your domain — including forgotten or shadow-IT senders.

DMARC is purely about authentication. It has nothing to do with spam or content filtering — it only answers "is this message really from who it claims to be?"

Where to start

Follow the Getting Started checklist in the app: add your domain, publish a p=none record pointing rua= at your Blankitt inbound address, then let reports accumulate for a week or two before tightening your policy. You can also run a quick external check any time with the free DMARC checker.

Still stuck? Email support or open the support widget in the bottom-right.