Skip to main content
← Back to Docs

DMARC FAQ

Frequently asked questions about DMARC

DMARC FAQ

General Questions

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that prevents email spoofing. It works with SPF and DKIM to protect your domain.

Why do I need DMARC?

  • Prevents attackers from sending emails pretending to be from your domain
  • Protects your brand reputation
  • Reduces phishing and email fraud
  • Builds trust with customers

How does DMARC work?

  1. You publish a DMARC record in your DNS
  2. Email receivers check if emails match your policy
  3. They verify SPF and DKIM authentication
  4. They either deliver, quarantine, or reject based on results
  5. They send reports back about what happened

Is DMARC required?

No, but it’s highly recommended. Many organizations are moving towards DMARC enforcement for security.

Technical Questions

Do I need SPF and DKIM for DMARC?

Yes. DMARC requires at least one of SPF or DKIM to work properly. Ideally, both are configured.

What’s the difference between SPF, DKIM, and DMARC?

  • SPF - Verifies the email server is authorized
  • DKIM - Digitally signs the email message
  • DMARC - Policy that says what to do if SPF/DKIM fail

Can I use DMARC without SPF?

Technically yes, but it’s not recommended. You need both for maximum protection.

What’s “alignment”?

Alignment means the domain in the email “From” header matches the domain used for authentication (SPF/DKIM).

  • Strict - Must match exactly
  • Relaxed - Subdomains allowed

How many DMARC records can I have?

Only one per domain. If you create multiple, only the first is used.

Can I have different policies for subdomains?

Yes! You can set up separate DMARC records for subdomains like mail.yourdomain.com.

Reporting Questions

How often do I get reports?

Weekly on Monday mornings by default. You can adjust frequency in your DMARC Nerd settings.

What information is in the reports?

  • Email volume
  • Authentication results (pass/fail)
  • Policy actions taken
  • Sending IP addresses
  • Dates and times of activity

What are forensic reports?

Forensic reports contain detailed information about failed emails, including the full message headers. Useful for investigating issues.

How long are reports kept?

DMARC Nerd keeps 30 days of data by default. Extended retention (up to 1 year) is available with add-ons.

Implementation Questions

How do I implement DMARC?

  1. Create account at DMARC Nerd
  2. Add your domain
  3. Copy the DNS record
  4. Add it to your DNS provider
  5. Start receiving reports

See Getting Started for detailed steps.

How long does it take to implement?

5-15 minutes to add the DNS record. Reports start coming in immediately (aggregated Monday morning).

What DMARC policy should I start with?

Start with p=none to monitor without affecting email delivery. After 1-2 weeks, move to p=quarantine. After another 1-2 weeks, move to p=reject.

Should I use p=reject?

Only after thoroughly testing and ensuring all legitimate senders pass authentication. Moving to reject too quickly can cause mail delivery issues.

What if legitimate emails are being rejected?

  1. Check your DMARC reports
  2. Identify the failing senders
  3. Add their servers to your SPF record
  4. Or enable DKIM for their service
  5. Test again before moving to stricter policies

Troubleshooting

I’m not receiving reports

  • Check that your email address is correct
  • Verify DNS record is properly configured
  • Wait up to 48 hours for first report
  • Check spam folder
  • Contact support

My reports show 0% pass rate

  • SPF/DKIM may not be configured
  • Set up SPF record listing authorized servers
  • Enable DKIM with your email provider
  • Wait 1-2 weeks for data to accumulate

Legitimate emails are failing

  • Identify the sender in your reports
  • Add their server to SPF record
  • Or configure DKIM for their service
  • Test with a sample email first
  • May take 24 hours for DNS changes

I see suspicious sending IPs

  • This could indicate spoofing attempts
  • Review the headers to identify senders
  • Add additional senders to SPF if legitimate
  • Consider moving to p=reject for protection
  • Contact us if unsure

Best Practices

Getting Started

  1. Start with p=none policy
  2. Monitor for 1-2 weeks
  3. Review reports for issues
  4. Fix authentication problems
  5. Move to stricter policy

Ongoing

  • Review reports weekly
  • Look for unauthorized senders
  • Keep SPF/DKIM updated
  • Inform your team about email changes
  • Monitor for spoofing attempts

Policy Progression

Week 1-2:   p=none          (monitoring)
Week 3-4:   p=quarantine    (testing)
Week 5+:    p=reject        (enforcement)

More Questions?

If you can’t find the answer here, contact our support team!

← Back to Documentation