Does DMARC work without SPF or DKIM?

No. DMARC requires either SPF or DKIM (or both) to pass and align with the From domain. If you publish a DMARC record but have no SPF or DKIM records, every message will fail DMARC authentication. Set up SPF and DKIM before publishing your DMARC record.

Speak to an Email Deliverability Consultant FOR FREE

Book a Call

Pricing

Try for Free

Free DMARC Generator

Q: What is a DMARC record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that tells receiving mail servers how to handle messages failing SPF or DKIM authentication. DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It protects your domain from being used in phishing attacks and email spoofing.

Q: Can I have multiple DMARC records for one domain?

No. DNS allows only one DMARC record per domain (published at _dmarc). Publishing multiple DMARC records causes authentication failures. If you need different policies for subdomains, use the sp= tag in your main DMARC record or publish separate DMARC records at _dmarc.subdomain.yourdomain.com.

Q: What are aggregate and forensic DMARC reports?

Aggregate reports (rua=) provide daily summaries of authentication results — which IP addresses sent email, how many passed/failed SPF and DKIM, and what percentage was delivered. Forensic reports (ruf=) send individual failure notifications with message headers for debugging. Most organizations use aggregate reports only because forensic reports can contain sensitive data.

Q: What are examples of common DMARC records?

Monitor mode (starting out): v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com — Quarantine unauthorized email: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=50 — Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; aspf=s; adkim=s

Q: How strict should my DMARC policy be?

Start with p=none and monitor aggregate reports for 2-4 weeks to identify all legitimate sending sources. Move to p=quarantine with pct=10 (applying the policy to 10% of messages) and gradually increase to pct=100 over several weeks. Switch to p=reject only after you're confident no legitimate email will be blocked. Rushing to p=reject without proper monitoring can break critical email flows.

Q: What is DMARC alignment, and why does it matter?

DMARC alignment means the domain in the From header matches the domain authenticated by SPF or DKIM. Relaxed alignment (adkim=r, aspf=r) allows subdomains to pass (email from mail.yourdomain.com passes for yourdomain.com). Strict alignment (adkim=s, aspf=s) requires exact domain matches. Use relaxed alignment unless you need maximum security — strict alignment can break legitimate email from subdomains or third-party services.

Q: How do I check if my DMARC record is working?

Use a DMARC validation tool to verify that your record is published correctly with no syntax errors. Wait 24-48 hours after publishing, then check the email address in your rua= tag for aggregate reports from major mailbox providers (Google, Microsoft, Yahoo). Reports confirm that receiving servers are reading your DMARC policy and processing authentication results.

Generate Your DMARC Record in Under 60 Seconds

Our free DMARC generator creates valid, error-free DMARC records that tell receiving mail servers how to handle authentication failures, without any technical knowledge.

Let's secure your domain!
Enter the domain to set up DMARC records

Trusted by 1000+ companies

How to Publish Your Generated DKIM in DNS

Publishing a DMARC record means creating a TXT record at _dmarc.yourdomain.com in your domain's DNS zone. Most domain registrars and DNS hosting providers (GoDaddy, Cloudflare, Route 53, Namecheap) have a DNS management console where you add records manually.

Step 1: Log in to your DNS provider

Access your domain registrar or DNS hosting control panel. Look for "DNS Management," "Zone Editor," or "Advanced DNS."

Step 2: Navigate to your domain's DNS zone

Find the domain you're configuring DMARC for. Select it to open the record editor.

Step 3: Create a new TXT record

Choose "Add Record" or "Create Record." Set the record type to TXT.

Step 4: Set the hostname to _dmarc

Enter _dmarc as the hostname (some providers require _dmarc.yourdomain.com). Never leave this field blank — DMARC records must be published at the _dmarc subdomain.

Step 5: Paste your generated DMARC record

Copy the DMARC record from EmailWarmup.com's generator and paste it into the "Value" or "TXT Content" field.

Step 6: Set TTL (Time to Live)

Use the default TTL (usually 3600 seconds / 1 hour) or set a custom value. Lower TTL values propagate changes faster but increase DNS query load.

Step 7: Save changes

Click "Save," "Add Record," or "Publish" to commit the DMARC record to DNS.

Step 8: Verify your DMARC record

Wait 10-30 minutes for DNS propagation. Use a free DMARC checker to confirm the record is published correctly and contains no syntax errors.

DMARC Tags That Control Authentication Policy

A DMARC record starts with v=DMARC1 and uses tags to define policy, reporting, and alignment. Each tag controls how receiving mail servers handle messages that fail SPF or DKIM authentication.

Tag	What it Does	Syntax Example	Required
v	Protocol version (always DKIM1)	v=DKIM1	Yes
p	Policy for authentication failures	p=none p=quarantine p=reject	Yes
rua	Email address for aggregate reports	rua=mailto:dmarc@yourdomain.com	No
ruf	Email address for forensic reports	ruf=mailto:forensic@yourdomain.com	No
sp	Policy for subdomains (inherits p if not set)	sp=quarantine	No
adkim	DKIM alignment mode (r=relaxed, s=strict)	adkim=r	No
aspf	SPF alignment mode (r=relaxed, s=strict)	aspf=r	No
pct	Percentage of messages to apply policy to	pct=50	No
fo	When to generate forensic reports	fo=1 (0, 1, d, s)	No
rf	Format for forensic reports	rf=afrf	No
ri	Reporting interval in seconds	ri=86400	No

DMARC Policy Enforcement Levels

DMARC policies tell receiving mail servers what to do when a message fails SPF and DKIM authentication or alignment checks.

Policy	Name	What It Means	When to Use
p=none	Monitor	Accept all messages, but send reports	Starting DMARC deployment — monitor email sources without blocking anything
p=quarantine	Soft Fail	Mark suspicious messages as spam	After identifying legitimate sources — catch unauthorized senders without risking delivery
p=reject	Hard Fail	Reject messages outright	Full enforcement — block all unauthorized email and prevent domain spoofing

DMARC Won't Fix a Broken Authentication Setup

Your DMARC record only works if SPF and DKIM are configured correctly — without both passing and aligning with your From domain, DMARC authentication fails and your emails land in spam. At EmailWarmup.com, you can talk to an email deliverability consultant for free and let our team:

Audit your complete SPF, DKIM, and DMARC configuration

Identify sending sources causing DMARC failures

Fix authentication errors killing your inbox rate

Remove you from email blacklists

Book your time today and make sure your email authentication is 100% bulletproof — so your emails land in the inbox instead of spam or promotions.

Frequently asked questions
about our FREE DMARC Generator

Here’s everything you need to know about our DMARC Generator:

What is a DMARC record?

Can I have multiple DMARC records for one domain?

What are aggregate and forensic DMARC reports?

What are examples of common DMARC records?

How strict should my DMARC policy be?

What is DMARC alignment, and why does it matter?

How do I check if my DMARC record is working?