What Is DMARC and Why It Matters for Cold Email Senders
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving mail servers what to do when an email fails SPF or DKIM checks. For cold email senders, DMARC is no longer optional. Google's 2024 bulk sender requirements made DMARC mandatory, and without it, your emails are far more likely to land in spam.
At Alchemail, we configure DMARC on every one of the 100+ sending domains we manage per client. It is a foundational step in our infrastructure setup, and getting it wrong can undermine everything else you do for deliverability.
How DMARC Works
DMARC builds on two existing authentication protocols: SPF and DKIM. Here is how they work together:
- SPF verifies that the sending server is authorized to send email for your domain
- DKIM verifies that the email content was not altered in transit using a cryptographic signature
- DMARC ties them together and tells the receiving server what to do when a message fails authentication, that is, when neither SPF nor DKIM passes with alignment
When an email arrives at a receiving server:
- The server checks SPF (does the sending IP match the domain's SPF record?)
- The server checks DKIM (does the signature match?)
- The server checks DMARC (does the "From" domain align with SPF or DKIM? What policy does the domain owner want applied to failures?)
DMARC Alignment
This is the critical concept. DMARC requires "alignment," meaning the domain in the "From" header must match the domain checked by SPF or DKIM.
Example: If you send from artur@outreach-acme.com, DMARC checks that:
- The SPF record for outreach-acme.com authorizes the sending server, OR
- The DKIM signature is signed by outreach-acme.com
If neither aligns, the email fails DMARC.
| Check | What It Validates | DMARC Requirement |
|---|---|---|
| SPF | Sending server authorization | Domain in return-path must align with From domain |
| DKIM | Message integrity | Signing domain must align with From domain |
| DMARC | Policy enforcement | At least one (SPF or DKIM) must pass AND align |
DMARC Record Syntax
A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. Here is the anatomy of a DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100
DMARC Tags Explained
| Tag | Meaning | Values | Required? |
|---|---|---|---|
| v | Version | DMARC1 | Yes |
| p | Policy | none, quarantine, reject | Yes |
| rua | Aggregate report address | mailto:email | No (but recommended) |
| ruf | Forensic report address | mailto:email | No |
| pct | Percentage of emails to apply policy | 1-100 | No (default 100) |
| adkim | DKIM alignment mode | r (relaxed) or s (strict) | No (default r) |
| aspf | SPF alignment mode | r (relaxed) or s (strict) | No (default r) |
DMARC Policy Levels
p=none (Monitor Only)
- No enforcement. Emails that fail DMARC are delivered normally.
- Use this when first setting up DMARC to collect data without affecting delivery.
- You still get reports showing which emails pass and fail.
p=quarantine
- Failing emails are sent to the spam/junk folder.
- This is the recommended policy for cold email senders after a monitoring period.
- Signals to inbox providers that you take authentication seriously.
p=reject
- Failing emails are blocked entirely.
- The strictest policy. Best for preventing spoofing of your domain.
- Use with caution on sending domains to ensure all legitimate emails pass authentication first.
Setting Up DMARC for Cold Email
Step 1: Verify SPF and DKIM First
DMARC is useless without properly configured SPF and DKIM. Verify both are working:
Check SPF:
- Use MXToolbox SPF lookup for your domain
- Confirm the record includes your email provider (Google or Microsoft)
- Ensure there is only one SPF record per domain
Check DKIM:
- Send a test email to a Gmail account
- Click "Show Original" in Gmail
- Verify DKIM shows "PASS"
For complete setup instructions, see our SPF, DKIM, and DMARC technical guide.
Step 2: Start with p=none
Add this DNS TXT record to _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
This starts DMARC in monitoring mode. You will receive aggregate reports showing how your emails are being authenticated.
Step 3: Review Reports for 2-4 Weeks
DMARC aggregate reports come as XML files. Use a tool to parse them:
- DMARC Analyzer (dmarcanalyzer.com)
- Postmark DMARC (dmarc.postmarkapp.com, free)
- EasyDMARC (easydmarc.com)
Look for:
- What percentage of your emails pass DMARC
- Which sending sources fail authentication
- Any unauthorized senders using your domain
Step 4: Upgrade to Quarantine
Once you confirm all legitimate emails pass DMARC:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100
This tells receiving servers to send unauthenticated emails to spam. It protects your domain reputation.
Step 5: Consider Reject (Optional)
For maximum protection:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100
We use p=reject on primary business domains that should never be used for cold outreach. For sending domains, p=quarantine is usually the right balance.
Why DMARC Matters Specifically for Cold Email
Google's 2024 Bulk Sender Requirements
Google now requires all senders who send 5,000+ messages per day to Gmail addresses to:
- Set up SPF and DKIM authentication
- Publish a DMARC record (minimum p=none)
- Ensure messages pass DMARC alignment
- Include easy unsubscribe options
- Keep spam rates below 0.3%
Without DMARC, Google will deprioritize your emails. For cold email senders, this is non-negotiable.
Microsoft's Authentication Requirements
Microsoft has also tightened requirements. While not as explicit as Google's rules, Microsoft increasingly uses DMARC status in filtering decisions. Emails without DMARC are more likely to be filtered.
Deliverability Impact
From our data at Alchemail:
| DMARC Configuration | Average Inbox Placement |
|---|---|
| No DMARC | 45-60% |
| p=none | 65-75% |
| p=quarantine | 75-85% |
| p=reject | 80-90% |
Setting up DMARC with p=quarantine improved inbox placement by 15-25 percentage points in our testing. The effect is significant and immediate (after DNS propagation).
Common DMARC Mistakes in Cold Email
Mistake 1: Not Setting Up DMARC at All
Many cold email senders configure SPF and DKIM but skip DMARC. This leaves a gap in your authentication chain that inbox providers penalize.
Mistake 2: Staying on p=none Forever
The monitoring phase should last 2-4 weeks, not indefinitely. Staying on p=none provides no enforcement benefit. Inbox providers want to see active DMARC policies.
Mistake 3: Using the Wrong Alignment Mode
For cold email through Google Workspace or Microsoft 365, relaxed alignment (the default) works fine. Strict alignment can cause false failures if your sending platform modifies the return-path.
Mistake 4: Not Reading DMARC Reports
DMARC reports tell you exactly what is happening with your email authentication. Ignoring them means you miss:
- Failed authentication from legitimate sending sources
- Unauthorized senders spoofing your domain
- Configuration errors on specific domains
Mistake 5: Multiple DMARC Records
Each domain should have exactly one DMARC record at _dmarc.domain.com. Multiple records cause unpredictable behavior. If you need to change your DMARC policy, update the existing record. Do not add a new one.
DMARC for Multiple Sending Domains
When managing 50-100+ sending domains (as we do at Alchemail), DMARC setup must be systematic:
- Template your DMARC record so every domain gets the same configuration
- Use a centralized reporting address to aggregate all DMARC reports
- Automate DNS record creation when setting up new domains
- Audit all domains quarterly to ensure DMARC records are still active
- Upgrade policies in batches rather than all at once
DMARC Record Template for Cold Email Domains
v=DMARC1; p=quarantine; rua=mailto:dmarc@youragency.com; pct=100; adkim=r; aspf=r
This template:
- Enforces quarantine policy (recommended for sending domains)
- Sends reports to a centralized address
- Applies to 100% of emails
- Uses relaxed alignment (works with most sending platforms)
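A sketch of the quarterly audit described above, as an added Python example (not Alchemail's tooling): it parses each domain's DMARC TXT value, applies the defaults from the tag table, and flags missing records, duplicate records, and domains still on p=none. The domain-to-TXT map is constructed; in practice it would come from DNS lookups of _dmarc.<domain>.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed TXT answers for _dmarc.<domain>; in practice these come from DNS.
SAMPLE = {
    "outreach-acme.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@youragency.com; pct=100; adkim=r; aspf=r"],
    "try-acme.com": ["v=DMARC1; p=none; rua=mailto:dmarc@youragency.com"],
    "get-acme.com": ["v=DMARC1; p=none", "v=DMARC1; p=quarantine"],
    "hello-acme.com": [],
}


def parse_dmarc(txt):
    """Parse one DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 missing")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    for mode in ("adkim", "aspf"):
        if tags.setdefault(mode, "r") not in ("r", "s"):   # default: relaxed
            raise ValueError(f"invalid {mode}= value")
    tags["pct"] = int(tags.get("pct", "100"))              # default: 100
    return tags


def audit(domain_txt):
    """Map each domain to a list of findings; an empty list means healthy."""
    findings = {}
    for domain, txts in domain_txt.items():
        records = [t for t in txts if t.strip().startswith("v=DMARC1")]
        if len(records) != 1:
            findings[domain] = ["no DMARC record" if not records else "multiple DMARC records"]
            continue
        try:
            tags = parse_dmarc(records[0])
        except ValueError as exc:
            findings[domain] = [f"malformed record: {exc}"]
            continue
        issues = []
        if tags["p"] == "none":
            issues.append("still on p=none")
        if "rua" not in tags:
            issues.append("no rua= reporting address")
        findings[domain] = issues
    return findings
```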
DMARC and Email Forwarding
Email forwarding can break DMARC alignment. Here is why:
- When someone forwards your email, the sending IP changes
- SPF fails because the forwarding server is not in your SPF record
- If DKIM survives the forward (most modern systems preserve it), DMARC still passes
This is why DKIM is critical alongside SPF. DKIM signatures survive forwarding; SPF does not. Make sure DKIM is always configured and passing.
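The alignment rule from the DMARC Alignment section, applied to the forwarding case above and to the strict-mode pitfall from Mistake 3, as an added Python example (not from the original guide). It assumes the organizational domain is the last two labels, where real receivers use the Public Suffix List, and sender-platform.example is a made-up platform domain.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf = (result, return-path domain); dkim = (result, signing d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


FROM = "outreach-acme.com"
# Constructed scenarios; sender-platform.example is a made-up sending platform.
SCENARIOS = {
    # Direct send: both checks pass and align.
    "direct": dict(spf=("pass", FROM), dkim=("pass", FROM)),
    # Forwarded: SPF fails on the forwarder's IP, the DKIM signature survives.
    "forwarded": dict(spf=("fail", FROM), dkim=("pass", FROM)),
    # Platform rewrites the return-path to a subdomain; relaxed SPF alignment holds.
    "subdomain_relaxed": dict(spf=("pass", "bounce." + FROM), dkim=("none", "")),
    # Same message under aspf=s: the subdomain no longer aligns.
    "subdomain_strict": dict(spf=("pass", "bounce." + FROM), dkim=("none", ""), aspf="s"),
    # SPF and DKIM both pass, but for the platform's domain: no alignment.
    "unaligned": dict(spf=("pass", "sender-platform.example"),
                      dkim=("pass", "sender-platform.example")),
}


def evaluate_all():
    """Return {scenario name: 'pass' or 'fail'} for the constructed cases."""
    return {name: dmarc_result(FROM, **kw) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    print(evaluate_all())
```

The "unaligned" case is the one that surprises people: a message can show SPF pass and DKIM pass in its headers and still fail DMARC because neither result is for the From domain.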
Monitoring DMARC Health
Weekly Checks
- Review DMARC aggregate reports for authentication failures
- Check that all sending sources are properly authenticated
- Verify no unauthorized senders are using your domains
- Confirm DMARC records exist on all active sending domains
Monthly Checks
- Analyze DMARC report trends over time
- Review and clean up any old or unused sending sources
- Consider upgrading policy levels if everything is passing
- Audit any new domains added to your infrastructure
For a comprehensive monitoring framework, see our cold email deliverability guide.
Frequently Asked Questions
Do I need DMARC if I already have SPF and DKIM?
Yes. SPF and DKIM authenticate individual aspects of your email, but without DMARC, there is no policy telling receiving servers what to do when authentication fails. DMARC is also explicitly required by Google for bulk senders as of 2024. All three protocols work together.
What DMARC policy should cold email senders use?
Start with p=none for the first 2-4 weeks to monitor authentication results. Then upgrade to p=quarantine, which is the sweet spot for most cold email senders. It signals legitimacy to inbox providers without the risk of p=reject blocking your own emails if something is misconfigured.
Will DMARC improve my cold email open rates?
DMARC does not directly affect open rates, but it significantly improves inbox placement. Emails that land in the inbox get opened. Emails in spam do not. At Alchemail, we see open rates of 40-60% across client campaigns, and proper authentication (including DMARC) is a key factor in achieving those numbers.
How do I read DMARC reports?
Raw DMARC reports are XML files that are difficult to read manually. Use a DMARC report analyzer like Postmark's free tool, DMARC Analyzer, or EasyDMARC. These tools visualize your authentication data and highlight failures that need attention.
Can DMARC prevent someone from spoofing my domain?
With p=reject, receiving servers will block emails that fail DMARC authentication for your domain. This effectively prevents most email spoofing. For your primary business domain, p=reject is strongly recommended. For sending domains used in cold outreach, p=quarantine provides good protection while reducing the risk of blocking your own legitimate emails.
Get Your DMARC and Authentication Right
Proper DMARC configuration is one of the highest-impact, lowest-cost improvements you can make to your cold email deliverability. At Alchemail, we configure and monitor authentication across 100+ domains per client, maintaining spam rates under 0.3% and open rates of 40-60%.
If you want experts handling your email authentication and deliverability, book a call with us to get started.

