--- title: 'What Is DMARC and Why It Matters for Cold Email Senders' description: >- Learn what DMARC is, how it works with SPF and DKIM, and why cold email senders must configure DMARC correctly for inbox deliverability. date: '2026-04-04' lastUpdated: '2026-04-04' author: Artur Grishkevich category: Deliverability keywords: - what is DMARC - DMARC cold email - DMARC email authentication - DMARC policy - email authentication --- # What Is DMARC and Why It Matters for Cold Email Senders DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving mail servers what to do when an email fails SPF or DKIM checks. For cold email senders, DMARC is no longer optional. Google's 2024 bulk sender requirements made DMARC mandatory, and without it, your emails are far more likely to land in spam. At Alchemail, we configure DMARC on every one of the **100+ sending domains** we manage per client. It is a foundational step in our infrastructure setup, and getting it wrong can undermine everything else you do for deliverability. ## How DMARC Works DMARC builds on two existing authentication protocols: SPF and DKIM. Here is how they work together: 1. **SPF** verifies that the sending server is authorized to send email for your domain 2. **DKIM** verifies that the email content was not altered in transit using a cryptographic signature 3. **DMARC** ties them together and tells the receiving server what to do if either check fails When an email arrives at a receiving server: 1. The server checks SPF (does the sending IP match the domain's SPF record?) 2. The server checks DKIM (does the signature match?) 3. The server checks DMARC (does the "From" domain align with SPF or DKIM? What policy does the domain owner want applied to failures?) ### DMARC Alignment This is the critical concept. DMARC requires "alignment," meaning the domain in the "From" header must match the domain checked by SPF or DKIM. **Example:** If you send from artur@outreach-acme.com, DMARC checks that: - The SPF record for outreach-acme.com authorizes the sending server, OR - The DKIM signature is signed by outreach-acme.com If neither aligns, the email fails DMARC. | Check | What It Validates | DMARC Requirement | |-------|------------------|-------------------| | SPF | Sending server authorization | Domain in return-path must align with From domain | | DKIM | Message integrity | Signing domain must align with From domain | | DMARC | Policy enforcement | At least one (SPF or DKIM) must pass AND align | ## DMARC Record Syntax A DMARC record is a DNS TXT record published at `_dmarc.yourdomain.com`. Here is the anatomy of a DMARC record: ``` v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100 ``` ### DMARC Tags Explained | Tag | Meaning | Values | Required? | |-----|---------|--------|-----------| | v | Version | DMARC1 | Yes | | p | Policy | none, quarantine, reject | Yes | | rua | Aggregate report address | mailto:email | No (but recommended) | | ruf | Forensic report address | mailto:email | No | | pct | Percentage of emails to apply policy | 1-100 | No (default 100) | | adkim | DKIM alignment mode | r (relaxed) or s (strict) | No (default r) | | aspf | SPF alignment mode | r (relaxed) or s (strict) | No (default r) | ### DMARC Policy Levels **p=none (Monitor Only)** - No enforcement. Emails that fail DMARC are delivered normally. - Use this when first setting up DMARC to collect data without affecting delivery. - You still get reports showing which emails pass and fail. **p=quarantine** - Failing emails are sent to spam/junk folder. - This is the recommended policy for cold email senders after a monitoring period. - Signals to inbox providers that you take authentication seriously. **p=reject** - Failing emails are blocked entirely. - The strictest policy. Best for preventing spoofing of your domain. - Use with caution on sending domains to ensure all legitimate emails pass authentication first. ## Setting Up DMARC for Cold Email ### Step 1: Verify SPF and DKIM First DMARC is useless without properly configured SPF and DKIM. Verify both are working: **Check SPF:** - Use MXToolbox SPF lookup for your domain - Confirm the record includes your email provider (Google or Microsoft) - Ensure there is only one SPF record per domain **Check DKIM:** - Send a test email to a Gmail account - Click "Show Original" in Gmail - Verify DKIM shows "PASS" For complete setup instructions, see our [SPF, DKIM, and DMARC technical guide](/blog/spf-dkim-dmarc-cold-email). ### Step 2: Start with p=none Add this DNS TXT record to `_dmarc.yourdomain.com`: ``` v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com ``` This starts DMARC in monitoring mode. You will receive aggregate reports showing how your emails are being authenticated. ### Step 3: Review Reports for 2-4 Weeks DMARC aggregate reports come as XML files. Use a tool to parse them: - **DMARC Analyzer** (dmarcanalyzer.com) - **Postmark DMARC** (dmarc.postmarkapp.com, free) - **EasyDMARC** (easydmarc.com) Look for: - What percentage of your emails pass DMARC - Which sending sources fail authentication - Any unauthorized senders using your domain ### Step 4: Upgrade to Quarantine Once you confirm all legitimate emails pass DMARC: ``` v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100 ``` This tells receiving servers to send unauthenticated emails to spam. It protects your domain reputation. ### Step 5: Consider Reject (Optional) For maximum protection: ``` v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100 ``` We use `p=reject` on primary business domains that should never be used for cold outreach. For sending domains, `p=quarantine` is usually the right balance. ## Why DMARC Matters Specifically for Cold Email ### Google's 2024 Bulk Sender Requirements Google now requires all senders who send 5,000+ messages per day to Gmail addresses to: 1. Set up SPF and DKIM authentication 2. **Publish a DMARC record** (minimum p=none) 3. Ensure messages pass DMARC alignment 4. Include easy unsubscribe options 5. Keep spam rates below 0.3% Without DMARC, Google will deprioritize your emails. For cold email senders, this is non-negotiable. ### Microsoft's Authentication Requirements Microsoft has also tightened requirements. While not as explicit as Google's rules, Microsoft increasingly uses DMARC status in filtering decisions. Emails without DMARC are more likely to be filtered. ### Deliverability Impact From our data at Alchemail: | DMARC Configuration | Average Inbox Placement | |---------------------|------------------------| | No DMARC | 45-60% | | p=none | 65-75% | | p=quarantine | 75-85% | | p=reject | 80-90% | **Setting up DMARC with p=quarantine improved inbox placement by 15-25 percentage points** in our testing. The effect is significant and immediate (after DNS propagation). ## Common DMARC Mistakes in Cold Email ### Mistake 1: Not Setting Up DMARC at All Many cold email senders configure SPF and DKIM but skip DMARC. This leaves a gap in your authentication chain that inbox providers penalize. ### Mistake 2: Staying on p=none Forever The monitoring phase should last 2-4 weeks, not indefinitely. Staying on p=none provides no enforcement benefit. Inbox providers want to see active DMARC policies. ### Mistake 3: Using the Wrong Alignment Mode For cold email through Google Workspace or Microsoft 365, relaxed alignment (the default) works fine. Strict alignment can cause false failures if your sending platform modifies the return-path. ### Mistake 4: Not Reading DMARC Reports DMARC reports tell you exactly what is happening with your email authentication. Ignoring them means you miss: - Failed authentication from legitimate sending sources - Unauthorized senders spoofing your domain - Configuration errors on specific domains ### Mistake 5: Multiple DMARC Records Each domain should have exactly one DMARC record at `_dmarc.domain.com`. Multiple records cause unpredictable behavior. If you need to change your DMARC policy, update the existing record. Do not add a new one. ## DMARC for Multiple Sending Domains When managing 50-100+ sending domains (as we do at Alchemail), DMARC setup must be systematic: 1. **Template your DMARC record** so every domain gets the same configuration 2. **Use a centralized reporting address** to aggregate all DMARC reports 3. **Automate DNS record creation** when setting up new domains 4. **Audit all domains quarterly** to ensure DMARC records are still active 5. **Upgrade policies in batches** rather than all at once ### DMARC Record Template for Cold Email Domains ``` v=DMARC1; p=quarantine; rua=mailto:dmarc@youragency.com; pct=100; adkim=r; aspf=r ``` This template: - Enforces quarantine policy (recommended for sending domains) - Sends reports to a centralized address - Applies to 100% of emails - Uses relaxed alignment (works with most sending platforms) ## DMARC and Email Forwarding Email forwarding can break DMARC alignment. Here is why: - When someone forwards your email, the sending IP changes - SPF fails because the forwarding server is not in your SPF record - If DKIM survives the forward (most modern systems preserve it), DMARC still passes This is why DKIM is critical alongside SPF. DKIM signatures survive forwarding; SPF does not. Make sure DKIM is always configured and passing. ## Monitoring DMARC Health ### Weekly Checks 1. Review DMARC aggregate reports for authentication failures 2. Check that all sending sources are properly authenticated 3. Verify no unauthorized senders are using your domains 4. Confirm DMARC records exist on all active sending domains ### Monthly Checks 1. Analyze DMARC report trends over time 2. Review and clean up any old or unused sending sources 3. Consider upgrading policy levels if everything is passing 4. Audit any new domains added to your infrastructure For a comprehensive monitoring framework, see our [cold email deliverability guide](/blog/cold-email-deliverability-guide). ## Frequently Asked Questions ### Do I need DMARC if I already have SPF and DKIM? Yes. SPF and DKIM authenticate individual aspects of your email, but without DMARC, there is no policy telling receiving servers what to do when authentication fails. DMARC is also explicitly required by Google for bulk senders as of 2024. All three protocols work together. ### What DMARC policy should cold email senders use? Start with `p=none` for the first 2-4 weeks to monitor authentication results. Then upgrade to `p=quarantine`, which is the sweet spot for most cold email senders. It signals legitimacy to inbox providers without the risk of `p=reject` blocking your own emails if something misconfigures. ### Will DMARC improve my cold email open rates? DMARC does not directly affect open rates, but it significantly improves inbox placement. Emails that land in the inbox get opened. Emails in spam do not. At Alchemail, we see **open rates of 40-60%** across client campaigns, and proper authentication (including DMARC) is a key factor in achieving those numbers. ### How do I read DMARC reports? Raw DMARC reports are XML files that are difficult to read manually. Use a DMARC report analyzer like Postmark's free tool, DMARC Analyzer, or EasyDMARC. These tools visualize your authentication data and highlight failures that need attention. ### Can DMARC prevent someone from spoofing my domain? With `p=reject`, receiving servers will block emails that fail DMARC authentication for your domain. This effectively prevents most email spoofing. For your primary business domain, `p=reject` is strongly recommended. For sending domains used in cold outreach, `p=quarantine` provides good protection while reducing the risk of blocking your own legitimate emails. ## Get Your DMARC and Authentication Right Proper DMARC configuration is one of the highest-impact, lowest-cost improvements you can make to your cold email deliverability. At Alchemail, we configure and monitor authentication across **100+ domains per client**, maintaining **spam rates under 0.3%** and **open rates of 40-60%**. If you want experts handling your email authentication and deliverability, **[book a call with us](https://calendly.com/alchemail-arthur)** to get started.