DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol. It is set in the domain’s DNS settings as a TXT record. It provides verification of the origin of an email by checking and validating the sender’s IP address.
Quick Start
Step 1: Add a DNS record
Add a TXT DNS record named _dmarc.your-domain.com:
v=DMARC1; p=none; sp=none; rua=mailto:dmarc+rua@dmarc.buddy.works; ruf=mailto:dmarc+ruf@dmarc.buddy.works;
Learn how to add a TXT DNS record.
Step 2: Test the emails
Send a couple of emails from your domain.
Step 3: Check reports in Buddy
Go to Domains, select the domain and navigate to its DMARC tab. The first reports will appear after 24 hours.
Alternative setup for external domains
If your domain is not pointed via NS to Buddy, you can still configure DMARC reports using the dedicated setup option:
- Go to Domains and select "Set up DMARC only" from the menu
- Enter the domain name you want to configure for DMARC reports
- Copy the generated _dmarc TXT record with the provided value
- Add the record to your DNS provider or wherever you manage your DNS
- Once added, click "Record added. Proceed" to continue
You can verify the status by going to your domain and opening the DMARC tab - the "Current Value" section will show whether the record is active and properly configured.
How does DMARC work?
DMARC checks whether emails actually originate from your domain and defines what to do with unverified messages. It works in three steps:
- Checks SPF - whether the email comes from an authorized server
- Checks DKIM - whether the message was not modified
- Executes policy - to deal with unverified emails
DMARC parameters
Add a TXT DNS record named _dmarc.your-domain.com:
v=DMARC1; p=none; sp=none; rua=mailto:dmarc+rua@dmarc.buddy.works;
Parameter | Value | Description |
---|---|---|
v=DMARC1 | DMARC1 | Protocol version (always DMARC1) |
p=none | none/quarantine/reject | Policy for emails that do not meet the DMARC requirements |
sp=none | none/quarantine/reject | Policy for subdomains (by default the same as for the main domain) |
rua= | mailto:address | Addresses for aggregate reports (daily summary reports) |
ruf= | mailto:address | Addresses for forensic reports (detailed error reports) |
fo= | 0/1/d/s | Forensic reporting options (0 = only when both SPF and DKIM fail, 1 = when either fails, d = when DKIM fails, s = when SPF fails) |
Policy for emails that do not meet the DMARC requirements:
- p=none - monitoring only, emails are delivered normally
- p=quarantine - email can land in the spam folder
- p=reject - email is bounced
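One way to check a record against the parameters above before publishing it, as an added example (not Buddy's code). The function names and the sample record in the last line are assumptions, and the checks cover only the tags listed on this page.

```python
# Added example (not Buddy's code): lint a DMARC TXT value using the tags on this page.
POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value;' into a dict that keeps tag order."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (effective settings, list of findings) for one record value."""
    tags, findings = parse_dmarc(record), []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        findings.append("v=DMARC1 must be the first tag")
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # sp falls back to the main-domain policy
    for name, value in (("p", p), ("sp", sp)):
        if value not in POLICIES:
            findings.append(f"{name} must be none, quarantine or reject")
    if p == "none":
        findings.append("p=none only monitors: unverified mail is still delivered")
    rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    ruf = [a.strip() for a in tags.get("ruf", "").split(",") if a.strip()]
    if not rua:
        findings.append("no rua address: aggregate reports will not be sent")
    if len(rua) > 2:
        findings.append("more than 2 rua addresses: extras may be ignored")
    for addr in rua + ruf:
        if not addr.lower().startswith("mailto:"):
            findings.append(f"report address needs mailto: prefix: {addr}")
    fo = tags.get("fo", "0").split(":")  # several options may be joined with ':'
    if any(opt not in FO_OPTIONS for opt in fo):
        findings.append("fo must use only 0, 1, d or s")
    if "fo" in tags and not ruf:
        findings.append("fo has no effect without a ruf address")
    return {"p": p, "sp": sp, "rua": rua, "ruf": ruf, "fo": fo}, findings

if __name__ == "__main__":
    # Constructed record with deliberate mistakes.
    print(lint_dmarc("p=reject; v=DMARC1; rua=a@example.com; fo=1")[1])
```
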
Aggregate reports (RUA - Report URI for Aggregate)
These are daily aggregate reports about email sending and verification within your domain. They allow you to easily see:
- How many messages were sent on your behalf on a given day.
- How they passed verification — how many met the SPF/DKIM/DMARC requirements, and how many were rejected or marked as suspicious.
- Where the emails originated — which servers and services were used to send them.
In Buddy:
rua=mailto:dmarc+rua@dmarc.buddy.works
Some DMARC reporters accept a maximum of 1-2 rua addresses. Additional addresses may be ignored. Therefore, we recommend using a single address. If you need more, separate them with commas, as in the example below:
rua=mailto:dmarc+rua@dmarc.buddy.works,mailto:your-email@domain.com;
What they include:
- Number of emails sent from your domain
- Results of SPF and DKIM verification
- Sources of emails
- Statistics on DMARC policy compliance
Optionally, you can add forensic reports. To do this, add the fo=1 and ruf= parameters to the DNS record:
v=DMARC1; p=none; sp=none; rua=mailto:dmarc+rua@dmarc.buddy.works; ruf=mailto:dmarc+ruf@dmarc.buddy.works;
DMARC configuration
Add a TXT DNS record named _dmarc.your-domain.com:
v=DMARC1; p=none; sp=none; rua=mailto:dmarc+rua@dmarc.buddy.works; ruf=mailto:dmarc+ruf@dmarc.buddy.works;
SPF and DKIM records are correctly configured.
DMARC report analysis
To view DMARC reports, go to the Domains section from the left-hand menu, select your domain, and then open the DMARC tab.
Dashboard
On the DMARC dashboard you will find:
Report filters
- Source - filtering by source (All, Known, Unknown)
- Messages - filtering by the message type (All, No forwards, Forwards)
- Period - reporting period (48 hours, 7 days, 14 days, 30 days)
General statistics
- DMARC Compliance - DMARC policy compliance status (Comply, Emails reported)
- Aligned & Passed - verification status (SPF, DKIM)
- Applied policy - policy used (None, Quarantined, Rejected)
Source list
Displays a list of all email sources, organized by the domains of the senders.
By selecting a source you will see the following information:
- IP addresses - list of servers sending out emails
- Number of emails - number of messages from each source
- DKIM/SPF/DMARC status - percentage of emails that passed verification from that source
Reporter list
By clicking on a specific source, you will see a list of reporters — organizations that send DMARC reports for your domain. Reporters are mainly:
- Google.com
- Microsoft.com
- Yahoo.com
- Apple.com
- AOL.com
- Zoho.com
- AWS.com
- ProtonMail.com
- Tutanota.com
- Fastmail.com
Detailed report:
Clicking on a reporter will provide you with a detailed report.
In the top-right corner, you will find the Download XML button, which allows you to download the full report in XML format. The report contains detailed information about all emails, including server IP addresses, SPF/DKIM verification results, and the domains used by email services.
General information
- Report sender - reporter's email address
- Source - email source
- Emails reported - number of reported emails
- From domain - sender's domain
- Applied policy - DMARC policy applied
SPF section
- Return-Path - email return path
- Return-Path & From domain - comparison of the return path with the sender's domain
- Result - SPF verification status (pass/fail)
Return-Path may differ from the From domain. This is normal behavior. These services use their own domains for bounce handling. For example, when Mailchimp sends an email on behalf of your domain, the Return-Path may be mail28.atl71.mcdlv.net instead of your domain.
DKIM section
There may be multiple DKIM sections (if the domain uses multiple keys):
- Signature domain - the DKIM signature domain
- Selector - the DKIM key selector
- Signature Domain & From domain - comparison of the signature domain with the sender's domain
- Result - the DKIM verification result (pass/fail)
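The Return-Path and signature-domain comparisons described above, worked through on a downloaded-style XML report: this added example (not Buddy's code) reads the RFC 7489 aggregate report elements and shows, per source, whether SPF or DKIM alignment carried the DMARC result. The sample report, its IP addresses and selectors are constructed, and the `aligned` helper is a simplified assumption.

```python
# Added example (not Buddy's code): per-source alignment from an aggregate report.
# Reports come from third parties; for untrusted XML prefer a hardened parser (e.g. defusedxml).
import xml.etree.ElementTree as ET

# Constructed report; element names follow the RFC 7489 aggregate format.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>pass</result></spf>
  <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.28</source_ip><count>15</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>mail28.atl71.mcdlv.net</domain><result>pass</result></spf>
  <dkim><domain>example.com</domain><selector>k2</selector><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.7</source_ip><count>3</count></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified: same domain or a parent/child of it.
    Real evaluators compare organizational domains via the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def passes_aligned(rec, kind, from_dom):
    """True if any <spf> or <dkim> auth result passed for an aligned domain."""
    return any(r.findtext("result") == "pass" and aligned(r.findtext("domain", ""), from_dom)
               for r in rec.iterfind(f"auth_results/{kind}"))

def evaluate(report_xml):
    """Return one dict per <record> with the alignment outcome for that source."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        from_dom = rec.findtext("identifiers/header_from", "")
        spf = passes_aligned(rec, "spf", from_dom)
        dkim = passes_aligned(rec, "dkim", from_dom)
        rows.append({"source_ip": rec.findtext("row/source_ip", ""),
                     "count": int(rec.findtext("row/count", "0")),
                     "spf_aligned": spf, "dkim_aligned": dkim,
                     "dmarc_pass": spf or dkim})  # one aligned pass is enough
    return rows

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REPORT):
        print(row)
```

The second record is the Mailchimp-style case: SPF passes for the bounce domain but is not aligned, so DMARC passes only because the DKIM signature domain matches the From domain.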
Last modified on Sep 12, 2025