Is your DMARC policy strict enough to actually block spoofed email from your domain?
Checks that your DMARC DNS policy is set to quarantine or reject, not merely monitoring.
What this signal tests
DMARC is a small public record attached to your domain name in DNS at the location _dmarc.yourdomain.com. It tells receiving email servers what to do with messages that claim to come from your domain but fail SPF or DKIM authentication. We confirm that your DMARC policy exists and is set to either p=quarantine (with pct=100) or p=reject. A policy of p=none is treated as a fail because it only monitors abuse rather than stopping it.
Why it matters for your visibility in AI
An enforcing DMARC policy is the single clearest signal that your domain is actively defended against impersonation. Gmail, Apple, and Yahoo all require enforced DMARC for high-volume senders and increasingly favour it for smaller ones. BIMI, the standard that displays your brand logo next to your emails in supported inboxes, is only available once DMARC reaches enforcement. The reputation databases that feed these inbox filters also feed AI retrieval and brand-trust scoring. The consequence of staying at p=none is that AI systems treat your domain as unverified or possibly impersonated. They may still cite you, but you are not collecting the visible trust uplift that enforcing senders enjoy. Worse, attackers know which domains run permissive DMARC and target them with phishing campaigns precisely because the lack of enforcement makes those campaigns more deliverable.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| | p=reject OR (p=quarantine AND pct=100). |
How we test it
We query DNS for the TXT record at _dmarc.yourdomain.com. We parse the record to find the v=DMARC1 prefix, then read the p= directive and any pct= value. We treat p=reject as a pass and p=quarantine with pct=100 as a pass. Any other value, including p=none, p=quarantine with a low percentage, or a missing record, is treated as a fail. The check is a single DNS lookup.
Technical detection method
DNS TXT at _dmarc.{domain}; parse v=DMARC1; read p= and pct=.
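The parsing and pass/fail decision described above can be written out as follows. This is an added example, not the scanner's own code: the function names are hypothetical, the DNS lookup is replaced by constructed TXT strings, and two behaviours are assumptions (an absent pct= counts as 100, and more than one DMARC record is a fail).

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # v=DMARC1 must be the first tag (RFC 7489); other TXT strings are skipped.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def is_enforcing(txt_records):
    """Apply the page's pass criteria to the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return False, "no DMARC record"
    if len(records) > 1:
        # Assumption: fail, since RFC 7489 receivers apply no policy in this case.
        return False, "multiple DMARC records"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return True, "p=reject"
    try:
        # Assumption: an absent pct= counts as 100, the RFC 7489 default.
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False, "invalid pct"
    if policy == "quarantine" and pct == 100:
        return True, "p=quarantine pct=100"
    return False, f"p={policy or 'missing'} pct={pct}"


# Constructed sample answers for a TXT query at _dmarc.example.com.
SAMPLES = {
    "monitor only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "partial": ["v=DMARC1; p=quarantine; pct=25"],
    "quarantine": ["v=DMARC1; p=quarantine; pct=100"],
    "reject": ["unrelated=txt-value", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "missing": [],
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(label, is_enforcing(txt))
```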
If your site fails: how to fix it
- If you do not yet have any DMARC record, do not jump straight to p=reject. Start by publishing v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com at _dmarc.yourdomain.com so you can collect aggregate reports without blocking any mail.
- Read the rua reports for two to four weeks using a tool like Dmarcian, Postmark, Valimail, or Easydmarc. Identify every legitimate sender and confirm SPF and DKIM align for each.
- Once reports are clean, raise the policy to p=quarantine with pct=100, which will start sending unaligned mail to spam. Watch reports for another week to catch any newly broken sender.
- Once you are confident, change p=quarantine to p=reject, which causes receivers to drop unauthenticated mail entirely. Keep the rua= report address so you continue to see attack attempts.
- Coordinate with your domain registrar's DNS console and any third-party email sender (Mailchimp, Resend, your CRM) to keep SPF includes and DKIM keys in sync. A missed sender is the most common cause of a DMARC rollback.
- Re-run the AI Ready Test scan after each change to confirm the policy is being read as enforcing.
Quick facts
| Maturity | ESTABLISHED |
|---|---|
| Weight | high |
| Category | Trust & Provenance |
Frequently asked questions
Will I need IT help to fix this?
For the DNS edit itself, usually no. For the staged rollout, you may want help interpreting the aggregate reports. Several free and paid services parse the reports into readable dashboards, which removes most of the need for in-house expertise.
What if my email is hosted by Google Workspace or Microsoft 365 - is this already done for me?
No. Both providers support DMARC fully but do not publish your DMARC record for you. You must add the TXT record to your DNS yourself. They will, however, sign outbound mail with DKIM and align SPF correctly once you configure those, which makes reaching enforcement much easier.
Will moving to p=reject block legitimate mail?
Only if you skip the staged rollout. With p=none first, then p=quarantine, then p=reject, you have several weeks of visibility into every sender before any mail is blocked. Almost every reported DMARC outage traces back to skipping the report-review step.
How long until the change propagates?
DNS publication takes minutes. Receiving servers pick up the new policy on their next lookup, which is typically within the hour. The longer timeline is the rollout itself - plan four to eight weeks from p=none to p=reject for a domain with several senders.