The major mailbox providers now require bulk senders to authenticate their mail with SPF, DKIM, and DMARC. If you send marketing or transactional email to Gmail, Outlook/Microsoft, or Yahoo recipients, you need a published DMARC record on your sending domain or your messages will be rejected or filtered. This article explains what DMARC is, what the current requirements are, and how to add a DMARC record to your domain.
About DMARC and why providers require it
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard that builds on SPF and DKIM. It tells receiving mail servers how to handle messages that claim to come from your domain but fail authentication, and it gives you a way to receive reports on attempted abuse.
Mailbox providers use DMARC to fight spoofing, phishing, and spam. Sending from a domain with DMARC in place improves your inbox placement because it signals that you follow established email standards.
Current enforcement at a glance
| Provider | Enforcement date | Applies to |
|---|---|---|
| Google (Gmail) | February 2024 | Bulk senders, 5,000+ messages/day to Gmail. |
| Yahoo | February 2024 | Bulk senders to Yahoo addresses. |
| Microsoft (Outlook/Hotmail) | May 5, 2025 | Bulk senders, 5,000+ messages/day to Microsoft addresses. |
Note: Even if you do not currently meet a bulk threshold, you should still publish SPF, DKIM, and DMARC. Authenticated mail consistently lands in the inbox more often, and the providers expect this baseline for all senders.
What you need to pass DMARC
For your messages to pass DMARC, all three of the following must be true:
- Your messages pass SPF. The Return-Path domain, also called the bounce domain, envelope-from, or MailFrom, must match a domain whose SPF record authorizes the sending server.
- Your messages pass DKIM. The message is signed by a key matching the domain's DKIM record.
- A DMARC TXT record is published for your domain. At minimum a policy of p=none is required to start.
Required DNS records
DMARC record
| Field | Value |
|---|---|
| Host / subdomain | _dmarc |
| Minimum record | v=DMARC1; p=none; |
| Recommended record (with reporting) | v=DMARC1; p=none; rua=mailto:username@example.tld; ruf=mailto:username@example.tld; fo=1; |
SPF record (Hosted Email)
| Field | Value |
|---|---|
| Host / subdomain | Root domain, often @ |
| Record | v=spf1 include:_spf.exacthosting.com ~all |
Note: You also need a DKIM record for your domain. The DKIM selector and value are generated for you; contact Exact Hosting Support if you need help generating or testing DKIM.
Understanding the DMARC tags
| Tag | Example value | What it does |
|---|---|---|
| v | DMARC1 | The DMARC version. Always DMARC1. An incorrect tag causes the entire record to be ignored. |
| p | none | The policy applied to messages that fail DMARC. Valid values: none, quarantine, or reject. Start with none to collect data without affecting delivery. |
| rua | mailto:dmarc-reports@example.tld | The address to send aggregate XML reports to. These reports show who is sending mail as your domain. |
| ruf | mailto:dmarc-reports@example.tld | The address to send forensic, per-failure reports to. |
| fo | 1 | Reporting options. 1 generates a report whenever any underlying check, SPF or DKIM, fails. |
Tip: Start with p=none and review the aggregate reports for at least a few weeks before tightening the policy to p=quarantine or p=reject. This lets you find any legitimate senders you missed before they start getting blocked.
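The tag rules above can be checked mechanically before you publish a record. This Python linter is an added example, not Exact Hosting tooling. The function names `parse_dmarc` and `lint_dmarc` are hypothetical, and the accepted `fo` values (0, 1, d, s) come from the DMARC specification rather than from this article.

```python
# Added example: lint a DMARC TXT value against the tag rules in the table above.
# Function names are hypothetical; fo values 0/1/d/s are taken from the DMARC spec.
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_FO = {"0", "1", "d", "s"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        tag, sep, value = part.partition("=")
        pairs.append((tag.strip().lower(), value.strip() if sep else None))
    return pairs

def lint_dmarc(record):
    """Return a list of problems; an empty list means no problem was found."""
    pairs = parse_dmarc(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        # A wrong or misplaced version tag makes receivers ignore the whole record.
        return ["v=DMARC1 must be the first tag; record will be ignored"]
    problems = []
    tags = dict(pairs)
    if len(tags) != len(pairs):
        problems.append("duplicate tag")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing p= policy")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"invalid policy p={policy}")
    for tag in ("rua", "ruf"):
        # Each reporting tag may hold a comma-separated list of mailto: URIs.
        for uri in filter(None, (u.strip() for u in (tags.get(tag) or "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} target is not a mailto: address: {uri}")
    for opt in (tags.get("fo") or "").split(":"):
        if opt and opt.lower() not in VALID_FO:
            problems.append(f"invalid fo option: {opt}")
    return problems
```
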
Step 1: Open DNS Management for your domain
- Sign in to the Exact Hosting portal.
- Click Domains.
- Click Active next to the domain you want to update.
- Under Manage, choose DNS Management.
Step 2: Add the DMARC and SPF records
Add both records to the zone. Replace username@example.tld with the address where you want DMARC reports delivered.
| Host name | Record value |
|---|---|
| _dmarc | v=DMARC1; p=none; rua=mailto:username@example.tld; ruf=mailto:username@example.tld; fo=1; |
| Root domain (@) | v=spf1 include:_spf.exacthosting.com ~all |
Click Save changes to publish.
Note: DNS changes can take up to 24 hours to propagate. You can verify the published record with the Dmarcian DMARC Inspector.
Step 3: Review reports and tighten your policy
Once aggregate reports are arriving at the address you configured, review them regularly. Look for any legitimate senders that are failing SPF or DKIM and fix them. When you are confident every legitimate sender passes, tighten the policy:
- p=quarantine sends failing messages to the spam folder.
- p=reject blocks failing messages outright. This is the strongest protection.
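One way to pull the failing senders out of an aggregate report before tightening the policy, as an added example rather than Exact Hosting tooling. The sample report is constructed, the function names are hypothetical, and the report is assumed to be already decompressed XML in the standard aggregate format.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (documentation IP ranges, not real data).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.tld</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
</feedback>"""

def failing_sources(report_xml):
    """Return {source_ip: {"messages", "spf_fail", "dkim_fail"}} for failing senders."""
    if "<!DOCTYPE" in report_xml.upper():
        # Reports arrive from third parties; a DTD has no place in them.
        raise ValueError("refusing report with a DOCTYPE declaration")
    totals = defaultdict(lambda: {"messages": 0, "spf_fail": 0, "dkim_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "unknown")
        count = int(row.findtext("count", "0"))
        totals[ip]["messages"] += count
        # policy_evaluated carries the receiver's SPF and DKIM verdicts for DMARC.
        for check in ("spf", "dkim"):
            if row.findtext(f"policy_evaluated/{check}") != "pass":
                totals[ip][f"{check}_fail"] += count
    return {ip: t for ip, t in totals.items() if t["spf_fail"] or t["dkim_fail"]}

def triage_order(report_xml):
    """Failing source IPs, highest message volume first (hypothetical helper)."""
    failing = failing_sources(report_xml)
    return sorted(failing, key=lambda ip: failing[ip]["messages"], reverse=True)
```

A source that fails only DKIM, like 198.51.100.7 in the sample, is typically a legitimate service that still needs a signing key set up; a source that fails both checks deserves a closer look before you decide whether it is yours.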
Further reading
- Yahoo: An Update on Enforcing Email Standards
- Google: New Gmail protections for a safer, less spammy inbox
- Microsoft: Strengthening the email ecosystem: Outlook's new requirements for high-volume senders
- Dmarcian: Understanding Gmail and Yahoo DMARC Requirements
- DMARC Record Checker
Next steps
- Verify your SPF record. See Setting Up SPF Records for Exact Hosting Email.
- Improve your inbox placement. See Exact Hosting Email Deliverability Best Practices.
- Reduce content-based spam scores. See Reducing Spam Scores When Sending Email.
Questions? Contact Exact Hosting Support.