What is DMARC and why does it matter?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS policy that tells receiving mail servers what to do when an email fails SPF or DKIM checks. A policy of p=reject instructs receivers to block unauthenticated email claiming to come from your domain, protecting against spoofing and phishing. Without DMARC, anyone can send email that appears to originate from your domain.
What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is on the approved list. Ending your record with -all (hardfail) tells receivers to reject mail from any server not explicitly listed.
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. Your mail server signs each message with a private key, and the corresponding public key is published in your DNS as a TXT record. Receiving servers retrieve that public key to verify the signature, confirming the message was not altered in transit and genuinely originated from your domain.
What are MX records?
MX (Mail Exchanger) records are DNS records that specify which mail servers accept incoming email for your domain. Each MX record has a priority value — lower numbers have higher priority. When someone sends you an email, their mail server queries your MX records to find where to deliver the message. Missing or misconfigured MX records will cause inbound email to bounce.
What does p=none mean in a DMARC record?
p=none is a monitoring-only DMARC policy. Emails that fail DMARC checks are still delivered as normal — nothing is blocked or quarantined. It is useful when first deploying DMARC to review aggregate reports before enforcing a stricter policy. However, p=none provides no protection against email spoofing and should be upgraded to p=quarantine or p=reject once you have confirmed all legitimate senders are passing.
What is the difference between ~all and -all in SPF?
Both ~all and -all apply to sending servers not listed in your SPF record. ~all (softfail) asks receiving servers to accept the message but mark it as suspicious, while -all (hardfail) instructs them to reject it outright. -all is recommended once you have identified all your legitimate sending sources, as it provides the strongest protection against spoofing. Many providers including Google use ~all during a gradual rollout phase.
What is BIMI and how does it work?
BIMI (Brand Indicators for Message Identification) is a DNS standard that lets organizations display their brand logo next to authenticated emails in supporting clients like Gmail and Apple Mail. A BIMI record is published at default._bimi.<domain> and contains a URI pointing to an SVG logo file. To qualify, the domain must have a DMARC policy of p=quarantine or p=reject. For display in Gmail and Apple Mail, a Verified Mark Certificate (VMC) issued by an approved authority is also required. BIMI helps recipients visually identify legitimate email and is a strong trust signal for your domain.
How many DNS lookups does an SPF record allow?
RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include:, a:, mx:, ptr:, and exists: mechanism counts as one lookup. Exceeding this limit causes a permanent error (permerror), which some receivers treat as a fail. If your SPF record has many include: statements from multiple sending services, you may need to flatten the record by replacing includes with their resolved IP ranges.
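As an added example (not part of this FAQ), the Python below walks an SPF record the way a receiver does and counts the lookups it costs, following include: and redirect= targets recursively; it goes one step beyond the list above by also charging the redirect= modifier, which RFC 7208 counts the same way. The FAKE_DNS table is a constructed stand-in for live DNS answers using reserved example names, and it contains a flattened record and an include loop so the permerror paths can be seen.

```python
import re
# Constructed TXT records standing in for live DNS answers (reserved example
# names and RFC 5737 documentation address ranges; none of this is real data).
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example a mx -all",
    "_spf.mailer.example": "v=spf1 include:_netblocks.mailer.example ip4:192.0.2.0/24 ~all",
    "_netblocks.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 redirect=_spf2.crm.example",
    "_spf2.crm.example": "v=spf1 exists:%{i}.chk.crm.example ptr -all",
    "bloated.example": "v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                       "include:_spf.crm.example a mx ptr -all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",   # flattened
    "loop.example": "v=spf1 include:loop.example -all",
}
MAX_LOOKUPS = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists"}   # plus include: and redirect=

def count_spf_lookups(domain, resolver=FAKE_DNS, _path=()):
    """Number of DNS lookups needed to evaluate `domain`'s SPF record, following
    include:/redirect= targets recursively. ip4:, ip6: and all cost nothing.
    Raises ValueError on a missing record or an include/redirect loop."""
    if domain in _path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = resolver.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record published for {domain}")
    total = 0
    for term in record.split()[1:]:                # skip the v=spf1 version tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S*))?", term, re.I)
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name in ("include", "redirect"):        # one lookup plus the target's own
            total += 1 + count_spf_lookups(target, resolver, _path + (domain,))
        elif name in LOOKUP_MECHANISMS:
            total += 1
    return total

def spf_lookup_status(domain, resolver=FAKE_DNS):
    """Classify a record the way a receiver would: ("ok", count) or ("permerror", reason)."""
    try:
        n = count_spf_lookups(domain, resolver)
    except ValueError as exc:
        return ("permerror", str(exc))
    if n > MAX_LOOKUPS:
        return ("permerror", f"{n} lookups exceed the limit of {MAX_LOOKUPS}")
    return ("ok", n)

if __name__ == "__main__":
    print({d: spf_lookup_status(d) for d in FAKE_DNS})
```

To audit a real domain, replace the FAKE_DNS dict with a resolver that fetches the TXT record for each name.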