Infrastructure guide
DMARC for cold email
DMARC policies from none to reject, alignment, rua reports, and the Gmail and Yahoo requirement that made DMARC mandatory for bulk senders.
On this page
DMARC is the policy layer on top of SPF and DKIM. Those two records authenticate mail; DMARC tells receivers what to do when authentication fails, and it is the record Gmail and Yahoo now require from every bulk sender. A cold email domain without DMARC is not a borderline case anymore. It fails a hard requirement. This guide covers the record, the three policies, alignment, and reporting. For the short version with launch-day context, see the original post on DMARC for cold email.
What DMARC is
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a TXT record published at _dmarc.yourdomain.com:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
It does two jobs. First, it publishes a policy (p=) telling receivers how to treat mail that fails both SPF and DKIM alignment. Second, it asks receivers to send you aggregate reports (rua=) about who is sending mail as your domain and whether it authenticates.
DMARC passes when at least one of SPF or DKIM passes and aligns with the visible From domain. Alignment is the part people miss.
Why it matters for a cold email launch
- Gmail and Yahoo require it. Since February 2024, senders of 5,000 or more messages a day to Gmail must publish DMARC with at least
p=none. Yahoo enforces the same. In practice the requirement is applied loosely by volume, so treat it as the floor for any outbound domain. Full details in the bulk sender requirements guide. - No DMARC means no spoofing protection. Anyone can put your client’s domain in a From header. Without a policy, receivers have nothing to enforce.
- A missing record is visible to the prospect’s mail server on the first message. There is no warmup period for DNS. The record is either there at launch or it is not.
The three policies
The p= tag takes one of three values:
p=none: monitor only. Failing mail is delivered normally, but you get reports. The correct starting point for every domain, and the minimum for the Gmail and Yahoo requirement.p=quarantine: failing mail goes to spam. Addpct=to phase it in, for examplepct=25applies the policy to a quarter of failing mail.p=reject: failing mail is refused outright. The end state for a domain whose senders are fully authenticated.
The safe path: start at p=none, read reports for 2 to 4 weeks, fix any legitimate source that fails, then move to quarantine and eventually reject. Jumping straight to reject on a domain with a misconfigured DKIM selector sends your own campaign to the void.
A sensible record for a new cold email domain:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r
And for a mature domain with verified authentication:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Alignment
DMARC does not just ask whether SPF or DKIM passed. It asks whether the domain that passed matches the From domain your recipient sees.
- SPF alignment: the return-path domain must match the From domain.
- DKIM alignment: the
d=domain in the signature must match the From domain.
Relaxed alignment (adkim=r, aspf=r, the default) allows subdomain matches: mail.yourdomain.com aligns with yourdomain.com. Strict (s) requires an exact match. Relaxed is fine for cold email.
This is why sending-platform defaults can bite. If the platform signs DKIM with its own domain and uses its own return-path, both mechanisms pass but neither aligns, and DMARC fails. The fix is configuring your own domain for DKIM in the platform, covered in the DKIM guide.
rua reports
The rua= tag names a mailbox for aggregate reports. Receivers send XML summaries, usually daily, listing every source that sent mail as your domain and the SPF, DKIM, and DMARC results.
- The reports are XML and unpleasant to read raw. Any DMARC report viewer, including free ones, turns them into a source table.
- Point
ruaat a mailbox you actually control. Reports to a dead address are the same as no reports. - You can receive reports at a different domain, but the receiving domain must publish an authorization record to accept them.
For a cold email operation the reports answer one question: is every legitimate sender aligned and passing? Once yes holds for a few weeks, tighten the policy.
Common mistakes
- No record at all. Still the most common state on fresh sending domains. Publish
p=nonebefore the first send. - Record on the wrong host. It must live at
_dmarc.yourdomain.com, not the root. - Two DMARC records. Like SPF, more than one record invalidates the policy.
p=rejecton day one. Enforcement before verification punishes your own misconfigurations first.sp=forgotten. Subdomains inherit the root policy unlesssp=overrides it. If outbound runs on subdomains, know which policy applies to them.- Reports pointed at a mailbox nobody reads. The record satisfies checkers, but you lose the only feedback loop DMARC gives you.
FAQ
Is p=none compliant with the Gmail and Yahoo rules?
Yes. p=none satisfies the published requirement. Enforcement policies are better for spoofing protection but are not required.
Does DMARC apply to cold email domains that only send small volumes? Formally the Gmail rule targets 5,000 or more messages a day. Practically, receivers score authenticated domains better at every volume, and OutboundQA treats a missing DMARC record as Needs Fix.
How fast does a new DMARC record take effect? It is read live at delivery time, so as soon as DNS propagates. Aggregate reports start arriving within a day or two.
SPF and DKIM both pass. Can DMARC still fail? Yes, if neither passing domain aligns with the From domain. Alignment is the whole point of DMARC.
DMARC is one of 16 checks OutboundQA runs before a launch. Read a domain’s policy in plain English with the DMARC checker, or verify SPF, DKIM, and DMARC together with the auth checker.
Check it now
Run the pre-flight check on your next outbound launch
Upload the domains and inboxes, get a verdict and the exact fixes, and a report you can share.