Cold email glossary

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that tells receiving servers how to handle messages that fail authentication, meaning neither SPF nor DKIM passes with a domain aligned to the From address. It also sends the domain owner reports showing who is sending mail using its domain.

What is DMARC?

DMARC builds on SPF and DKIM by adding the one check neither performs alone: alignment. A message passes DMARC only if the domain in the visible From header matches the domain that passed SPF (the envelope sender) or the domain that signed it with DKIM (the d= tag). This is what connects authentication to the address a human actually sees, which is why DMARC is the standard defense against spoofing of your domain.

The policy lives in a TXT record at _dmarc.yourdomain.com. Its p= tag tells receivers what to do with failing mail: p=none asks them to deliver normally but report, p=quarantine asks them to send it to spam, and p=reject asks them to refuse it. A pct tag can apply quarantine or reject to only a fraction of failing mail during rollout, and an sp tag sets a separate policy for subdomains.

The reporting half is what makes DMARC operationally useful. The rua tag names an address that receives aggregate reports from mailbox providers, showing every source sending as your domain and whether each passed authentication. Domain owners typically start at p=none, use the reports to find legitimate services that need SPF or DKIM fixed, then step up to quarantine and finally reject.

DMARC has also moved from best practice to requirement. Google and Yahoo's published bulk sender guidance requires senders of roughly 5,000 or more messages a day to their users to publish a DMARC record (at minimum p=none) with an aligned From domain, alongside one-click unsubscribe and a spam complaint rate kept under their 0.3% threshold. An enforcing policy of quarantine or reject is also a prerequisite for BIMI, the standard that displays a verified logo next to your messages.
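
The alignment check and the p, sp and pct tags described in this section, as an added example that is not code from this page or from Sendful. It assumes exact-match domain comparison (relaxed alignment, which compares organizational domains using the Public Suffix List, is not modelled); the record, domains and function names are constructed for illustration.

```python
import random

POLICIES = ("none", "quarantine", "reject")  # ordered from least to most strict

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        return None
    return tags

def aligned(from_domain, auth_domain):
    """Exact-match comparison (assumption: relaxed alignment is not modelled)."""
    return auth_domain is not None and from_domain.lower() == auth_domain.lower()

def disposition(tags, record_domain, from_domain, spf_domain=None, dkim_domain=None, roll=None):
    """Return (dmarc_result, action) for one message.

    spf_domain:  envelope-sender domain that passed SPF, or None if SPF failed.
    dkim_domain: d= domain of a DKIM signature that verified, or None.
    roll:        0-99 sample compared against pct; random when omitted.
    """
    if aligned(from_domain, spf_domain) or aligned(from_domain, dkim_domain):
        return "pass", "deliver"
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower():
        policy = tags.get("sp", policy)  # From is a subdomain of the record's domain
    pct = int(tags.get("pct", 100))
    roll = random.randrange(100) if roll is None else roll
    if roll >= pct and policy != "none":
        # Outside the pct sample: the next less strict policy applies (RFC 7489).
        policy = POLICIES[POLICIES.index(policy) - 1]
    action = {"none": "deliver", "quarantine": "spam", "reject": "refuse"}[policy]
    return "fail", action

# Constructed sample record, as it would appear in TXT at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; sp=quarantine; pct=25; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    tags = parse_dmarc(RECORD)
    # SPF and DKIM both passed, but for a different domain than the visible From.
    print(disposition(tags, "example.com", "example.com",
                      spf_domain="bounce.mailer.example.net",
                      dkim_domain="mailer.example.net", roll=0))
```

The sample message passes SPF and DKIM for the sending service's own domain and still fails DMARC, which is the case a missing aligned DKIM signature produces in aggregate reports.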

Why it matters in cold email

For cold email, DMARC matters twice. On your sending domains, a published record with proper alignment is part of looking like a legitimate, accountable sender to Gmail and Outlook, and for higher volumes it is simply required. On your primary company domain, an enforcing DMARC policy protects the brand itself: without one, anyone can put your domain in a From header, and a phishing campaign wearing your name damages trust you need for everything else.

How Sendful handles it

Sendful publishes DMARC records, with SPF and DKIM aligned behind them, on every dedicated sending domain it provisions for a client, and monitors that authentication keeps passing for the life of the engagement. Because outreach never runs from your primary domain, your company's own DMARC posture stays untouched by campaign activity.

FAQ

DMARC questions


Is DMARC required to send cold email?

If you send at volume to Gmail or Yahoo addresses, effectively yes: their bulk sender guidance requires a DMARC record at minimum p=none with an aligned From domain for senders of around 5,000 messages a day or more. Below that, it is still strongly advisable, since providers treat a published DMARC record as a baseline signal of a legitimate sender.

What DMARC policy should I use?

Start at p=none and collect aggregate reports for a few weeks to confirm every legitimate source passes SPF or DKIM with alignment. Then move to p=quarantine, often with a pct rollout, and finally p=reject once the reports are clean. Jumping straight to reject risks blocking real mail from a service you forgot was sending as your domain.

What is DMARC alignment?

Alignment means the domain in the visible From header matches the domain that actually passed authentication: the envelope sender domain for SPF, or the d= domain in the DKIM signature. A message can pass SPF and DKIM for some other domain and still fail DMARC if neither passing domain matches the From address the recipient sees.
