If you send more than a handful of marketing or transactional emails, you almost certainly need DMARC, and for many senders it's now a hard requirement. Since February 2024, Google and Yahoo require a DMARC record from anyone sending more than 5,000 messages a day to their users. Beyond that rule, DMARC is the only standard that protects the domain your recipients actually see from being spoofed.
Who is required to have DMARC?
The clearest line is the Google and Yahoo bulk sender rules that took effect in February 2024. If you send more than 5,000 messages a day to Gmail or Yahoo addresses, you must:
- Authenticate with both SPF and DKIM.
- Publish a DMARC record (a policy of
p=nonesatisfies the baseline requirement). - Keep spam complaint rates low and honor one-click unsubscribe.
That 5,000-a-day threshold is measured against Gmail and Yahoo recipients specifically, and plenty of senders cross it without realizing, especially around campaigns. If there's any chance you're close, treat DMARC as required rather than optional. Our breakdown of the Google and Yahoo requirements goes deeper on the full checklist.
What if I send less than that?
You're not required to publish DMARC, but it's still a good idea, for two reasons.
The first is protection. Any domain a customer recognizes is a spoofing target, and volume has nothing to do with it. A small company can have its domain forged in a phishing run just as easily as a large one, sometimes more easily, because nobody's watching the reports. DMARC is what lets you shut that down.
The second is visibility. Even in monitor mode, DMARC reports show you every service sending mail under your name. The reporting is the underrated benefit: most teams find a forgotten tool or a misconfigured sender the first week they look, threshold or no threshold.
Who needs to move past monitor mode?
This is the distinction that matters once you're past "do I have a record at all." Publishing p=none ticks the compliance box and gives you reports, but it doesn't stop a single spoofed message. Enforcement (p=quarantine or p=reject) is what actually protects people.
You should ramp to enforcement if any of these describe you:
- You send transactional mail customers act on, like receipts, password resets, and account alerts. These are prime phishing bait.
- You're in a trust-sensitive industry such as finance, healthcare, or e-commerce.
- Your brand is well-known enough that someone would bother impersonating it.
- You've already seen spoofing or phishing using your domain.
If you're a low-volume internal domain that sends almost nothing, monitor mode may be a reasonable resting place. For most real senders, though, p=none is only a starting point, and reject is the goal. What is a DMARC policy explains how to ramp there safely.
How much work is it, really?
Less than you'd expect, especially if SPF and DKIM are already in place. DMARC itself is one DNS record, and you start in monitor mode where it can't break anything. The ongoing effort is reading reports during the rollout, then occasional checks once you're enforcing. How to set up DMARC is the step-by-step, and what is DMARC covers the concept if you're still getting oriented.
If you send through Bird, DKIM and SPF alignment come from your sending-domain records, so the lift is mostly the DMARC record and watching what comes back. The authentication guide has the specifics for your domain.
So, do you need DMARC? If you send bulk mail to the big providers, it's required. If you send anything a scammer would want to impersonate, it's worth doing well. The only senders who can comfortably skip it are the ones nobody would bother forging, and that's a smaller group than it sounds.