What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that helps domain owners stop attackers from sending email that pretends to come from them.

How DMARC works with SPF and DKIM

DMARC builds on two existing mechanisms: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). When a receiving mail server gets a message from your domain, it uses SPF and DKIM to check whether the message is authorized and whether it was modified in transit. DMARC adds policy and reporting on top of those checks.

  • SPF answers: “Which servers are allowed to send as this domain?”
  • DKIM answers: “Did this message come from an authorized system and stay intact?”
  • DMARC answers: “Do SPF and/or DKIM pass, and if not, what should the receiver do?”

Why DMARC matters

Without DMARC, attackers can send messages that look like they are from your organization, even if you have SPF and DKIM set up. DMARC tells mailbox providers how to handle unauthenticated mail and gives you visibility into how your domains are used.

  • Reduce phishing and spoofing that abuse your name.
  • Improve the odds that legitimate email lands in the inbox instead of spam.
  • Demonstrate a strong security posture to customers, partners and regulators.

DMARC policies in plain language

DMARC policies are usually published in your DNS as p=none, p=quarantine or p=reject.

p=none

Monitor only. Mail is delivered, but providers send reports showing what would have been blocked.

p=quarantine

Suspicious mail can be sent to the spam folder. Useful once most traffic is properly authenticated.

p=reject

Strict enforcement. Messages that fail DMARC can be rejected outright to stop spoofing.

DMARCsimple helps you move through these stages safely by showing how much of your traffic passes authentication and providing practical steps to fix gaps before you tighten enforcement.
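
The three policies described above, as an added example (not DMARCsimple's code): a strict check of a published DMARC record and the handling it requests for one message. The records for example.com are constructed, the function names are hypothetical, and the sketch assumes the caller already knows whether SPF and DKIM passed for the domain shown in the From header.

```python
# Added example: lint a DMARC TXT record and map SPF/DKIM results to the
# handling the domain owner requests. Receivers may still apply local policy.
VALID_POLICIES = {"none", "quarantine", "reject"}

REQUESTED = {
    "none": "deliver (reported only)",
    "quarantine": "spam folder",
    "reject": "reject",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; raise ValueError if unusable."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = name.strip().lower(), value.strip()
        # The version tag must come first and match exactly.
        if i == 0 and (name != "v" or value != "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags.setdefault(name, value)  # keep the first occurrence of a tag
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Strict lint choice: a missing or misspelled policy is an error here.
        raise ValueError("missing or unknown p= policy")
    tags["p"] = policy
    return tags

def disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """DMARC passes if either check passes for the From domain."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    return REQUESTED[record["p"]]

if __name__ == "__main__":
    # Constructed records showing the usual rollout order.
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine",
                "v=DMARC1; p=reject"):
        rec = parse_dmarc(txt)
        print(rec["p"], "->", disposition(rec, False, False))
```

A message that fails both checks is still delivered under p=none, which is why that stage is safe for monitoring before enforcement is tightened.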