
What is DMARC and how does it work | Dmarclytics

Tips and Tricks

Feb 11, 2026

Learn what DMARC is and how it stops phishing using SPF and DKIM. Our 2026 beginner's guide covers DMARC policies, implementation, and getting to reject safely.


DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It was introduced in 2012 to tackle one of the biggest headaches in email security: domain spoofing and phishing. In simple terms, DMARC gives you visibility and control over who's sending emails from your domain, and it works by checking two existing email authentication methods—SPF and DKIM.

Understanding SPF and DKIM

Before diving into DMARC, you need to know what SPF and DKIM actually do.

SPF (Sender Policy Framework) is essentially a list of IP addresses you've approved to send emails on behalf of your domain. When an email arrives claiming to be from you, receiving servers check whether it came from one of those approved IPs.

DKIM (DomainKeys Identified Mail) works differently. It adds a digital signature to every email you send. The receiving server then checks this signature against a public key stored in your DNS records to verify the email hasn't been tampered with and genuinely came from your domain.

How DMARC Actually Works

DMARC ties SPF and DKIM together and adds an extra layer: alignment. This means the domain in the "From" address your recipients see must match the domain that passed SPF or DKIM checks.

Here's a typical DMARC record you'd publish in your DNS:
v=DMARC1; p=none; rua=mailto:dmarc-aggregate@dmarclytics.io; ruf=mailto:dmarc-failures@dmarclytics.io; pct=100

Once this is live, receiving email servers will:

  1. Check if your email passes SPF or DKIM (and whether it aligns with your From domain)

  2. Follow the policy you've set (more on that below)

  3. Send you reports showing which emails passed or failed, and crucially, who's trying to send emails pretending to be you

These reports (sent to the rua and ruf addresses in your record) are gold dust. They show you every service sending on your behalf—the legitimate ones you've authorised and any dodgy sources trying to spoof your domain.

Why Bother with DMARC?

Getting DMARC set up properly gives you four major wins:

  • Full visibility: You'll see every service and system sending emails using your domain, so you can spot unauthorised senders immediately.

  • Tighter control: You decide which services are allowed to send on your behalf, blocking everything else.

  • Protection from phishing: By stopping fraudsters from impersonating your domain, you protect your customers and your brand reputation.

  • Better deliverability: Authenticated emails are trusted by inbox providers like Gmail and Outlook, so your legitimate emails are far less likely to end up in spam.

The Three DMARC Policies

DMARC isn't something you just switch on at full strength—it's a journey. You start soft, gather data, fix any issues, then gradually tighten enforcement. There are three policy levels:

None (p=none)
This is where everyone starts. You're monitoring only—no emails get blocked or quarantined, even if they fail DMARC checks. Use this phase to collect reports and map out all your legitimate email sources without any risk of disrupting mail flow.

Quarantine (p=quarantine)
Once you're confident your legit services are configured correctly with SPF or DKIM, move to quarantine. Now, any email that fails DMARC gets sent to the recipient's spam folder instead of their inbox. This is your testing ground—it lets you catch any remaining issues before going to full enforcement.

Reject (p=reject)
This is the end goal. At reject, any email failing DMARC is blocked outright before it even reaches the recipient's inbox. You should only move here once you've validated everything during quarantine and you're certain all legitimate email flow is properly authenticated.

You can also use the pct tag (e.g., pct=50) to apply your policy to only a percentage of failing emails whilst you're transitioning—handy for rolling out changes gradually and safely.
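The receiver-side decision described under "How DMARC Actually Works" and in the policy levels above, as an added example that is not Dmarclytics code: parse the record, test alignment, then apply p= and pct=. It assumes exact-match alignment only (DMARC's default relaxed mode also accepts domains sharing the same organisational domain); all domains, function names and the "spam-folder" label are constructed for the example.

```python
# Added example: receiver-side DMARC evaluation.
# Assumption: alignment is exact-match (strict mode); domains are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, applying the pct default."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags

def dmarc_pass(header_from, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the
    receiver's checks. DMARC passes if either passed AND matches From."""
    hf = header_from.lower()
    return any(result == "pass" and domain.lower() == hf
               for result, domain in (spf, dkim))

def disposition(record, passed, sample):
    """sample is a 0-99 value the receiver draws per failing message.
    Messages outside the pct share get the next-lower policy (RFC 7489)."""
    if passed:
        return "deliver"
    policy = record["p"]
    if sample >= record["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none",
                  "none": "none"}[policy]
    return {"none": "deliver", "quarantine": "spam-folder",
            "reject": "reject"}[policy]

if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; pct=50; rua=mailto:reports@example.com")
    # SPF passed, but for a different domain than the visible From: not aligned.
    spoof = dmarc_pass("example.com", ("pass", "mailer.example.net"), ("none", ""))
    legit = dmarc_pass("example.com", ("fail", "example.com"), ("pass", "example.com"))
    print(legit, spoof, disposition(rec, spoof, 10), disposition(rec, spoof, 80))
```

The second message shows why alignment matters: an SPF pass for some other domain does nothing for a message whose From header claims yours.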

Getting to Reject (Without Breaking Everything)

Reaching a reject policy is where DMARC delivers maximum protection, but rushing it can block your own legitimate emails. The trick is to take it step by step: start at none, analyse your reports thoroughly, configure SPF and DKIM for every legitimate sender, test at quarantine, then finally move to reject.

With the right tools (hint: platforms that parse those XML reports for you and highlight issues), the whole process becomes far more manageable. You'll protect your domain from phishing and spoofing whilst improving your sender reputation and email deliverability along the way.

DMARC is now mandatory for bulk email senders.
