schedule 9-min read

What Is DMARC? A Beginner’s Guide to Domain Protection

DMARC tells the world’s mailbox providers which mail from your domain is real. Learn what it is, how SPF and DKIM feed into it, and the safe rollout path.

01

Introduction

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. In plain English: it's a TXT record you publish in DNS that tells every mailbox provider on the internet what to do with email that claims to be from your domain but doesn't actually pass authentication.

Without DMARC, anyone can put your domain in the "From" header of an email and the receiving server has no instruction from you on whether to trust it. With DMARC, you get two superpowers at once — visibility into who is sending as you (legitimate vendors, attackers, forgotten old tools) and the ability to tell receivers "reject anything that isn't actually mine."

That's the entire premise. Everything else is mechanics. If you'd like the plain-English-only version with zero acronyms, jump to DMARC explained for non-technical teams.

02

Why this topic matters

In 2024, Google and Yahoo started rejecting bulk mail from senders without DMARC. Microsoft followed suit. Anyone sending more than 5,000 messages a day to their users without DMARC sees deliverability collapse — and "bulk" is defined loosely enough that mid-size B2B senders trip the threshold without realizing it. The combined effect is detailed in the article on why every business domain needs DMARC in 2026.

Outside of deliverability, the business risk is brand-impersonation phishing. The Anti-Phishing Working Group consistently reports that brand-impersonation attacks make up the majority of phishing incidents. The attacker spends $0 to send an email "from" your CEO; you spend an entire incident-response cycle dealing with the fallout. A DMARC record at p=reject makes that specific class of attack — exact-domain spoofing — operationally impossible. The article on does DMARC stop phishing covers the limits as well as the wins.

For MSPs, the implication is direct: every client domain you manage is one DNS record away from being unspoofable, and that DNS record is something the client cannot configure without help. DMARC turns into a recurring service with a clear before/after.

03

How DMARC fits with SPF and DKIM

DMARC doesn't authenticate anything on its own. It's the policy layer sitting on top of two underlying mechanisms:

  • SPF (Sender Policy Framework) — a DNS record listing the IPs that may send for your domain. Receivers compare the connecting IP to the list.
  • DKIM (DomainKeys Identified Mail) — a cryptographic signature added to outbound messages. Receivers verify the signature against a public key in your DNS.

DMARC asks one question: for the domain in the From header, did SPF or DKIM pass AND align with that From domain? If yes, the message is "DMARC pass." If no, the receiver follows your published policy. The interaction is unpacked further in how SPF, DKIM, and DMARC work together.

The "alignment" detail matters. A message can have a valid SPF pass against a Mailchimp envelope-sender and still fail DMARC if the From address says @yourdomain.com — because the SPF pass was for @mailchimp.com, not for you. Alignment is what stops attackers from gaming the system by passing SPF against their own domain while spoofing yours in the visible From header. It's also why SPF alone isn't enough to stop spoofing and DKIM alone isn't enough either.

04

Step-by-step approach to publishing your first DMARC record

A safe rollout has five concrete phases. Skipping any of them is how teams accidentally quarantine their own newsletters. A detailed walkthrough lives in how to create a DMARC record step by step; the short version:

  1. Inventory every sender. List every system that sends mail as your domain: Microsoft 365, Google Workspace, your CRM, your marketing platform, your help-desk, billing, transactional senders, your finance team's invoice tool, that one developer running a cron job. The list is always longer than people expect. How to handle third-party senders during DMARC projects walks through the categorization.
  2. Publish a monitoring-only DMARC record. Add v=DMARC1; p=none; rua=mailto:[email protected] at _dmarc.yourdomain.com. This changes nothing for receivers — they still deliver mail normally — but they now send you XML aggregate reports of every authentication outcome. p=none is monitor mode and only that — it's not protection.
  3. Read the reports for at least 2-4 weeks. A DMARC platform parses the XML into a sender-by-sender view — saving you from reading raw XML by hand.
  4. Fix authentication for every legitimate sender. Add the missing SPF includes (watch out for too many DNS lookups), enable DKIM signing, fix alignment issues. The goal is 100% DMARC pass rate for legitimate mail before you tighten policy.
  5. Move policy up. p=quarantine (failures go to spam) for a few weeks, then p=reject (failures are bounced at the SMTP gate). The safe path from monitoring to enforcement is its own article.

The whole journey is usually 6-12 weeks for a mid-sized organization, faster for a domain with few senders, slower for one with many.

05

Best practices

A few principles separate teams that stick with DMARC from teams that turn it off after a panic:

  • Never go to p=reject based on volume alone. Go to reject when your reports show ~100% pass for known-good senders for several consecutive weeks. Why enforcement matters more than monitoring explains why most domains never finish the journey.
  • Prefer DKIM over SPF for third-party senders. SPF breaks when mail is forwarded; DKIM signatures survive forwarding. Most major platforms now support custom DKIM — use it. See SPF record best practices for the SPF side and DKIM selector explained for the DKIM side.
  • Watch your SPF lookup count. RFC 7208 caps SPF at 10 DNS lookups. Stacking include: records for every SaaS sender silently breaks SPF when you cross the limit. SPF flattening is the usual fix.
  • Use a subdomain policy (sp=) deliberately. By default, subdomains inherit the parent's policy. If you have mail.yourdomain.com for one purpose and notifications.yourdomain.com for another, treat each subdomain as a separate policy decision — see DMARC for subdomains.
  • Treat the reports as a sender inventory. New rows showing up in aggregate reports are how you discover that the marketing team signed up for a new tool last week without telling IT.
06

Run a free DMARC audit on the domain. A good audit produces three artefacts: a snapshot of the current SPF/DKIM/DMARC records, a categorized list of every IP sending as your domain in the last 30 days, and a remediation plan ranked by impact.

For MSPs, the audit doubles as a sales artefact — the client typically didn't know that 40-60% of mail appearing to come from their domain wasn't actually theirs, and the audit makes that visible in a single screenshot. How MSPs should audit client domains and the DMARC sales script for MSPs cover the productized version.

07

FAQ

Do I need DMARC if I don't send much email?

Yes — arguably more than someone who sends a lot. A low-volume domain is an attractive target for spoofing precisely because the legitimate senders are easy to enumerate. Publishing v=DMARC1; p=reject on a domain that never sends mail is one DNS record and one of the cheapest security wins available.

Will DMARC break my newsletter or marketing email?

Not if you've already enabled SPF and DKIM with your provider and you stayed at p=none long enough to confirm pass rates. The risk comes from jumping straight to p=reject while one of your providers is misconfigured. The monitoring phase exists to prevent exactly that. Provider-specific guides cover the common platforms: Mailchimp, HubSpot, Salesforce, SendGrid.

Is DMARC enough on its own?

No. DMARC stops exact-domain spoofing — attackers can no longer put [email protected] in the From header of a phishing email. It does not stop look-alike domains (y0urdomain.com), display-name spoofing ("Your CEO <[email protected]>"), or compromised mailboxes. Those need other controls: brand protection, BIMI for visual verification, MFA, user training. The complete stack is covered in DMARC, BIMI, MTA-STS, and TLS-RPT: the modern email security stack.

What's the difference between p=none, p=quarantine, and p=reject?

p=none is monitor-only — receivers tell you what they saw but deliver everything. p=quarantine asks receivers to put failures in spam. p=reject asks receivers to bounce failures at the SMTP gate. Most domains end at p=reject; very few have a legitimate reason to stay at p=quarantine long-term. Full breakdown in DMARC policy explained.

How do I read the XML aggregate reports?

Don't. They're machine-readable on purpose. A DMARC platform parses them into per-sender breakdowns showing pass rate, volume, alignment status, and source IPs. Reading raw XML is fine for a one-off but unsustainable past a few dozen senders — see how to read DMARC XML reports without losing your mind.

08

Final thoughts

DMARC is one of the rare security controls where the entire deployment lives in DNS, takes a finite amount of work, and produces a definitive end state: at p=reject, no one can ever send an email that exactly impersonates your domain again. There's no ongoing patching, no licensing, no agent on a machine. There is the rollout, and there is the steady-state monitoring for new senders.

The catch is that the rollout has to be done carefully. Skipping the inventory phase is how teams accidentally block their own invoicing system. The monitoring phase isn't optional — it's the part that makes the policy phase safe.

For domains protecting themselves, DMARC pays for itself the first time a phishing wave targeting your customers gets stopped at the receiver. For MSPs offering DMARC as a service, it's a recurring engagement built around a clear, finite, demonstrable outcome.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.

Start free arrow_forward event Book demo mail Contact us