You now know about SPF (authorized senders) and DKIM (message integrity). This week we cover the layer that makes both of them enforceable: DMARC.
This Week’s Lesson
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's a policy you publish in DNS that tells receiving mail servers what to do with a message that fails DMARC (neither SPF nor DKIM produced an aligned pass for the From domain) and where to send reports about what they saw.
The policy is a TXT record at the _dmarc subdomain of your sending domain, for example: _dmarc.yourcompany.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com"
The p= value is the policy, and it has exactly three values: none (monitor only, take no action), quarantine (treat failed messages as suspicious, which in practice means the spam folder), and reject (refuse failed messages outright at SMTP time). There is no "enforce" value; reject is the enforcing policy. An optional pct= tag lets you apply quarantine or reject to only a percentage of failing mail while you roll out.
Most organizations start with p=none to gather data before moving to stricter enforcement. The rua= address receives aggregate reports: XML files (usually gzipped, sent about once a day by each receiving organization) that list, per sending IP address, how many messages claimed your domain in the From header and whether they passed SPF and DKIM with alignment. That is how you find the SaaS tool or forgotten server that sends as your domain before you turn on reject and break it.
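The aggregate reports described above are small enough to triage with a script. As an added example (not code from the original lesson), the following parses a constructed rua report in the RFC 7489 XML shape and pulls out the sending IPs for which neither SPF nor DKIM gave an aligned pass; the domains, IPs and counts in SAMPLE_REPORT are made up for the example.

```python
"""Triage a DMARC aggregate (rua) report: which source IPs fail DMARC for our domain?"""
import xml.etree.ElementTree as ET

# Constructed sample report (hypothetical reporter, domain, IPs and counts),
# following the aggregate-report XML layout from RFC 7489 Appendix C.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourcompany.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourcompany.com</domain><result>pass</result></dkim>
      <spf><domain>yourcompany.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>5</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourcompany.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return the published policy plus one dict per <record> in the report."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    published = root.find("policy_published")
    report = {
        "reporter": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        report["records"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the DMARC view: pass means "passed AND aligned"
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": rec.find("identifiers").findtext("header_from"),
            # auth_results holds the raw SPF/DKIM results, whatever domain they were for
            "dkim_domains": [d.findtext("domain") for d in auth.findall("dkim")] if auth is not None else [],
            "spf_domains": [s.findtext("domain") for s in auth.findall("spf")] if auth is not None else [],
        })
    return report


def dmarc_failures(report):
    """Records where neither SPF nor DKIM gave an aligned pass: a spoofer, or a legitimate sender you have not set up yet."""
    return [r for r in report["records"] if not (r["dkim_aligned"] or r["spf_aligned"])]


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{report['reporter']} report {report['report_id']} for {report['domain']} (p={report['policy']})")
    for r in dmarc_failures(report):
        print(f"  FAIL {r['source_ip']}: {r['count']} msgs, raw SPF for {r['spf_domains']}, disposition={r['disposition']}")
```

Note the second record: the raw SPF result is pass, but for attacker.example, not for the From domain, so the DMARC-evaluated spf is fail. That is the alignment gap the next paragraph describes, visible in your own reports.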
DMARC also introduces the concept of alignment. SPF authenticates the envelope sender domain (MAIL FROM / Return-Path) and DKIM authenticates whatever domain is in the signature's d= tag; neither of them looks at the From header the recipient actually sees. DMARC requires that at least one of those authenticated domains align with the From header domain: exactly, in strict mode (aspf=s / adkim=s), or sharing the same organizational domain in relaxed mode (the default). A message passes DMARC if either SPF or DKIM both passes and aligns; it fails only when neither does. This is the key technical requirement that closes the spoofing loophole.
Without an enforcing DMARC policy (p=quarantine, or better p=reject), attackers can still spoof your domain even if you have perfect SPF and DKIM records: they send from a domain they control, pass SPF and DKIM for that domain, and simply write your domain into the From header. With only SPF and DKIM, the receiver has no rule connecting the authenticated domain to the displayed one. DMARC is what actually blocks them.
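To make the alignment rules concrete, here is an added example (not code from the original lesson) that parses a published DMARC record, rejects the non-existent "p=enforce" value, and evaluates a message the way a receiver does: at least one of SPF or DKIM must pass and align with the From domain, otherwise the p= disposition applies. DMARC_RECORD, the domains and the authentication results are hypothetical; the organizational-domain helper is a deliberate simplification noted in the code.

```python
"""Evaluate DMARC for a message: parse the record, check identifier alignment, return the disposition."""

# Constructed record, assumed to be published at _dmarc.yourcompany.com (hypothetical domain).
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@yourcompany.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, applying DMARC defaults for alignment modes."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    return tags


def organizational_domain(domain):
    """Toy approximation: the last two labels. Real receivers consult the Public Suffix List,
    so this is wrong for names like mail.example.co.uk; it is enough to show relaxed alignment."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record, from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope MAIL FROM domain SPF checked; dkim_domain is the d= of the
    signature that verified. A single aligned pass from either mechanism is enough.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record(DMARC_RECORD)
    # Legitimate bulk mail: bounces go to a subdomain, SPF passes there, relaxed alignment accepts it.
    print(evaluate_dmarc(rec, "yourcompany.com", "bounce.yourcompany.com", "pass", None, "none"))
    # Spoof: attacker passes SPF for their own domain but puts yourcompany.com in From.
    print(evaluate_dmarc(rec, "yourcompany.com", "attacker.example", "pass", None, "none"))
```

The second call is the case the lesson describes: SPF is a clean pass, yet the message is rejected because the passing domain is not yours. Switch adkim to "r" and the strict-mode DKIM test below flips to a pass, which is why relaxed alignment is the usual starting point.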