DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is an email security protocol that builds on SPF and DKIM to give domain owners more control over what happens when a suspicious email is detected. 

It tells receiving mail servers how to handle messages that fail authentication checks, and it provides reports so you can monitor abuse of your domain.

In simple terms: DMARC helps you protect your brand, your customers, and your deliverability.

How it works

DMARC works by checking whether an incoming email passes both SPF and DKIM, and whether the email’s “From” domain aligns with those authentications (called domain alignment).

When a message fails these checks, DMARC applies the policy you’ve defined in your DNS record:

  • none: Take no action, just collect data (useful for monitoring).
  • quarantine: Mark the email as suspicious (send to spam).
  • reject: Block the email entirely.

You’ll also get feedback reports from participating inbox providers, so you can see who is sending email on your domain’s behalf, whether legit or malicious.

Why it matters

  • Prevents domain spoofing and phishing
    DMARC stops attackers from faking your domain and scamming your customers or colleagues.
  • Protects brand reputation
    A DMARC policy helps prevent your company’s name from being used in harmful or fraudulent emails.
  • Improves email deliverability
    Inbox providers trust authenticated domains more, meaning your legit emails are more likely to reach the inbox.
  • Gives visibility and control
    With DMARC reports, you get a clearer picture of your domain’s email traffic and who’s trying to abuse it.

Pro tip: DMARC only works if you’ve already set up SPF and DKIM. It’s the final security layer that brings it all together. Start with a “none” policy to monitor activity, then move to “quarantine” or “reject” once you’re confident.