Email has a design flaw older than most businesses: anyone can put any address in the "From" line. The protocol that moves mail around the internet doesn't verify the sender by default — the same way a paper envelope doesn't verify the return address written on it.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the published policy that closes that gap for your domain. It's a small text record in your domain's public DNS that tells every receiving mail server in the world what to do with messages that claim to come from your domain but fail authentication.
The three policy levels
A DMARC record sets one of three policies:
p=none— "monitor only." Forged mail is still delivered; you just receive reports about it. This is where most small-business domains sit, and it provides zero blocking.p=quarantine— "send failures to spam." Better, but forged mail still reaches the recipient's spam folder, where some people read it anyway.p=reject— "refuse failures outright." Receiving servers are instructed to reject mail that fails authentication for your exact domain. This is enforcement — the level that actually stops exact-domain spoofing.
What DMARC does — and honestly, what it doesn't
At enforcement, DMARC stops attackers from sending mail as your exact domain (yourcompany.com). It does not stop look-alike domains (yourc0mpany.com), and it does not stop mail sent from a mailbox that's been broken into. Those are separate risks with separate controls. Anyone who tells you DMARC stops "all phishing" is overselling.
Why this matters more since 2024–2025
In February 2024, Google and Yahoo began requiring email authentication (SPF, DKIM, DMARC) from anyone sending in volume to their users — and Microsoft now applies the same requirements (Outlook, 2025). Across the board, major providers filter or reject unauthenticated mail far more aggressively than before — which means weak authentication now also hurts your own legitimate email's ability to reach customers, not just your fraud exposure.
How to find out where your domain stands
Your DMARC policy is public — anyone can look it up, including attackers. Our free scan reads it (along with SPF, DKIM, MX, MTA-STS, TLS-RPT, and BIMI) and gives you a 0–100 score with plain-language findings in about 10 seconds.