DMARC
DMARC tells mail servers what to do with emails that fail SPF or DKIM checks (e.g., reject them or mark as spam).
Email & DNS~1 min read
In plain English
Instructions you give to the internet: “If an email claiming to be from me fails the SPF or DKIM check, don’t deliver it—or put it in spam.”
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy layer built on top of SPF and DKIM. It tells receiving mail servers how to handle emails that fail authentication and provides reporting back to the domain owner.
A DMARC policy can be set to 'none' (monitoring), 'quarantine' (send to spam), or 'reject' (block entirely). This is the most powerful tool for preventing domain impersonation and phishing.
Examples & Usage
Monitoring Policy (safe to start)
v=DMARC1; p=none; rua=mailto:reports@example.comEnforcement Policy (strict)
v=DMARC1; p=reject; aspf=s; adkim=s;