DMARC Explained in Plain English (No Acronym Soup)

Published July 1, 2026

DMARC is a DNS setting that tells mailbox providers like Gmail what to do with email that claims to come from your domain but can't prove it: deliver it anyway, send it to spam, or reject it. It's the only mechanism that stops strangers from sending email as you, and since 2024, Gmail and Yahoo effectively require it.

The problem DMARC solves

Email was designed in an era of trust: any server can put any address in the From line. Nothing in the basic protocol stops someone in another country from sending mail that says it's from [email protected] to your customers, your vendors, or your own staff.

Two older technologies partially address this. SPF lets you publish the list of servers allowed to send for your domain. DKIM adds a cryptographic signature that proves a message wasn't altered and really came from your infrastructure. But neither tells receivers what to do when a message fails both checks, and crucially, neither checks the From address a human actually sees.

DMARC closes that gap. It requires that SPF or DKIM not only pass, but pass for the same domain the recipient sees in the From line (called alignment), and it lets you publish a policy for what happens when that fails.

The three policies

Your DMARC policy is the p= tag in your record, and it has three possible values. The policy applies to mail that fails authentication. Legitimate mail that passes is never affected.

Policy | What happens to failing mail | When to use it
p=none | Delivered normally; you receive reports about it | Starting out: discover every service sending as your domain
p=quarantine | Sent to the recipient's spam folder | After all legitimate senders pass consistently
p=reject | Refused outright (never reaches the inbox) | The end goal: spoofing your domain stops working

What a DMARC record looks like

A DMARC record is a single TXT record in your DNS at the host _dmarc. A sensible starting record looks like this:

Host: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

The reports are the point

The rua tag is where the real value lives. Once it's set, every major mailbox provider sends you a daily XML report listing every IP address that sent mail claiming to be your domain: how much, and whether it passed SPF and DKIM.

This is how you discover the CRM your sales team signed up for, the invoicing tool sending on your behalf, and the server in another country pretending to be you. The catch: the reports are compressed XML files designed for machines. Almost nobody reads them by hand, which is why monitoring services exist: they turn the XML into a dashboard and tell you when something needs attention.

Why you can't just jump to p=reject

If you enforce p=reject before every legitimate sender passes authentication, your own email gets rejected: the newsletter tool that never got a DKIM key, the helpdesk that isn't in your SPF record, the invoice system nobody remembered.

The safe path is: publish p=none, watch reports for a few weeks, fix each legitimate sender that fails, then move to quarantine, then reject. With clean reports, that journey typically takes four to eight weeks. This graduated rollout is exactly what DMARCPath automates: it tells you when your numbers say you're ready, and hands you the next record to paste.

Frequently asked questions

Does DMARC affect email I receive?
No. Your DMARC policy governs what other providers do with mail claiming to be from your domain. It has no effect on mail arriving in your own inboxes (your provider applies other senders' DMARC policies to that).

Do small businesses really need DMARC?
Yes, for two reasons: deliverability (Gmail and Yahoo now factor authentication into inbox placement for everyone, not just bulk senders) and impersonation (small businesses are heavily targeted for invoice fraud precisely because they rarely have DMARC enforced).

Is DMARC hard to set up?
Publishing the record takes five minutes. The work is in the weeks after: reading reports, fixing senders that fail, and tightening the policy, which is the part monitoring tools automate.
