What is DMARC?

It’s a note you leave in DNS for every mail server out there. The note says: “If a message claims to come from me but the SPF or DKIM checks don’t add up, here’s what I’d like you to do with it.” There’s a second job too, and honestly I think it’s the better reason to set the thing up at all. DMARC can mail you back daily reports listing everyone sending as your domain. Which is usually how you stumble onto the rogue marketing tool nobody mentioned. Better to find that now, while you’re still on p=none, than after you’ve told the world to reject.

DMARC policy levels

• p=none blocks nothing. It just turns the reports on so you can watch. Start here, always.
• p=quarantine says: failing mail goes to spam, not the inbox. I tend to sit on this one for a while, until the reports stop surprising me.
• p=reject is the setting that genuinely shuts spoofing down, because failing mail gets refused at the door and never arrives.

FAQ

Should every domain have DMARC?

Yes. Even the ones you never send a single email from. Parked domains, dead brands, that side project you forgot you owned: those are the ones attackers reach for first, exactly because nobody’s keeping an eye on them. If a domain has anything to do with email, or with money landing in someone’s inbox, then skipping the record feels reckless to me.

Is p=none enough?

For the first few weeks, sure. p=none buys you time to read the reports and catch every legit sender before you start blocking anything. On its own, though, it protects nobody. A spoofer couldn’t care less that you’re “monitoring” them. So once SPF and DKIM check out clean and the reports stop throwing up surprises, push it to quarantine. Then, when your nerve holds, reject.