Shipshape

WTF Series

WTF is DMARC?

The protocol that ties SPF and DKIM together and tells mailbox providers what to do when authentication fails.

The real explanation

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. In plain English: it's the policy layer that sits on top of SPF and DKIM. SPF checks if the sending server is allowed. DKIM checks if the message was tampered with. DMARC asks: did at least one of those pass AND align with the domain in the From address?

You publish a DMARC record in your DNS as a TXT record on _dmarc.yourdomain.com. That record tells receiving servers three things: your policy (none, quarantine, or reject), where to send aggregate reports, and optionally where to send forensic reports.

Here's the thing nobody explains clearly: p=none means "do nothing, just send me reports." A lot of senders set this up and think they're protected. They're not. It's monitoring mode. You need p=quarantine or p=reject to actually stop spoofing. But you should only move to those after you've reviewed your reports and made sure all your legitimate senders are passing.

Show me an example

You check your DMARC aggregate reports and notice that a marketing tool you forgot about is sending from your domain but failing DKIM. Without DMARC, those emails just go out and maybe land in spam. With DMARC at p=reject, they bounce. The fix: add that tool's DKIM signature or include their servers in your SPF record; then they'll pass alignment.

Who handles this?

Sigil the Signaler

Sigil covers authentication (SPF/DKIM/DMARC/BIMI).

Go deeper

Read more in the Email Almanac: DMARC in the Almanac

© 2026 Review My Emails. Confidential & proprietary — unreleased draft. Unauthorized copying, reproduction, or distribution of this site or its contents is prohibited. All rights reserved.