How DMARC Works: A Plain-English Guide for Non-Engineers

Published 2026-06-02

What DMARC is, why it matters for email security, and how to read a DMARC record without needing a networking degree.

What DMARC Actually Does

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. In plain language, it's a public instruction a domain owner posts that tells receiving mail servers: 'if an email claims to be from my domain but doesn't pass SPF or DKIM authentication, here's what to do with it.' The 'what to do' options are: do nothing (monitor only), put it in spam (quarantine), or refuse it entirely (reject).

Without DMARC, a spammer can forge the From: header to say anything they want — including pretending to be your bank. With DMARC enforced, that forgery either gets caught and discarded by Gmail / Outlook / iCloud, or it lands in spam where you'll probably ignore it.

The Three Pieces You'll See

A DMARC record is a DNS TXT record at _dmarc.example.com and looks like this:

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Breaking it down:

  • v=DMARC1 — protocol version. Always this for now.
  • p=reject — the policy. Options: none (monitor only), quarantine (send to spam), reject (refuse delivery).
  • rua=mailto:... — where aggregate reports get sent. These are XML summaries from receivers showing what passed and failed.
  • pct=100 — what percentage of failing mail to apply the policy to. Useful for gradual rollouts.
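To make the tag breakdown concrete, here is a small parser that turns a DMARC TXT record into its pieces and rejects the common mistakes (missing p=, unknown policy, pct out of range). This is an added example, not code from the guide; the sample record is the guide's, with dmarc@example.com standing in for the report address, and sp=, adkim= and aspf= are real RFC 7489 tags the guide does not cover (subdomain policy and alignment modes).

```python
"""Parse and sanity-check a DMARC TXT record (added example, not from the guide)."""
from dataclasses import dataclass, field
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")
ALIGNMENT_MODES = ("r", "s")   # relaxed / strict


@dataclass
class DmarcRecord:
    policy: str                  # p=  what receivers do with failing mail
    subdomain_policy: str        # sp= falls back to p= when absent
    pct: int                     # pct= share of failing mail the policy applies to
    rua: List[str]               # aggregate report addresses (mailto: stripped)
    ruf: List[str]               # failure (forensic) report addresses
    adkim: str                   # DKIM alignment mode, default relaxed
    aspf: str                    # SPF alignment mode, default relaxed
    tags: Dict[str, str] = field(default_factory=dict)  # every tag as found


def _mailto_list(value: str) -> List[str]:
    """rua/ruf are comma-separated mailto: URIs; keep only the addresses."""
    addrs = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):])
    return addrs


def parse_dmarc(txt: str) -> DmarcRecord:
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    # RFC 7489: v=DMARC1 must be the first tag and p= is required.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record has no p= policy tag")

    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()
    for name, value in (("p", policy), ("sp", subdomain_policy)):
        if value not in VALID_POLICIES:
            raise ValueError(f"{name}={value!r} is not none/quarantine/reject")

    pct_text = tags.get("pct", "100")
    if not pct_text.isdigit() or not 0 <= int(pct_text) <= 100:
        raise ValueError(f"pct={pct_text!r} must be an integer 0..100")

    adkim = tags.get("adkim", "r").lower()
    aspf = tags.get("aspf", "r").lower()
    if adkim not in ALIGNMENT_MODES or aspf not in ALIGNMENT_MODES:
        raise ValueError("adkim/aspf must be r (relaxed) or s (strict)")

    return DmarcRecord(policy, subdomain_policy, int(pct_text),
                       _mailto_list(tags.get("rua", "")),
                       _mailto_list(tags.get("ruf", "")),
                       adkim, aspf, tags)


def describe(rec: DmarcRecord) -> str:
    """One-line reading of the record in the guide's own terms."""
    meaning = {"none": "monitor only", "quarantine": "send to spam",
               "reject": "refuse delivery"}[rec.policy]
    note = "" if rec.pct == 100 else f", applied to {rec.pct}% of failing mail"
    reports = (f"aggregate reports to {', '.join(rec.rua)}" if rec.rua
               else "no aggregate reports requested")
    return f"p={rec.policy} ({meaning}{note}); {reports}"


if __name__ == "__main__":
    # Constructed sample: the guide's record with a placeholder report address.
    print(describe(parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100")))
```

A record with no rua= is worth flagging on its own: without aggregate reports the domain owner never learns which senders are failing, which is exactly the information needed before tightening p=.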

Why It Builds on SPF and DKIM

DMARC is not standalone. It works by checking whether at least one of two underlying mechanisms passes and is aligned with the visible From: domain:

  • SPF says 'these specific IP addresses are allowed to send mail for my domain'
  • DKIM says 'I cryptographically signed this message, here's the signature'

DMARC says 'if either the SPF or the DKIM check passes AND the domain it validated matches the visible From: address, this mail is legitimate. If not, apply my policy.' The alignment check is what catches spoofing — an attacker can buy any domain and configure SPF for it, but if the From: header says your bank, the alignment fails.
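The alignment rule above, and the pct= sampling from the tag breakdown, written out the way a receiving server evaluates them. This is an added example, not code from the guide. It assumes a toy public-suffix set in place of the Public Suffix List that real receivers use to find the organisational domain, and uses the reserved .example TLD for the constructed domains; the relaxed/strict modes are the real adkim=/aspf= options from RFC 7489.

```python
"""DMARC alignment and disposition as a receiver evaluates it (added example, not from the guide)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"example", "com", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organisational domain: the label just above the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as the org domain


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Relaxed ('r'): same organisational domain. Strict ('s'): identical domain."""
    a, b = header_from.lower().rstrip("."), authenticated.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    domain: str    # SPF: the MAIL FROM (envelope) domain; DKIM: the d= tag
    passed: bool


def dmarc_pass(header_from: str, spf: Optional[AuthResult],
               dkim: List[AuthResult], aspf: str = "r", adkim: str = "r") -> bool:
    """Pass if at least one mechanism passed AND its domain aligns with From:."""
    spf_ok = spf is not None and spf.passed and aligned(header_from, spf.domain, aspf)
    dkim_ok = any(r.passed and aligned(header_from, r.domain, adkim) for r in dkim)
    return spf_ok or dkim_ok


def disposition(passed: bool, policy: str, pct: int, sample: int) -> str:
    """Apply p= and pct=. `sample` is the receiver's random draw in 0..99.
    Mail outside the pct fraction gets the next weaker policy (RFC 7489 6.6.4):
    reject -> quarantine, quarantine -> none."""
    if passed:
        return "none"
    if sample < pct:
        return policy
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


if __name__ == "__main__":
    # Constructed scenario: From: claims bank.example with p=reject; pct=100.
    spoof = dmarc_pass("bank.example", AuthResult("evil.example", True), [])
    legit = dmarc_pass("bank.example", None, [AuthResult("mail.bank.example", True)])
    print("spoof from evil.example ->", disposition(spoof, "reject", 100, 7))
    print("signed by mail.bank.example ->", disposition(legit, "reject", 100, 7))
```

Note what the spoof case shows: the attacker's SPF genuinely passes for evil.example, and it is only the alignment step that fails the message. Under strict mode even the bank's own mail.bank.example signature would not align, which is why the default is relaxed.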

Why You Should Care as a User

  • You receive less phishing because spoofed mail from major brands now gets rejected at the receiving mail server, never reaching your inbox
  • If your bank, healthcare provider, or government agency hasn't enforced DMARC, you should know about it — their email is more spoofable than it should be
  • If you run a domain (even a personal one), you should publish a DMARC record so attackers can't spoof emails from you to your contacts

Why Sites Sometimes Don't Enforce It

Enforcing DMARC with p=reject means any legitimate but misconfigured mail-sending system attached to your domain instantly stops working. Marketing platforms, transactional email providers, third-party CRMs, internal HR tools, contractor tools — if any of these aren't included in your SPF record or signed by your DKIM key, their mail gets rejected. For large organisations the discovery and cleanup phase takes months.

This is why many large brands still run p=none (monitor only) for years before tightening to quarantine or reject.
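The discovery phase runs on the aggregate (rua=) reports mentioned earlier: receivers send XML summaries listing each sending IP and whether its mail passed aligned SPF or DKIM. The script below summarises one such report and lists the sources that would start being blocked once p= is tightened. It is an added example, not code from the guide; the report is constructed in the RFC 7489 Appendix C layout with reserved documentation IPs and .example domains, whereas real reports arrive as gzip or zip attachments from receivers.

```python
"""Find senders failing DMARC in an aggregate report (added example, not from the guide)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed report: one aligned sender, one third-party sender whose SPF passes
# for its own domain only, and one source with no passing authentication at all.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-report-001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>900</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


@dataclass
class SourceSummary:
    source_ip: str
    count: int
    dkim: str              # aligned DKIM result as evaluated by the receiver
    spf: str               # aligned SPF result
    raw_passes: List[str]  # mechanisms that passed for some (possibly unaligned) domain

    @property
    def dmarc_pass(self) -> bool:
        return self.dkim == "pass" or self.spf == "pass"

    def hint(self) -> str:
        if self.dmarc_pass:
            return "ok"
        # Authenticated, but for a domain that does not align with From: this is the
        # typical signature of a third-party sender that still needs aligned SPF/DKIM.
        return "unaligned" if self.raw_passes else "not-authenticated"


def parse_aggregate(xml_text: str) -> List[SourceSummary]:
    # Reports come from outside parties; parse with defusedxml in production.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        pe = rec.find("row/policy_evaluated")
        if pe is None:
            raise ValueError("record without policy_evaluated")
        raw = []
        for mech in ("spf", "dkim"):
            for el in rec.findall(f"auth_results/{mech}"):
                if (el.findtext("result") or "").lower() == "pass":
                    raw.append(f"{mech}:{el.findtext('domain') or '?'}")
        rows.append(SourceSummary(
            source_ip=rec.findtext("row/source_ip", ""),
            count=int(rec.findtext("row/count", "0")),
            dkim=(pe.findtext("dkim") or "fail").lower(),
            spf=(pe.findtext("spf") or "fail").lower(),
            raw_passes=raw,
        ))
    return rows


def failing_sources(xml_text: str) -> List[SourceSummary]:
    """Sources that would be quarantined/rejected once p= is tightened, biggest first."""
    return sorted((s for s in parse_aggregate(xml_text) if not s.dmarc_pass),
                  key=lambda s: s.count, reverse=True)


if __name__ == "__main__":
    for s in failing_sources(SAMPLE_REPORT):
        print(f"{s.source_ip:>15}  {s.count:>5}  {s.hint():<18} {s.raw_passes}")
```

The "unaligned" rows are the ones the cleanup phase is about: a vendor sending on your behalf whose SPF passes for its own bounce domain but not yours, which is fixed by having it sign with your DKIM key or use an aligned return-path. The "not-authenticated" rows with large counts are what p=none is currently letting through.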

How to Check Any Domain's DMARC

From a terminal:

dig +short TXT _dmarc.example.com

Web tools like mxtoolbox.com/dmarc.aspx let you query without a terminal. Look for the p= tag: p=reject is the gold standard, p=quarantine is acceptable, p=none means they're monitoring but not actively blocking spoofing.

Practical Takeaway

DMARC is one reason your inbox today contains less obvious spoofing than it did in 2015. It works invisibly to most users. When you receive a perfectly-formatted email pretending to be from PayPal and it lands in your inbox, that's a sign PayPal's DMARC is misconfigured (rare) or that the attacker isn't bothering to forge the From: header (more common — they use a lookalike domain like payp4l.com instead).

Related Guides

See also: How SPF records work, How DKIM signing works, and how to verify a sender is legitimate.
