DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer on top of SPF and DKIM. A DMARC record at _dmarc.domain.tld tells receiving servers two things: (1) how strictly to check SPF and DKIM alignment with the displayed From address, and (2) what to do with messages that fail — p=none (monitor only), p=quarantine (send to spam), p=reject (bounce). DMARC also configures aggregate reporting: receivers send daily XML reports on every message sent from the domain, with pass/fail rates per source IP. This is how domain owners detect phishing / spoofing against their brand. Best-practice path: start at p=none with rua (reporting) configured, analyse reports for 30-60 days to find legitimate senders failing SPF or DKIM, fix them, then escalate to p=quarantine and finally p=reject. Gmail and Yahoo now require DMARC for any sender exceeding 5,000 messages per day to their domains.