Defaults.Exposed

DMARC

Also known as: Domain-based Message Authentication, Reporting and Conformance

DMARC is the instruction that tells receiving mail providers what to do with fake email pretending to be your business — and it's what finally stops criminals from impersonating your domain.

What it is

DMARC stands for Domain-based Message Authentication, Reporting and Conformance — but the plain version is simpler. SPF and DKIM let providers check whether an email is genuinely from you. DMARC is the line that tells them what to do when an email fails that check: let it through, send it to spam, or reject it outright.

It also asks providers to send you reports showing who is trying to send email in your name — so for the first time you can actually see impersonation attempts.

Why it matters to your business

SPF and DKIM on their own are like a guest list with no doorman. DMARC is the doorman. Until you set a DMARC policy that says “reject fakes,” a scammer’s forged email can still reach your customers and staff — because nothing is enforcing the checks.

This is the layer that finally stops criminals from sending fake invoices “from you” to your customers, or fake payment requests “from the owner” to your finance person. It’s also a hard requirement from Gmail and Yahoo for businesses that send any volume of email — without it, your real mail is increasingly likely to be blocked.

How to tell / what to do

Our free checker shows whether you have DMARC and, crucially, whether it’s actually enforcing anything or just watching. Many domains have a DMARC record that does nothing (see p=none vs p=reject). If yours is missing or weak, the fix is free and is done in your domain settings. See the DMARC fix guide.
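
A minimal version of that check, as an added example (not the site's checker code): it takes the TXT strings published at `_dmarc.<your domain>` and reports whether the policy is missing, only watching, or enforcing. The function names and sample records are constructed for illustration; the tag rules follow RFC 7489.

```python
# Added example: classify the TXT records found at _dmarc.<domain>.
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, or receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt_records):
    """Map the TXT records at _dmarc.<domain> to a one-line status."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        # No record, or several: receivers treat both as "no DMARC policy".
        return "missing"
    policy = records[0].get("p", "").lower()
    if policy == "none":
        return "watching"  # reports only, forged mail is still delivered
    if policy not in ENFORCING:
        return "invalid"   # p is required; without a valid p nothing is enforced
    # pct (RFC 7489) limits the policy to a percentage of failing mail.
    pct = records[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return f"partial ({policy}, pct={pct})"
    return f"enforcing ({policy})"

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "no record": [],
    "watching": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "spam folder, 25%": ["v=DMARC1; p=quarantine; pct=25"],
    "reject": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "tags out of order": ["p=reject; v=DMARC1"],
    "two records": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label:18} -> {assess(records)}")
```

To run it against a real domain, pass in the TXT strings returned for `_dmarc.<your domain>` by any DNS lookup tool.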
