• Authentication: Checks if emails pass SPF and/or DKIM.
• Policy (Conformance): Tells receivers what to do with failed messages.
• Reporting: Sends feedback to domain owners about who is sending mail using their domain.

How DMARC Works

• Sender publishes DMARC record in DNS (a TXT record).
• Incoming mail server checks SPF and DKIM.
• DMARC applies policy based on results: 

• Reports are sent back to the domain owner with details about authentication results.

Why DMARC Matters

• Protects your brand: Prevents attackers from spoofing your domain.
• Improves deliverability: ISPs trust domains with DMARC.
• Provides visibility: Reports show who is sending mail as you.
• Completes the “authentication trio” with SPF + DKIM.

Example DMARC Record

_dmarc.inboxsensei.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1" 

• DMARC records always live under the special subdomain _dmarc..
• This means it applies to all mail sent from @inboxsensei.com.

• Just like SPF and DKIM, DMARC is published as a DNS TXT record.

The value:

• Version → Always DMARC1.

• Policy → What you want recipient mail servers (Gmail, Outlook, Yahoo, etc.) to do if an email fails DMARC checks (SPF/DKIM don’t align).

• Aggregate reports address → Mail servers send daily XML summaries of all DMARC activity here.

• Forensic reports address → Some mail servers send individual copies of failed emails (stripped for privacy sometimes). Useful for deep debugging.

• Failure reporting option → 1 means: send forensic reports if either SPF or DKIM fails.
• Other options exist (like 0, d, s) but 1 is the most common.

🥋 Sensei Tip

Always start with p=none to collect reports safely. Once you’re confident no legitimate mail is being blocked, move to quarantine and eventually reject for maximum protection.