DMARC (Domain-Based Message Authentication, Reporting, and Conformance) lets domain owners publish policies in DNS that instruct remote mail servers on what to do with messages that fail authentication checks. It's built on top of two established standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
DMARC also includes a reporting mechanism. When remote mail servers receive messages that don't align with your published policy, they can send aggregate reports back to you, giving visibility into how your domain is being used and misused.
Why Does This Matter?
The primary goal of DMARC (and SPF and DKIM) is to detect and prevent email spoofing. Phishing attacks are the most common example: a message that appears to come from your bank or a payment provider, prompting you to click a link or enter account credentials.
SPF and DKIM do the heavy lifting. SPF designates which mail servers are authorized to send on behalf of your domain. DKIM cryptographically signs messages to detect tampering in transit. DMARC ties the two together, providing a single place to define your domain's policy and specify what should happen when either check fails.
A Practical Example
As the owner of example.com, you can publish SPF and DKIM records identifying your mail server (x.x.x.x) as the only authorized sender. Then publish a DMARC record instructing remote servers to reject messages that fail both checks, and report violations to abuse@example.com:
"v=DMARC1;p=reject;rua=mailto:abuse@example.com"
This record goes in DNS as a TXT record at _dmarc.example.com. When a remote server receives a message claiming to be from @example.com but not originating from x.x.x.x, the SPF check fails and the message is rejected per your published policy.
SPF, DKIM, and DMARC are foundational tools in the fight against email spoofing and phishing. For a closer look at each standard and how they work together, see Email Security: Understanding SPF, DKIM, and DMARC. To verify your own records or test a configuration, Mr. DNS offers free SPF, DKIM, and DMARC checkers.
Proper email authentication lowers your blacklisting risk, but it doesn't eliminate it. Generator Labs monitors your sending infrastructure against hundreds of blacklists, so you know immediately if something slips through.