DMARC (Domain-Based Message Authentication, Reporting, and Conformance) lets domain owners publish policies in DNS that instruct remote mail servers on what to do with messages that fail authentication checks. It's built on top of two established standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

DMARC also includes a reporting mechanism: when remote mail servers receive messages that don't align with your policy, they send you aggregate reports showing where your domain is being used — and misused.

The core problem it solves is spoofing. Without DMARC, anyone can send mail that appears to come from your domain. SPF and DKIM do the authentication work — SPF designates which servers are authorized to send on your behalf, DKIM signs messages to detect tampering in transit — but without DMARC there's no policy telling receivers what to do when those checks fail, and no reporting telling you when it's happening.

A Practical Example

As the owner of example.com, you can publish SPF and DKIM records identifying your mail server (x.x.x.x) as the only authorized sender. Then publish a DMARC record instructing remote servers to reject messages that fail both checks, and report violations to abuse@example.com:

"v=DMARC1;p=reject;rua=mailto:abuse@example.com"

This record goes in DNS as a TXT record at _dmarc.example.com. When a remote server receives a message claiming to be from @example.com but not originating from x.x.x.x, the SPF check fails. If the message also carries no valid DKIM signature for example.com, it has failed both checks and is rejected per your published policy.
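As an added example (not from the original post or any tool it mentions), the Python sketch below parses the record above and applies it to constructed SPF and DKIM results. It goes one step beyond the text by checking identifier alignment, and it assumes a naive two-label organizational domain instead of the Public Suffix List; all function names are hypothetical.

```python
# Added example: parse a DMARC TXT record and apply it to one message's results.
RECORD = '"v=DMARC1;p=reject;rua=mailto:abuse@example.com"'  # record from the text

def parse_dmarc(txt):
    """Return the record's tags as a dict; raise ValueError if it is unusable."""
    tags = {}
    for pair in txt.strip().strip('"').split(";"):
        if not pair.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first, or the record is not a DMARC record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    # Simplification in this example: a missing or unknown p is an error.
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("aspf", "r")   # alignment modes default to relaxed
    tags.setdefault("adkim", "r")
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def disposition(policy, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the check's outcome and the
    domain it authenticated (envelope sender for SPF, d= for DKIM)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "deliver"          # one aligned pass satisfies DMARC
    return "deliver" if policy["p"] == "none" else policy["p"]

if __name__ == "__main__":
    policy = parse_dmarc(RECORD)
    # Constructed results for three messages with From: ...@example.com
    print(disposition(policy, "example.com", ("pass", "example.com"), ("pass", "example.com")))
    print(disposition(policy, "example.com", ("fail", "example.com"), ("pass", "example.com")))
    print(disposition(policy, "example.com", ("pass", "other.test"), ("none", "")))
```

The third case is the one to note: an SPF pass for an unrelated envelope domain does not help a message whose From header claims example.com.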

SPF, DKIM, and DMARC are foundational tools in the fight against email spoofing and phishing. For a closer look at each standard and how they work together, see Email Security: Understanding SPF, DKIM, and DMARC. To verify your own records or test a configuration, Mr. DNS offers free SPF, DKIM, and DMARC checkers.

Email authentication is foundational but not complete. A domain with p=reject can still have its sending IPs appear on blacklists from complaint volume, spam trap hits, or compromised sending accounts. Generator Labs monitors your sending infrastructure against hundreds of blacklists so you know immediately if any of your IPs or domains are listed.
