DMARC Made Simple – How to stop spoofing without breaking your email

December 17, 2025

Anne Allen

NuStart Email Trust Series — Post 4 of 10

DMARC Made Simple is here to help you understand email deliverability, which is full of acronym soup—SPF, DKIM, DMARC, TLS—and most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.


What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC Made Simple is my attempt to demystify this vitally important email security measure.

That name is a mouthful, but DMARC really does three practical things:

  1. Stops spoofing (people pretending to email “from” your domain)
  2. Tells inbox providers what to do when authentication fails
  3. Sends you reports so you can see who is sending email as your domain

If SPF is your “allowed senders list,” DMARC is the policy layer that says:
“If an email fails the checks, here’s how strict to be.”


Why DMARC matters for small businesses and non-profits

Spoofing is common. Attackers like to impersonate real local businesses because it’s believable. The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches.

DMARC helps reduce risks like:

  • fake invoices sent “from you”
  • phishing emails targeting your customers or staff
  • brand damage (“I got a weird email from your company…”)
  • deliverability issues (inboxes trust you more when your policy is clear)

And DMARC doesn’t require you to buy anything. It’s a DNS record.


DMARC is built on SPF and DKIM

Important: DMARC doesn’t replace SPF or DKIM—it uses them.

DMARC checks whether:

  • SPF passed and is aligned, or
  • DKIM passed and is aligned

If neither is true, DMARC fails.

What “alignment” means (the simple version)

Alignment means the domain used by SPF/DKIM needs to “match” the domain in the From: address people see.

Example:
If your email says it’s from @yourdomain.com, DMARC wants SPF and/or DKIM to authenticate in a way that also ties back to yourdomain.com (not some unrelated domain).

This is the part that fixes a lot of “Why are my emails going to spam?” mysteries.
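Here is the alignment decision written out as code. This is an example I’ve added to this post, not code from any mail provider or DMARC tool; the function names are my own, and the organizational-domain lookup is simplified (real receivers use the Public Suffix List). SPF is compared on the Return-Path (MAIL FROM) domain and DKIM on the d= domain of the signature, and DMARC passes as soon as either one passes and aligns with the visible From: domain.

```python
"""Added example (not from the original post): a toy DMARC alignment check.

DMARC passes when at least one of SPF or DKIM both passes AND is aligned
with the visible From: domain. The domains compared are:
  - SPF:  the MAIL FROM / Return-Path domain
  - DKIM: the d= domain in the DKIM-Signature header
organizational_domain() is a deliberate simplification (last two labels)
that is wrong for public suffixes like co.uk; real code uses the PSL.
"""


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    if mode == "r":
        return organizational_domain(auth) == organizational_domain(frm)
    raise ValueError(f"alignment mode must be 'r' or 's', got {mode!r}")


def dmarc_result(
    from_domain: str,
    spf_result: str,      # "pass", "fail", "none", ...
    spf_domain: str,      # MAIL FROM (Return-Path) domain that SPF checked
    dkim_result: str,     # "pass", "fail", "none"
    dkim_domain: str,     # d= of the DKIM signature ("" if unsigned)
    aspf: str = "r",      # aspf= tag from the DMARC record
    adkim: str = "r",     # adkim= tag from the DMARC record
) -> dict:
    """Return the DMARC outcome and which mechanism(s) satisfied it."""
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, aspf)
    dkim_ok = (
        dkim_result == "pass"
        and bool(dkim_domain)
        and is_aligned(dkim_domain, from_domain, adkim)
    )
    return {
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
    }


if __name__ == "__main__":
    # Constructed scenarios (placeholder domains, not real senders):
    # 1) a newsletter tool bounces to its own domain but DKIM-signs as you
    print(dmarc_result("yourdomain.com", "pass", "bounce.newslettertool.example",
                       "pass", "yourdomain.com"))
    # 2) a forwarded message: SPF breaks, the DKIM signature survives
    print(dmarc_result("yourdomain.com", "fail", "yourdomain.com",
                       "pass", "yourdomain.com"))
```

The second scenario is the forwarding case mentioned in the FAQ: SPF fails because the forwarder’s server is not in your SPF record, but DKIM still passes and aligns, so DMARC passes. A message whose SPF and DKIM both pass only for some unrelated domain fails DMARC even though each check “passed” on its own.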


What a DMARC record looks like

DMARC is a TXT record at:

_dmarc.yourdomain.com

A basic starter DMARC record looks like:

v=DMARC1; p=none; rua=mailto:[email protected]; fo=1

Breakdown:

  • v=DMARC1 = this is a DMARC record
  • p=none = monitor only (don’t block anything yet)
  • rua=mailto:... = where aggregate reports should be sent
  • fo=1 = ask for a failure report whenever either SPF or DKIM fails, rather than only when both fail (optional)

You’ll also see stricter policies later:

  • p=quarantine (treat failing mail as suspicious / spam)
  • p=reject (block failing mail)

The safe DMARC rollout (so you don’t break email)

DMARC is powerful—so the rollout matters.

Step 1: Start with monitoring (p=none)

This is “listen mode.” You’re not blocking anything, you’re gathering visibility.

Step 2: Fix what you learn

DMARC reports show you:

  • which services are sending as your domain
  • whether they pass SPF or DKIM
  • whether they align

Common fixes include:

  • enabling DKIM in Google/M365
  • correcting SPF includes
  • adjusting From/Return-Path alignment with third-party tools
  • changing website form sending method

Step 3: Increase enforcement gradually

When you’re confident legitimate senders are passing, you move to:

  • p=quarantine (partial, then more)
  • then p=reject (again, gradually)

This is the “don’t break email” part. You do not jump straight to reject unless you’re sure.


DMARC tags you’ll see (and what they mean)

p=

Your policy:

  • none (monitor)
  • quarantine (spam/suspicious)
  • reject (block)

pct=

Percentage of failing messages the policy applies to.
Example: pct=25 applies the policy to 25% of failing mail (great for gradual rollout).

rua=

Where aggregate reports go (highly recommended).

adkim= and aspf=

Alignment strictness:

  • r = relaxed (default; usually fine)
  • s = strict (tighter matching; use when you really know what you’re doing)

sp=

Subdomain policy (if you want a different policy for subdomains).
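To tie the starter record and the tag list together, here is a small parser that reads a DMARC TXT record, fills in the documented defaults, flags the “no reporting” mistake, and works out what a receiver would actually do with a failing message once pct= and sp= are taken into account. This is an example I’ve added, not code from any DNS or DMARC product; the function names and the yourdomain.com addresses are placeholders. One detail worth knowing: when a failing message is not selected by pct=, receivers apply the next-weaker policy (reject becomes quarantine, quarantine becomes none), which is what makes pct= a safe rollout dial.

```python
"""Added example (not from the original post): parse a DMARC record and
compute the disposition a receiver applies to a failing message.
Tag defaults and the pct= downgrade rule follow RFC 7489.  Names are mine."""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in defaults."""
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    # sp= defaults to the main policy when absent
    tags.setdefault("sp", tags["p"])
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def lint_dmarc(tags: dict) -> list:
    """Warnings for the mistakes this post describes."""
    warnings = []
    if "rua" not in tags:
        warnings.append("no rua= tag: you will receive no aggregate reports")
    if tags["fo"] != "0" and "ruf" not in tags:
        warnings.append("fo= requests failure reports but no ruf= address is set")
    return warnings


def disposition(tags: dict, dmarc_passed: bool,
                from_is_subdomain: bool, sample: int) -> str:
    """Policy the receiver applies.  `sample` stands in for the receiver's
    0..99 random draw used for pct= sampling."""
    if dmarc_passed:
        return "none"
    policy = tags["sp"] if from_is_subdomain else tags["p"]
    if sample < int(tags["pct"]):
        return policy
    # Not selected by pct=: apply the next-weaker policy (RFC 7489 6.6.4)
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]


if __name__ == "__main__":
    # Constructed records using the post's placeholder domain.
    starter = parse_dmarc(
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; fo=1")
    print(starter, lint_dmarc(starter))
    rollout = parse_dmarc(
        "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc-reports@yourdomain.com")
    for roll in (10, 50):
        print(roll, disposition(rollout, False, False, roll))
```

Run against the starter record from earlier in the post, the linter points out that fo=1 on its own does nothing useful: failure reports are only delivered if a ruf= address is also published. With p=reject; pct=25, a failing message drawn at 10 is rejected while one drawn at 50 is quarantined, and a failing message from a subdomain is left alone because sp=none overrides p= for subdomains.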


The most common DMARC mistakes (so you can avoid them)

1) Publishing DMARC with no reporting

DMARC without reports is like installing a security camera that doesn’t record. You want visibility first.

2) Going straight to p=reject

This can break mail from platforms you forgot about (CRMs, booking tools, website receipts). Roll out gradually.

3) Forgetting your website sends email too

Many contact forms and ecommerce systems send mail. If those are not aligned (SPF/DKIM), DMARC enforcement will expose it.


“How do I know if DMARC is working?”

Signs you’re on track:

  • DMARC record exists at _dmarc.yourdomain.com
  • You are receiving reports (rua)
  • Legitimate mail shows DMARC=pass in headers
  • Over time, fewer unauthenticated sources show up in reporting
  • When you move to quarantine/reject, nothing important breaks

Quick DMARC checklist (beginner-friendly)

  • SPF is set up and correct
  • DKIM is enabled for your mailbox provider and key platforms
  • DMARC record exists with p=none to start
  • rua= reporting is enabled
  • You reviewed what’s sending mail as your domain
  • You increased policy gradually (pct= is your friend)

DMARC FAQs

Will DMARC stop spam from being sent to me?

DMARC mainly protects your domain from being used to send fake emails. It doesn’t stop spam to you, but it helps stop people pretending to be you.

Can DMARC break my email?

It can if you enforce too quickly. That’s why the safe approach is p=none → fix alignment → gradual quarantine → gradual reject.

Do I need DMARC if I already have SPF?

Yes. SPF alone is not enough, and it can fail in forwarding scenarios. DMARC ties SPF/DKIM to the visible From domain and adds policy + reporting.

What email address should I use for DMARC reports?

You can use a dedicated mailbox like [email protected], or a reporting service. The key is: reports should be monitored and not ignored.

What’s the difference between quarantine and reject?

Quarantine: treat failing mail as suspicious (often spam folder)
Reject: block failing mail (strongest protection)

Want NuStart to handle this for you?

If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.


About the author

Hi, I’m Anne Allen. I’ve spent the last 15 years living and breathing WordPress. I’m passionate about helping business owners demystify their websites—whether that means keeping your site secure with proper maintenance, setting up complex Gravity Forms, or ensuring your content is accessible through ADA compliance. Let’s make your site work for you.