NuStart Email Trust Series — Post 4 of 10
DMARC Made Simple is here to help you understand email deliverability, a topic full of acronym soup: SPF, DKIM, DMARC, TLS. Most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC Made Simple is my attempt to demystify this vitally important email security measure.
That name is a mouthful, but DMARC really does three practical things:
- Stops spoofing (people pretending to email “from” your domain)
- Tells inbox providers what to do when authentication fails
- Sends you reports so you can see who is sending email as your domain
If SPF is your “allowed senders list,” DMARC is the policy layer that says:
“If an email fails the checks, here’s how strict to be.”

Why DMARC matters for small businesses and non-profits
Spoofing is common. Attackers like to impersonate real local businesses because it’s believable. The top three cyber crimes, by number of complaints reported by victims in 2024, were phishing/spoofing, extortion, and personal data breaches.
DMARC helps reduce risks like:
- fake invoices sent “from you”
- phishing emails targeting your customers or staff
- brand damage (“I got a weird email from your company…”)
- deliverability issues (inboxes trust you more when your policy is clear)
And DMARC doesn’t require you to buy anything. It’s a DNS record.
DMARC is built on SPF and DKIM
Important: DMARC doesn’t replace SPF or DKIM—it uses them.
DMARC checks whether:
- SPF passed and is aligned, or
- DKIM passed and is aligned
If neither is true, DMARC fails.
What “alignment” means (the simple version)
Alignment means the domain used by SPF/DKIM needs to “match” the domain in the From: address people see.
Example:
If your email says it’s from @yourdomain.com, DMARC wants SPF and/or DKIM to authenticate in a way that also ties back to yourdomain.com (not some unrelated domain).
This is the part that fixes a lot of “Why are my emails going to spam?” mysteries.
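To make the pass/fail rule concrete, here is an added Python example (not code from the original post) that applies the “SPF passed and aligned, or DKIM passed and aligned” rule with relaxed and strict alignment. The domains and results are constructed samples, and the organizational-domain lookup is simplified to the last two labels rather than the real Public Suffix List.

```python
# Added example (not code from the original post): how DMARC combines the
# SPF and DKIM results with alignment to decide pass or fail.
# All domains and results below are constructed sample values.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC uses the Public Suffix List, so e.g. *.co.uk differs."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed (r): organizational domains must match.
    Strict (s): the domains must be identical."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf_result, spf_domain,
                 dkim_result, dkim_domain, aspf="r", adkim="r"):
    """from_domain: domain in the visible From: header.
    spf_domain:  Return-Path (envelope sender) domain SPF was checked on.
    dkim_domain: d= value of a DKIM signature that verified.
    DMARC passes if SPF passed AND aligned, or DKIM passed AND aligned."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    # Mailbox provider: both SPF and DKIM tie back to your domain.
    print(dmarc_result("yourdomain.com", "pass", "yourdomain.com",
                       "pass", "yourdomain.com"))           # pass
    # Third-party tool: SPF and DKIM both "pass", but on the tool's own
    # domain, so nothing aligns. This is the "why is my mail in spam" case.
    print(dmarc_result("yourdomain.com", "pass", "bounces.tool.example",
                       "pass", "tool.example"))             # fail
    # Same tool after enabling DKIM with d=mail.yourdomain.com:
    print(dmarc_result("yourdomain.com", "pass", "bounces.tool.example",
                       "pass", "mail.yourdomain.com"))      # pass (relaxed)
    print(dmarc_result("yourdomain.com", "pass", "bounces.tool.example",
                       "pass", "mail.yourdomain.com", adkim="s"))  # fail
```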
What a DMARC record looks like
DMARC is a TXT record at:
_dmarc.yourdomain.com
A basic starter DMARC record looks like:
v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
Breakdown:
- v=DMARC1 = this is a DMARC record
- p=none = monitor only (don’t block anything yet)
- rua=mailto:... = where aggregate reports should be sent
- fo=1 = request failure reports in more cases (optional)
You’ll also see stricter policies later:
- p=quarantine (treat failing mail as suspicious / spam)
- p=reject (block failing mail)
The safe DMARC rollout (so you don’t break email)
DMARC is powerful—so the rollout matters.
Step 1: Start with monitoring (p=none)
This is “listen mode.” You’re not blocking anything, you’re gathering visibility.
Step 2: Fix what you learn
DMARC reports show you:
- which services are sending as your domain
- whether they pass SPF or DKIM
- whether they align
Common fixes include:
- enabling DKIM in Google/M365
- correcting SPF includes
- adjusting From/Return-Path alignment with third-party tools
- changing website form sending method
Step 3: Increase enforcement gradually
When you’re confident legitimate senders are passing, you move to:
- p=quarantine (partial, then more)
- then p=reject (again, gradually)
This is the “don’t break email” part. You do not jump straight to reject unless you’re sure.
DMARC tags you’ll see (and what they mean)
p=
Your policy:
- none (monitor)
- quarantine (spam/suspicious)
- reject (block)
pct=
Percentage of failing messages the policy applies to.
Example: pct=25 applies the policy to 25% of failing mail (great for gradual rollout).
rua=
Where aggregate reports go (highly recommended).
adkim= and aspf=
Alignment strictness:
- r = relaxed (default; usually fine)
- s = strict (tighter matching; use when you really know what you’re doing)
sp=
Subdomain policy (if you want a different policy for subdomains).
The most common DMARC mistakes (so you can avoid them)
1) Publishing DMARC with no reporting
DMARC without reports is like installing a security camera that doesn’t record. You want visibility first.
2) Going straight to p=reject
This can break mail from platforms you forgot about (CRMs, booking tools, website receipts). Roll out gradually.
3) Forgetting your website sends email too
Many contact forms and ecommerce systems send mail. If those are not aligned (SPF/DKIM), DMARC enforcement will expose it.
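An added Python example (not the post’s own code) that parses a record like the starter one above into its tags and flags the mistakes just listed: no rua= reporting, an invalid policy or pct= value, or v=DMARC1 not being the first tag. The record strings are constructed samples.

```python
# Added example (not code from the original post): parse a DMARC TXT record
# into its tags and flag the common rollout mistakes discussed in the post.
# Record strings passed in are constructed samples, not real DNS data.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v=DMARC1 must come first; receivers ignore records that get this wrong.
    first = record.strip().split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("missing required p= policy")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key].lower() not in allowed:
            problems.append(f"invalid value for {key}=: {tags[key]}")
    # Mistake 1 from the post: a policy with no reporting gives no visibility.
    if "rua" not in tags:
        problems.append("no rua=: you will get no reports (camera that doesn't record)")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        problems.append("rua= entries must be mailto: URIs")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be a whole number from 0 to 100")
    return problems
```

Calling lint_dmarc("v=DMARC1; p=reject") returns a single warning about the missing rua= tag, while the starter record from the post (with a real mailbox in rua=) returns an empty list.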
“How do I know if DMARC is working?”
Signs you’re on track:
- DMARC record exists at _dmarc.yourdomain.com
- You are receiving reports (rua)
- Legitimate mail shows DMARC=pass in headers
- Over time, fewer unauthenticated sources show up in reporting
- When you move to quarantine/reject, nothing important breaks
Quick DMARC checklist (beginner-friendly)
- SPF is set up and correct
- DKIM is enabled for your mailbox provider and key platforms
- DMARC record exists with p=none to start
- rua= reporting is enabled
- You reviewed what’s sending mail as your domain
- You increased policy gradually (pct= is your friend)
DMARC FAQs
Will DMARC stop spam from being sent to me?
Can DMARC break my email?
p=none → fix alignment → gradual quarantine → gradual reject.
Do I need DMARC if I already have SPF?
What email address should I use for DMARC reports?
[email protected], or a reporting service. The key is: reports should be monitored and not ignored.
What’s the difference between quarantine and reject?
Quarantine: treat failing mail as suspicious / spam
Reject: block failing mail (strongest protection)
Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.
