DMARC is the policy layer on top of SPF and DKIM. It tells receiving mail servers what to do with mail that fails those checks: deliver it anyway (none), set it aside (quarantine) or refuse it (reject). It also sends you reports on who is sending mail on behalf of your domain.

DMARC in practice

Without DMARC, SPF and DKIM are non-binding: a recipient can see that a message is not right, but does not know what you want done with it. With a DMARC policy set to 'reject' you make sending fake invoices in your name practically impossible, a direct brake on CEO fraud and on phishing aimed at your customers.

The mature route: start with policy 'none' and review the reports to see which legitimate sending systems are not yet set up correctly, then step up to 'quarantine' and finally 'reject'. This is part of the baseline security we set up under Microsoft 365 management.
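As an added example (not code from the RiverFlows glossary), a small Python model of the receiver-side decision the policy drives: it parses a DMARC TXT record, checks whether an SPF or DKIM pass is aligned with the From domain, and returns the disposition. The three sample records and all domains are constructed; the organisational-domain helper is a deliberate simplification.

```python
"""Added illustration of how a receiver applies a DMARC policy.
Sample records below are constructed, one per rollout stage."""

RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
RECORD_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
RECORD_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; require v=DMARC1 and a p= tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels.
    Real receivers use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organisational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def disposition(record, header_from, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the policy's disposition for a message that fails.

    spf_pass_domain / dkim_pass_domain: the domain for which that check
    passed, or None when it failed. One aligned pass satisfies DMARC."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        header_from, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        header_from, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # none | quarantine | reject
```

Note that a message whose SPF passes for an unrelated domain still fails DMARC: the pass has to line up with the visible From address, which is exactly what stops a forged invoice.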

Related terms

  • SPF — SPF (Sender Policy Framework) is a DNS record that sets out which mail servers are allowed to send email on behalf of your domain.
  • DKIM — DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email that recipients can verify via DNS.
  • DNS — DNS (Domain Name System) is the system that translates domain names into the servers behind them: it determines where your website loads and where email for your domain is delivered.

Part of the RiverFlows glossary.