Email Security

What is DMARC?

A plain-English guide for small business owners who want to stop criminals from sending fake emails that look like they came from your company.

The problem DMARC solves

Without DMARC, anyone on the internet can send an email that claims to be from you@yourbusiness.com. They do not need access to your email account. They do not need your password. Email was designed in the 1970s and the original protocol has no built-in way to verify who the sender really is.

This is how phishing attacks work. A criminal sends an invoice to your customer with your logo, your name, and your email address in the From field. The customer pays. You never see the money.

DMARC — Domain-based Message Authentication, Reporting and Conformance — is a DNS record that tells every receiving mail server in the world what to do when an email claiming to be from your domain fails authentication checks.

The three DMARC policies

p=none: Monitor only

Collects data but delivers everything. Zero protection against spoofing. Use this only while you are auditing your mail flow — never as a permanent setting.

p=quarantine: Send to spam

Emails that fail authentication go to the recipient's junk folder instead of their inbox. Good intermediate step before moving to reject.

p=reject: Block entirely

Emails that fail authentication are rejected outright — they never reach the recipient at all. This is the gold standard and what you should be aiming for.
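To make the three policies concrete, here is an added example (not code from this article or from CQwerty Shield) that parses a DMARC TXT record the way a receiving server reads it and maps the p= tag onto the three buckets above, while flagging the settings that quietly weaken protection (no rua= address, pct below 100, sp=none on an otherwise enforcing domain). Tag names follow RFC 7489; the domain yourbusiness.example and the sample records are constructed.

```python
"""Parse a DMARC TXT record and report how much protection it gives.

Added example for this article, not code from the page or from CQwerty Shield.
Tag names follow RFC 7489; the sample records at the bottom are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DmarcRecord:
    policy: str                 # p= : none, quarantine or reject
    subdomain_policy: str       # sp= ; defaults to the p= value
    pct: int                    # pct= ; share of failing mail the policy applies to
    rua: list = field(default_factory=list)   # aggregate-report addresses
    adkim: str = "r"            # DKIM alignment mode: r (relaxed) or s (strict)
    aspf: str = "r"             # SPF alignment mode
    warnings: list = field(default_factory=list)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' into a DmarcRecord, raising on malformed input."""
    tags = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag: {chunk!r}")
        key, value = chunk.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    # v=DMARC1 is mandatory and must be the first tag.
    if not txt.lstrip().lower().startswith("v=dmarc1"):
        raise ValueError("record must begin with v=DMARC1")

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"missing or invalid p= tag: {policy!r}")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError(f"pct= must be an integer, got {tags['pct']!r}")
    if not 0 <= pct <= 100:
        raise ValueError(f"pct= out of range: {pct}")

    rua = [addr.strip() for addr in tags.get("rua", "").split(",") if addr.strip()]

    rec = DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        rua=rua,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
    )

    # Warnings mirror the article's advice: p=none is observation only, and
    # aggregate reports are what let you find your legitimate senders.
    if rec.policy == "none":
        rec.warnings.append("p=none: monitoring only, spoofed mail is still delivered")
    if not rec.rua:
        rec.warnings.append("no rua= address: you will receive no aggregate reports")
    if rec.policy != "none" and rec.pct < 100:
        rec.warnings.append(f"pct={rec.pct}: policy applies to only {rec.pct}% of failing mail")
    if rec.subdomain_policy == "none" and rec.policy != "none":
        rec.warnings.append("sp=none: subdomains remain unprotected")
    return rec


def protection_level(rec: DmarcRecord) -> str:
    """Collapse a record into one of the article's three buckets."""
    if rec.policy == "none":
        return "monitor only"
    if rec.policy == "quarantine":
        return "send to spam"
    return "block entirely"


if __name__ == "__main__":
    # Constructed sample records for yourbusiness.example (not real DNS data).
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.example",
        "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourbusiness.example",
        "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s; rua=mailto:a@yourbusiness.example,mailto:b@reports.example",
    ]
    for txt in samples:
        rec = parse_dmarc(txt)
        print(f"{txt}\n  -> {protection_level(rec)}; warnings: {rec.warnings or 'none'}")
```

The pct warning is only raised for quarantine and reject because pct has no effect on p=none: there is nothing to apply to a fraction of the mail.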

How to implement DMARC safely

The only risk with DMARC is moving too fast. If you jump straight to p=reject before you have identified all your legitimate email senders — your CRM, your accounting software, your newsletter platform — those tools will have their emails rejected too.

  1. Add a p=none DMARC record with a rua= reporting address
  2. Wait 2–4 weeks and read the aggregate reports to find every service that sends email on your behalf
  3. Ensure each one has a valid SPF entry and is DKIM-signing your mail
  4. Move to p=quarantine, monitor for a week
  5. Move to p=reject
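Step 2 is where most people get stuck: the aggregate reports arrive as XML attachments, one per receiving provider per day, and reading them by hand is tedious. The following added example (not code from this article or from CQwerty Shield) parses a report in the RFC 7489 aggregate-report format and summarises it by sending IP, so you can see which sources already pass, which fail and would be blocked once you reach p=reject, and why. The report text, the domain yourbusiness.example and the IP addresses are constructed for illustration.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example for this article; not the page's or CQwerty Shield's code. The
XML below is a constructed report in the RFC 7489 Appendix C format for the
hypothetical domain yourbusiness.example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourbusiness.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourbusiness.example</domain><result>pass</result></dkim>
      <spf><domain>yourbusiness.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.example</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.newsletter-platform.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbusiness.example</header_from></identifiers>
    <auth_results>
      <spf><domain>yourbusiness.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


@dataclass
class Source:
    ip: str
    count: int
    dmarc_pass: bool          # receiver's aligned DKIM-or-SPF verdict
    spf_domain: str           # envelope domain SPF was checked against
    spf_result: str
    dkim_domains: list        # d= domains of any DKIM signatures seen


def parse_report(xml_text: str) -> list:
    """Return one Source per <record>, busiest sender first."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        spf = rec.find("auth_results/spf")
        sources.append(Source(
            ip=row.findtext("source_ip"),
            count=int(row.findtext("count")),
            # policy_evaluated holds the aligned results; either passing is a DMARC pass
            dmarc_pass=(ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"),
            spf_domain=spf.findtext("domain") if spf is not None else "",
            spf_result=spf.findtext("result") if spf is not None else "none",
            dkim_domains=[d.findtext("domain") for d in rec.findall("auth_results/dkim")],
        ))
    return sorted(sources, key=lambda s: s.count, reverse=True)


def failing_sources(sources: list) -> list:
    """Sources whose mail would be quarantined or rejected once the policy is enforced."""
    return [s for s in sources if not s.dmarc_pass]


def explain(s: Source) -> str:
    """One-line diagnosis for the person auditing their senders."""
    if s.dmarc_pass:
        return "aligned pass: no action needed"
    if s.spf_result == "pass":
        return (f"SPF passes for {s.spf_domain} but that domain is not aligned with the "
                f"From header; enable DKIM signing for this service or align its envelope domain")
    return "fails both SPF and DKIM: unknown sender or an unconfigured service"


if __name__ == "__main__":
    sources = parse_report(SAMPLE_REPORT)
    for s in sources:
        print(f"{s.ip:15} {s.count:5} msgs  {explain(s)}")
    print("messages that would be blocked under p=reject:",
          sum(s.count for s in failing_sources(sources)))
```

The second source is the typical "newsletter platform" case from the text: its SPF passes, but for the platform's own bounce domain, so it is not aligned with your From address and counts as a DMARC failure until that service signs with DKIM for your domain. The third source, failing both checks from an address you do not recognise, is what p=none is letting through today.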

Frequently asked questions

Do I need DMARC if I already have SPF?

Yes. SPF stops certain spoofing techniques but it cannot stop "header from" spoofing on its own. DMARC adds the enforcement policy that makes SPF and DKIM actually meaningful — without it, a passing SPF check still does not tell the receiving server to reject the bad email.
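The reason SPF alone does not stop "header from" spoofing is alignment: SPF authenticates the envelope sender (MAIL FROM) domain, which the recipient never sees, while DMARC requires that the authenticated domain also match the From header the recipient does see. The following added example (not code from this article or from CQwerty Shield) implements that alignment check for a single message under both relaxed and strict modes, and walks through the cases described in this answer. The organizational_domain() helper is a deliberate simplification that keeps the last two labels; real receivers use the Public Suffix List as RFC 7489 describes. All domains in the scenarios are constructed.

```python
"""Evaluate DMARC alignment for one message, showing why SPF alone is not enough.

Added example for this article, not the page's or CQwerty Shield's code.
organizational_domain() is a simplification (last two DNS labels); real
receivers consult the Public Suffix List per RFC 7489 section 3.2.
"""


def organizational_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_result(header_from, spf_domain, spf_result, dkim_domain, dkim_result,
                 adkim="r", aspf="r") -> str:
    """'pass' if at least one identifier both authenticates AND aligns with the From domain.

    spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= tag of the
    signature. An SPF pass for an unrelated envelope domain is worth nothing here.
    """
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    # Constructed scenarios for the hypothetical domain yourbusiness.example.
    cases = {
        "spoofed: SPF passes for the sender's own envelope domain, From header is yours":
            ("yourbusiness.example", "unrelated-sender.example", "pass", "", "none"),
        "legitimate: your mail server, aligned SPF":
            ("yourbusiness.example", "yourbusiness.example", "pass", "", "none"),
        "legitimate via third party: unaligned SPF but aligned DKIM signature":
            ("yourbusiness.example", "bounce.newsletter-platform.example", "pass",
             "yourbusiness.example", "pass"),
        "subdomain From, org-domain DKIM, relaxed alignment":
            ("news.yourbusiness.example", "", "none", "yourbusiness.example", "pass"),
    }
    for label, args in cases.items():
        print(f"{dmarc_result(*args):4}  {label}")
    # The same subdomain case fails once the record sets adkim=s (strict).
    print(dmarc_result("news.yourbusiness.example", "", "none",
                       "yourbusiness.example", "pass", adkim="s"), " subdomain From, strict DKIM alignment")
```

The first scenario is the one the question is about: the message genuinely passes SPF, because the envelope domain belongs to whoever sent it, yet DMARC fails because that domain does not align with your From header. Without a DMARC policy a receiver has no instruction to act on that mismatch.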

Will DMARC break my email?

Only if you skip the monitoring phase. Start with p=none and a reporting address, audit your senders for 2–4 weeks, then step up to quarantine and reject. Done in order, DMARC has no impact on legitimate mail.

What does p=none actually do?

Nothing protective. It collects reporting data while delivering all email regardless of authentication. Attackers can still spoof your domain. Think of it as a temporary observation window, not a finished implementation.

How do I check if my domain has DMARC?

Scan your domain with CQwerty Shield below — you will see your current DMARC policy, SPF record, and overall email security grade in one free report.

Check your DMARC record now

CQwerty Shield checks DMARC, SPF, SSL, DNS and breach exposure in one free report. No signup, no credit card.
