How DMARC works in plain English
You publish a DMARC policy in DNS at _dmarc.yourdomain.com. The policy says one of three things: none (just monitor and report), quarantine (send to spam), or reject (refuse the message entirely). When a receiving server gets a message from your domain, it checks SPF and DKIM, and applies your DMARC policy to the result.
Why DMARC matters
Without DMARC, anyone can attempt to spoof your domain in their From address. With DMARC set to reject, receiving servers throw out impersonation attempts before they reach your customers. It is the strongest defence against phishing that uses your brand.
What does a DMARC record look like?
A DMARC TXT record at _dmarc.yourdomain.com looks like: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com. The p= field is the policy. The rua= field tells receiving servers where to send aggregate failure reports.
Start gentle, then strengthen
Best practice is to start with p=none and monitor reports for a few weeks. Once you confirm that all your legitimate senders are passing SPF and DKIM, move to p=quarantine, then eventually p=reject. Jumping straight to reject can cause legitimate messages to be lost.