DMARC builds on SPF and DKIM and tells receivers what to do when a message claims to be from your domain but fails authentication.
The core idea
Every email has a visible "From" address (e.g. invoices@yourbank.com) and a hidden envelope sender. SPF and DKIM check the hidden one. DMARC adds an "alignment" check: the visible domain must match the authenticated one. Without alignment, attackers can pass SPF and DKIM with their own domain while still spoofing yours.
Three policy modes
- p=none — monitoring only; no enforcement
- p=quarantine — failing mail goes to spam
- p=reject — failing mail is dropped before delivery
What ShieldMarc does
We aggregate every DMARC report receivers send back about your domain, score each sender, and tell you when alignment is high enough to safely move from p=none to quarantine to reject.