DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a policy layer built on top of SPF and DKIM. It is published as a DNS TXT record at _dmarc.yourdomain.com and does two jobs: it enforces alignment and it generates reports about mail claiming to be from your domain.
Alignment is the key concept. SPF checks the envelope sender and DKIM checks its signing domain, but neither guarantees they match the From address a recipient actually sees. DMARC requires that a passing SPF or DKIM result align with the visible From domain, closing the spoofing gap that authentication alone leaves open.
A DMARC record specifies a policy with the p tag: none simply monitors, quarantine sends failing mail to spam, and reject blocks it entirely. Senders typically start at p=none to collect aggregate (rua) reports, confirm all legitimate sources pass, and then tighten to quarantine and reject once they are confident nothing legitimate will break.
Gmail, Yahoo, and Microsoft now require a valid DMARC record for bulk senders, so publishing one is mandatory for serious outreach. Beyond compliance, DMARC protects your brand from being impersonated in phishing, and its reports are the single best way to discover shadow sending sources you did not know existed.