Home/Knowledge Hub/DMARC: What Happens When Someone Fakes Your Email Address
← Back to Knowledge Hub

DMARC: What Happens When Someone Fakes Your Email Address

Email Security·June 3, 2026·6 min read

DMARC tells email receivers what to do when SPF or DKIM checks fail, stopping spoofing and protecting your brand. Learn how to set it up correctly.

What Is DMARC

You run a small business. Your domain is your identity online. Now imagine someone sends an email pretending to be you, and it lands in your customer's inbox. The customer trusts your domain—so they might click a link, open an attachment, or hand over sensitive information. To an inbox, an email address is just a name; trust has to be proven.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a policy you publish so that receiving email servers know exactly how to handle messages that claim to be from your domain but fail basic authentication checks. Think of it as a final decision-maker: after SPF (who's allowed to send) and DKIM (cryptographic signature) have spoken, DMARC steps in and says, "Here's what you should do—and please send me a report about what you saw."

Without DMARC, anyone can type your domain into the "From" field, and the world's email servers have no consistent way to know if they should deliver, quarantine, or reject that message. DMARC gives you control over the outcome and visibility into who is using (or abusing) your domain.

Real-World Analogy

Think of DMARC like a set of instructions you post at your office's mailroom desk for handling incoming packages. You've already told the delivery companies (SPF) which trucks can drop off packages, and you've required a special coded seal on each box (DKIM). DMARC is the sign you hang up: "Dear mailroom, if a package doesn't have the right truck or the right seal, here's what to do: let it through with a note, send it back, or throw it away. And please email me a daily report of every package you processed."

How DMARC Works

Here's what happens, step by step, in a way anyone can picture.

When an email arrives claiming to be from your company, the receiving server looks up your domain's published rules. It checks two things: was this message sent from a server you authorized (SPF), and does it carry a valid digital signature that hasn't been tampered with (DKIM)? If either check passes and the domain used in that check aligns with your domain, the email is considered authentic under DMARC. If not, the receiving server looks at your DMARC policy for instructions: treat it normally but report it (p=none), send it to spam (p=quarantine), or reject it outright (p=reject). In the background, you get reports—imagine a daily email summary listing who sent email on your behalf and whether those messages passed or failed.

This process happens in milliseconds, before the email appears in anyone's inbox. Your policy lives in a DNS TXT record at a special address (), which is like a public bulletin board that email servers all over the world can check.

```

```

Technical Details
— the version marker; must be exactly this.
— the policy: (monitor only), (send to spam), (block entirely).
— where aggregate reports (daily summaries) are sent.
— where forensic reports (detailed failure samples) go; optional.
— percentage of suspicious messages to apply the policy to (use 100 for full protection).
— alignment mode for DKIM: (strict) or (relaxed). Strict requires an exact domain match.
— alignment mode for SPF: (relaxed) allows subdomain matching; requires exact match.

Why It Matters for Your Business

When DMARC is set up correctly, your legitimate emails are far less likely to be spoofed. That means your customers can trust messages from your domain, your brand reputation stays intact, and your sales, support, and marketing emails actually land in inboxes instead of spam folders. It also helps you meet compliance requirements that many industries and insurance policies now expect regarding email security.

When DMARC is missing or misconfigured, the consequences are quiet but serious: phishing attacks impersonating your business can reach your customers and partners, your domain can be blacklisted by email providers without you knowing, and your own campaigns may see deliverability problems because receivers simply don't trust unauthenticated mail. You might not even notice until a client forwards a strange email they received from "you."

This isn't just an IT issue. Any team that relies on email—marketing sending campaigns, sales reaching prospects, support responding to customers—should care. When a customer gets a fake invoice from your domain, it's your business's reputation that suffers, not just your mail server's.

Common Issues and Warning Signs

DMARC problems often reveal themselves indirectly. Because DMARC reports are the only window into what's actually happening, the biggest warning sign is that you've never seen a report—or you don't even know if you have a DMARC record. A TechSpy scan might flag a missing policy or a "p=none" setting that provides only reporting without protection, leaving your domain vulnerable.

Other symptoms show up in day-to-day business: a sudden drop in email deliverability for no obvious reason, customers forwarding you phishing emails that appear to come from your own address, or your IT team discovering your domain on a spam blocklist. These are all clues that someone is taking advantage of the fact that you haven't told the world what to do with unauthorized messages.

Common Issues

Your TechSpy scan shows "No DMARC record found" or "Policy: p=none" with no scheduled move to quarantine/reject.
You've started receiving phishing complaints from people you didn't email, using your exact domain.
Marketing emails that used to arrive suddenly land in spam—even for known recipients.
Your domain appears on public blacklists (check via MXToolbox or similar) without any obvious sending issues.
You've never seen a DMARC aggregate report (a daily XML file sent to your rua address).
You added a third-party email service (like a CRM or marketing tool) and didn't update SPF or DKIM first, causing DMARC failures.

How to Fix or Improve DMARC

DMARC is a journey, not a switch. You can start today with a reporting-only policy that costs nothing and causes no delivery changes, then gradually tighten the policy once you're sure your legitimate mail passes authentication. The record lives at as a TXT entry in your DNS control panel.

If you manage your DNS directly, follow the steps below. If someone else manages it (an IT contractor, your hosting provider, or a partner), forward this article to them along with your TechSpy scan results and ask them to implement the reporting phase first.

After implementing DMARC, you've not only stopped impersonation before it reaches your customers but also gained a dashboard of who's really sending email from your name. That's something every business owner should have.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1Create a DMARC record that only reports, with no enforcement: . Replace the email address with one you monitor (or a dedicated mailbox). Add this as a TXT record at .
2Wait at least two weeks and collect the daily aggregate reports. Use a free DMARC report analyzer (many are available) to see which IP addresses and services are sending email on your behalf.
3For every legitimate service you see (Google Workspace, Microsoft 365, your CRM, your marketing tool, your transactional email provider), verify that they pass SPF or DKIM with proper alignment. Usually this means adding the service's sending IPs to your SPF record or configuring DKIM signing in their dashboard.
4Once all your legitimate senders pass consistently, change the policy to (move failing mail to spam) first. Monitor for a week to ensure nothing critical breaks.
5Finally, move to and set to fully protect your domain. Keep monitoring reports indefinitely.
6Run a TechSpy scan afterward to confirm your DMARC record is live and your policy is enforced correctly.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →