What is this?
DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) is the policy layer that ties SPF and DKIM together. It tells receiving mail servers what to do when a message claims to come from your domain but neither SPF nor DKIM confirms it: deliver, move to spam, or reject.
Additionally, DMARC requires the signing domain to match the visible sender domain (alignment). That eliminates an entire class of phishing tricks where attackers sign with their own domain and spoof the From line.
When do I need it?
As soon as you send mail at all - that means every company with its own domain, from a sole proprietor to a GmbH. Without DMARC, anyone can send phishing mail using your domain as the sender, and your recipients have no signal that it did not come from you.
Rollout works in three steps, 4-8 weeks each: p=none (observe only, no blocking), p=quarantine (spam folder), p=reject (block entirely). Only advance when the reports show that all your sending sources sign cleanly.
Should already be in place
- SPF record published
- DKIM enabled at your mail provider (usually one click in the dashboard)