What it is
DMARC is a DNS record that ties SPF and DKIM together: it tells receiving servers what to do with mail that claims to be from your domain but fails authentication, and where to send reports about it. Policies range from `p=none` (monitor only) to `p=quarantine` and `p=reject` (actively block spoofed mail).
Why it matters
DMARC is the control that actually stops impersonation of your domain. A record stuck at `p=none` collects reports but blocks nothing, so spoofed phishing still reaches inboxes. Many organizations publish DMARC and never move past monitoring, and surfacing that gap is one of the highest-value email findings, especially as major mailbox providers now require DMARC for bulk senders.
How WebGuard checks it
WebGuard performs a read-only DNS lookup of your `_dmarc` record and reports whether it exists and whether its enforcement policy is set to monitor only or to actively quarantine/reject. It is a DNS lookup only, and no mail is touched.
A sensible starting configuration:
v=DMARC1; p=reject; rua=mailto:dmarc@your-domain.com