DNS & email authentication

DMARC (Domain-based Message Authentication)

What a DMARC policy does, why `p=none` leaves your domain unprotected from spoofing, and how WebGuard reviews your record.

Last updated June 9, 2026

What it is

DMARC is a DNS record that ties SPF and DKIM together: it tells receiving servers what to do with mail that claims to be from your domain but fails authentication, and where to send reports about it. Policies range from `p=none` (monitor only) to `p=quarantine` and `p=reject` (actively block spoofed mail).

Why it matters

DMARC is the control that actually stops impersonation of your domain. A record stuck at `p=none` collects reports but blocks nothing, so spoofed phishing still reaches inboxes. Many organizations publish DMARC and never move past monitoring, and surfacing that gap is one of the highest-value email findings, especially as major mailbox providers now require DMARC for bulk senders.

How WebGuard checks it

WebGuard performs a read-only DNS lookup of your `_dmarc` record and reports whether it exists and whether its enforcement policy is set to monitor only or to actively quarantine/reject. It is a DNS lookup only, and no mail is touched.

A sensible starting configuration:

v=DMARC1; p=reject; rua=mailto:dmarc@your-domain.com

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.