Customers, suppliers and staff often treat the domain in an email’s From address as a sign of identity. Without aligned authentication and a published DMARC policy, the domain owner has less visibility into how participating receivers evaluate messages using that exact domain.
DMARC creates a controlled way to observe that use, correct legitimate senders and ask receiving systems how to handle failures. It helps reduce exact-domain spoofing risk; it does not stop every form of phishing or fraud.
Check your domain · How DMARC works
Four reasons to evaluate DMARC
See the sending surface
Aggregate reports can reveal services observed using the domain and show whether SPF or DKIM aligns.
Create clear ownership
A sender inventory connects mail systems, DNS changes and business owners instead of treating authentication as an isolated record.
Correct legitimate mail deliberately
Evidence helps teams fix return-path or signing configuration before requesting stronger receiver handling.
Maintain a receiver-facing policy
The domain owner can publish a monitoring or enforcement request and continue reviewing change over time.
What the control covers
DMARC evaluates whether SPF or DKIM passes and aligns with the visible From domain. It supports a requested handling policy and reporting. A receiving system can still apply local policy, and authentication success does not prove that a message is safe or wanted.
What it does not replace
DMARC does not protect a compromised mailbox, inspect links or attachments, encrypt content, stop lookalike domains or guarantee delivery. Mailbox access, inbound filtering, staff processes, data protection and incident response require separate controls.
A safe adoption path
- Confirm who owns the domain, DNS and mail decisions.
- Inventory business mail and third-party senders.
- Validate SPF and DKIM for each legitimate path.
- Publish a valid monitoring policy with an approved report destination.
- Review evidence across normal and periodic sending.
- Progress policy only when unresolved legitimate sources and delivery risks are understood.
- Continue monitoring after every change.
Inventory → authenticate and align → monitor and progress
Read the policy progression guide
Who should own the work
The organisation remains responsible for authorising its domains and senders. Internal IT, an MSP or a specialist provider may coordinate DNS, reporting and remediation when responsibilities and approvals are clear.
Vigil supports assessment, aggregate-report processing, source identification, authentication review, monitoring and evidence-based policy progression. Exact delivery and commercial scope are agreed separately.
FAQ
Is DMARC only for large organisations?
No. The relevant question is whether a domain is used for business email and who can manage its authentication. The operating effort depends on the number and complexity of legitimate senders.
Will publishing DMARC interrupt email?
A valid monitoring policy expresses no requested handling for failures. Stronger policies can affect unauthenticated legitimate mail, which is why evidence and staged change matter.
Does an inbound email filter replace DMARC?
No. Inbound filtering protects a receiving environment; DMARC publishes authentication and policy information for other participating receivers evaluating use of your domain.
Does DMARC stop all impersonation?
No. It addresses unauthorised use of the exact visible From domain, not lookalike domains, display-name abuse or compromised accounts.
Can a provider manage it?
Yes, when the provider is authorised and the responsibilities for DNS, mail-platform changes, report review and policy decisions are explicit.
Start with public evidence
Check what the domain publishes now, then map the result to the systems authorised to send.