How to Explain DMARC to Your Boss

Written by
Edward Ma

March 7, 2024

ICYMI and live on a remote island free of email chatter: Two giants of email, Google and Yahoo, announced that every bulk email sender needs to have a clear DMARC policy in place, pronto, among a few other requirements. Having a policy went from being a you-really-should best practice to being a requirement. So there’s never been a better time to implement a policy that will reinforce trust in your brand.

In simple terms, DMARC is like a digital checkpoint for your emails that confirms they are from the correct organization and not someone pretending to be you. 

A Few of Our Favorite Acronyms 

  • Sender Policy Framework (SPF) is an authentication process that includes the IP address that you are authorized to send from. 
  • Domain Keys Identified Mail (DKIM) identifies your domain with a specific and approved cryptographic signature, which ensures mail traffic is legit.  
  • Domain-Based Message Authentication Reporting & Conformance (DMARC) is the authentication protocol that checks both SPF and DKIM. You can designate rules on what to do if mail fails these authentication steps. 
    • REJECT is the policy that bounces or discards any emails that fail DMARC. 
    • QUARANTINE is the policy that doesn’t completely reject the email but recommends the message be moved to the spam folder.  
    • NONE is a policy that gives a report on the results, but doesn’t take any actions if the authentication steps fail.

How It Works

As an email is being sent, there are multiple steps of authentication that it needs to go through before it hits any inbox. When the Email Server gets the signal that an email is being sent, it pings the SPF, DKIM, and DMARC records.

If SPF and DKIM pass, then it passes DMARC.
If SPF fails but DKIM passes with alignment, DMARC still passes.
If SPF passes with alignment but DKIM fails, DMARC still passes.

A Little Analogy To Help with Lift Off

DMARC procedures can be compared to navigating through airport security.

  • SPF might be your ID that you flash at check in. 
  • DKIM is like your ticket to ensure that you are actually getting on the right flight.
  • DMARC is your airport security person, looking at both your ID and ticket to let you through to the gates.

Now, let’s imagine three types of airport security policies:

  1. None Policy: This is like an airport with no security checks. Anyone can enter, representing emails sent with no strict security measures. 
  2. Quarantine Policy: Similar to an airport with some security measures, unclear identifications are checked before proceeding. It offers a second check before reaching the destination.
  3. Reject Policy: This is a strict airport with rigorous security checks. If an identification is suspicious, the person isn’t allowed through.

What’s Next?

Prioritizing DMARC and setting a clear policy isn’t just about securing your emails. It’s about fortifying your brand and becoming more trustworthy to your subscribers. And we wouldn’t be surprised if it was normalized for every domain and IP in 2024.

If you have any questions about email deliverability or interested in a trial to understand how your DMARC policy is looking, feel free to reach out at

Related Articles

The State of the Newsletter Economy in 2024

The State of the Newsletter Economy in 2024

“Newsletter is a generic, tired word” – that’s how Drew Price, Grammarly’s first Head of Product Marketing & Brand lead, started a recent post he shared on LinkedIn.   “Not everyone can create a flagship concept that serves as a core product experience and...

The Monster Guide to Sending Frequency

The Monster Guide to Sending Frequency

Email can seem like a powerful elixir to boost sales. For some in your company, it might seem like more sending = more revenue. But striking the right cadence or sending frequency is actually a little more nuanced if you want to protect deliverability and the bottom...