The short version.
When you send an email from your company, the person receiving it has no built-in way to verify it actually came from you. Anybody can send an email that says it's from jake@yourcompany.com. The "From" field in an email works like the return address on an envelope. Write whatever you want there. The post office delivers it anyway.
DMARC lets you publish a rule in your domain's DNS that says "here's how to check if an email from my domain is real, and here's what to do if it's fake." The acronym stands for Domain-based Message Authentication, Reporting and Conformance. You will never need to remember that.
Because right now, someone can send your customers an email that looks exactly like it came from you. Your name, your domain, your logo in some inboxes. The email says "your invoice is attached" or "please update your payment method" and links to a fake login page. Your customer enters their password. Their money is gone. Your phone rings.
You didn't send the email. You didn't know it happened. Without DMARC, nobody tells you when someone uses your address.
Three pieces work together. You don't need to understand the mechanics. SendCanary handles all of this. But if you're curious, here's what's happening under the hood.
Authorized senders (SPF) is a list of services allowed to send email as your domain. Google Workspace, Mailchimp, whatever you use. When an email arrives claiming to be from you, the receiving server checks whether the server that sent it appears on the approved list.
Email signing (DKIM) attaches a digital signature to each email you send. The receiving server checks the signature against a public key in your DNS. If the signature matches, the email is untampered and came from an authorized source.
The policy (DMARC) ties the other two together. It tells receiving servers what to do when an email fails both checks. Three settings:
p=none lets everything through but sends you reports about who's sending as your domain. Nothing changes about your email delivery. You're just watching. This is where you start.
p=quarantine marks failing emails as suspicious. They might land in spam. Most people skip this step entirely.
p=reject kills fake emails before they reach your customer's inbox. This is where you want to end up.
Google and Yahoo started requiring DMARC in 2024. If your domain doesn't have a DMARC record, your legitimate emails can end up in spam or get bounced entirely. Microsoft followed with similar requirements.
Before 2024, DMARC was a best practice. Now it's table stakes. If your emails are landing in spam or bouncing, a missing or broken DMARC record is probably why.
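The policy decision described above, seen from the receiving server's side, as an added example that is not SendCanary's code. The records, the example.net and example.org domains, the result labels and the simplified domain-match rule are constructed assumptions; it shows why a spoofed message that passes SPF for someone else's domain still fails, and what each policy then does with it.

```python
# Added example: receiver-side DMARC decision on constructed records and results.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None  # e.g. an SPF record published at the wrong name
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    return tags if tags["p"] in VALID_POLICIES else None

def aligned(auth_domain, from_domain):
    """Simplified alignment (assumption): the authenticated domain is the From
    domain or a subdomain of it. Real receivers use the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)

def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) pairs taken from the receiver's checks."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    # One passing check is enough, but only if its domain matches the From domain.
    if any(ok and aligned(dom, from_domain) for ok, dom in (spf, dkim)):
        return "deliver"
    return {"none": "deliver+report", "quarantine": "spam", "reject": "reject"}[tags["p"]]

# Constructed sample data.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com"
# Spoof: SPF passes, but for the sender's own domain, and there is no signature.
SPOOF = dict(from_domain="yourcompany.com", spf=(True, "bulk.example.net"), dkim=(False, ""))
# Newsletter: bounce domain belongs to the service, DKIM signs as yourcompany.com.
NEWSLETTER = dict(from_domain="yourcompany.com", spf=(True, "bounce.example.org"),
                  dkim=(True, "yourcompany.com"))

if __name__ == "__main__":
    for name, msg in (("spoof", SPOOF), ("newsletter", NEWSLETTER)):
        for rec in (MONITOR, REJECT):
            print(name, rec.split(";")[1].strip(), "->", disposition(rec, **msg))
```

The newsletter case survives p=reject only because its signature uses the company's own domain, which is the per-sender check to finish before moving off p=none.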
An entire industry makes money keeping it that way.
DMARC is three DNS records. You add them once. You watch reports for a few weeks to make sure your legitimate senders pass the checks. Then you set your policy to reject and you're done. The configuration is permanent unless you change how you send email.
That should take an afternoon. The DMARC vendors turned it into a six-month engagement. They charge $200-2,000/year for dashboards that visualize XML reports, historical trend charts nobody reads, subdomain policy matrices, "AI-powered threat intelligence" that amounts to a blocklist lookup with a globe graphic, and certification academies that teach you this stuff is complicated enough to require formal education.
It's bullshit. The complexity keeps you subscribed. If the product got you to reject in 60 days and then charged $10/month to keep watch, they'd lose most of their revenue. So the product stays complex, the journey stays long, and you keep paying.
You enter your domain. We scan it, detect your DNS provider and email provider, and show you what's missing. If your DNS provider supports one-click setup, one click handles it. If not, we give you the exact records to copy-paste and verify instantly.
We watch your reports for a week or two. We identify who's sending as your domain and show them to you by name. You confirm they're yours. We check that every sender will survive enforcement. If your newsletter service needs email signing configured, we tell you exactly what to do and link you to the right page in their admin console.
When everything checks out, you click one button. Your policy moves to reject. Fake emails stop reaching your customers. Your logo shows up in supported inboxes.
$249 for the first year. $10/month after that. Unlimited domains.