How it works
You publish a DMARC record in DNS with a policy of none (monitor only), quarantine, or reject. Receiving servers check whether a message passes SPF or DKIM and is aligned with your domain, then apply your policy and send you aggregate reports. Moving from monitor to reject is what actually blocks spoofed mail.
DMARC protects your exact domain, but not lookalike domains, which is its main limitation.
How it relates to brand impersonation
DMARC shuts the door on direct spoofing of your domain, which pushes attackers toward lookalike domains instead. That is exactly the gap domain monitoring and takedowns fill.
How nebty helps
DMARC is yours to deploy on your domain, and our email spoofing guide explains how. nebty covers the part DMARC cannot: the lookalike domains attackers fall back to once your real domain is locked down.
Getting to an enforcing policy
A DMARC record is only as useful as its policy, and most domains stall before the policy does anything. You start at p=none, which monitors and reports but blocks nothing, so you can see every legitimate service that sends as you: your mail provider, your invoicing tool, your marketing platform. The work is bringing each of those into SPF and DKIM alignment, then moving the policy to quarantine and finally reject, the only setting that actually stops a spoofed message. Many organisations get stuck at none for years and gain no protection. Two cautions: enforcement only covers your exact domain, not lookalikes, and a sloppy rollout can break legitimate mail, so use the aggregate reports to verify before you tighten. Once your own domain is locked, lookalike sender domains are the remaining gap, and that is monitoring territory.