Glossary

DMARC

Domain-based Message Authentication, Reporting and Conformance — the policy layer above SPF and DKIM.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a DNS-based policy that tells receiving mail servers what to do when SPF or DKIM checks fail for messages claiming to be from your domain: do nothing (p=none), quarantine (p=quarantine), or reject (p=reject). DMARC records also specify where to send aggregated reports (rua=) and forensic reports (ruf=) so domain owners see who's sending mail on their behalf. Best practice: start at p=none for monitoring, fix any legitimate senders that fail, then escalate to p=quarantine and eventually p=reject. Major providers (Gmail, Yahoo) now require DMARC for bulk senders.
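A small linter for the record described above, as an added example that is not part of the original glossary: it parses the `v=`, `p=`, `rua=` and `ruf=` tags of a DMARC TXT value and flags records that don't fit the staged rollout. The sample records and the example.com mailboxes are constructed, and the function names are illustrative.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records; example.com is a placeholder domain.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:fx@example.com!10m"
BLIND = "v=DMARC1; p=reject;"


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    # The version tag must come first and be exactly DMARC1 (RFC 7489).
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def report_addresses(tags, name):
    """Return the mailto: mailboxes listed in rua= or ruf=."""
    out = []
    for uri in tags.get(name, "").split(","):
        uri = uri.strip().split("!", 1)[0]  # drop optional size limit, e.g. !10m
        if uri.lower().startswith("mailto:"):
            out.append(uri[len("mailto:"):])
    return out


def lint(txt):
    """Return (policy, findings) for one record."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in VALID_POLICIES:
        findings.append(f"p={policy or '<missing>'} is not none/quarantine/reject")
    if not report_addresses(tags, "rua"):
        findings.append("no rua= mailbox: aggregate reports are not collected")
        if policy in ("quarantine", "reject"):
            findings.append("enforcing without reports: failing legitimate senders go unseen")
    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    return policy, findings
```
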