Why DMARC actually matters in 2026
Since February 2024, Google, Yahoo and Microsoft enforce DMARC on bulk senders. If you send more than 5,000 messages a day to any of them, you need a DMARC record — and crucially, the senders you're authorising have to align. Without alignment your transactional emails land in spam, your password resets bounce, and your customers complain that "your service is broken."
The other half of the story is impersonation. Email envelope-from is forgeable by design. DMARC is what lets your customers' mail server bounce a spoofed "CEO wire transfer" message before it ever shows up in an inbox. Every Fortune 500 brand has DMARC at p=reject. Most small businesses don't, which is exactly why phishing campaigns target them.
SPF, DKIM, DMARC — the three-minute version
Three separate standards. They don't replace each other, they layer.
SPF (Sender Policy Framework)
A TXT record listing which IP addresses are allowed to send mail from your domain's envelope-from. When a receiver gets a message, it checks the envelope and confirms the source IP appears in your SPF record. Pass or fail. Trivially broken by forwarding — every mailing list breaks SPF.
DKIM (DomainKeys Identified Mail)
A cryptographic signature over the message body and selected headers, validated against a public key in DNS. Survives most forwarding (the signature stays attached). Doesn't survive content modification — some mailing lists tag subject lines and break DKIM that way.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
The policy layer that ties the other two together. DMARC says: "if a message claims to be from my domain in the From: header, then SPF or DKIM must align with that From: domain — otherwise apply this policy." DMARC also gives you the reporting piece — that's the daily XML aggregate you see on DMARCify's dashboard.
Alignment — the bit that trips everyone up
SPF can pass and DMARC can still fail. DKIM can pass and DMARC can still fail. The thing that matters is alignment: the domain that SPF or DKIM authenticated has to match (or be a subdomain of) the From: header domain — the one your user sees.
Example: SendGrid signs your message with DKIM using their own domain, d=sendgrid.net. Your From: says noreply@acme.com. SPF and DKIM both pass — but neither aligns with acme.com. DMARC fails. Receivers apply your policy.
The fix is "DKIM signing with a custom domain" (every ESP supports it). Once that's enabled, DKIM signs with d=acme.com, alignment works, and DMARC passes.
How to roll DMARC out safely
Don't jump to p=reject. You will block your own mail.
- Start with p=none. Monitor only. Nothing breaks. You'll get reports.
- Wait 7–14 days. Read DMARCify's dashboard. Every legitimate sender (your ESP, your CRM, your monitoring service) should show 99–100% SPF or DKIM aligned.
- Fix the misaligned ones. Usually means: enable DKIM signing with a custom domain on each tool, add the right SPF includes, or switch the From: header to a domain you actually own.
- Move to p=quarantine; pct=10. Quarantine 10% of failing mail. Watch for another week.
- Ramp pct to 100 over 2–3 weeks. If nothing important breaks, switch to p=reject.
The whole rollout is typically 4–6 weeks for a clean estate. Longer if you have legacy tooling spraying mail from random vendors — DMARC has a way of uncovering forgotten integrations.
What about forwarders?
Forwarders break SPF (the source IP is now the forwarder's, not yours). They usually preserve DKIM. DMARC's "either passes is enough" rule was designed for exactly this case — but you still see failures in your reports because SPF failed.
DMARCify automatically detects this pattern (DKIM aligned + SPF broken) and groups those senders into a "Forwarded mail" bucket. Tools that don't do this show you a long list of "failing" IPs that are actually fine.
BIMI is the icing on the cake
Once you're at p=reject (or quarantine with pct=100), you can publish a BIMI record — Brand Indicators for Message Identification. This is what makes your logo appear next to your messages in Gmail and Apple Mail. It requires a Verified Mark Certificate from a CA. DMARCify's BIMI assistant (shipping this quarter) walks you through it.