For an email message to be considered DMARC-compliant, the domain found in the “From:” header must match the domain validated by SPF or the source domain found in a valid DKIM signature. If the domains match and at least one of the two mechanisms succeeds verification, receivers can safely say that the email legitimately comes from the specified domain.
* If SPF or DKIM is absent, that individual check fails, leaving only the other to produce a pass. If both SPF and DKIM are absent, DMARC fails automatically.
A DMARC policy allows a domain owner to indicate that their messages are protected by SPF and/or DKIM and tells the recipient what to do if neither is verified on a particular piece of email, such as marking it as junk mail or rejecting delivery of the message. Domain owners can set their DMARC policy (referred to as “p=”) to determine what is done to non-compliant email:
* Monitoring (p=none): no impact on mail flows (only DMARC feedback is collected)
* Quarantine (p=quarantine): messages that fail DMARC are quarantined (e.g. moved to the spam folder)
* Reject (p=reject): messages that fail DMARC are rejected (the mail is not accepted at all)
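
The evaluation described above, as an added example that is not code from the original page: a message is compliant when SPF or DKIM passes for the same domain as the “From:” header, and the published policy decides what happens otherwise. The names `AuthResult`, `aligned` and `dmarc_disposition` are hypothetical, the exact case-insensitive domain comparison is an assumption of this example, and the sample messages are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthResult:
    passed: bool   # did the mechanism verify?
    domain: str    # SPF-validated domain, or source domain of the DKIM signature


def aligned(from_domain: str, result: Optional[AuthResult]) -> bool:
    """True if the mechanism passed for the same domain as the From: header."""
    if result is None or not result.passed:   # absent or failed mechanism
        return False
    # Assumption of this example: exact, case-insensitive match.
    return result.domain.lower().rstrip(".") == from_domain.lower().rstrip(".")


def dmarc_disposition(from_domain: str, spf: Optional[AuthResult],
                      dkim: Optional[AuthResult], policy: str) -> Tuple[bool, str]:
    """Return (compliant, action); action is deliver, quarantine or reject."""
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    if policy not in actions:
        raise ValueError(f"unknown DMARC policy: {policy!r}")
    compliant = aligned(from_domain, spf) or aligned(from_domain, dkim)
    return compliant, "deliver" if compliant else actions[policy]


# Constructed sample messages: (From: domain, SPF result, DKIM result, p=)
SAMPLES = [
    # SPF passes for the From: domain, DKIM absent: compliant.
    ("example.com", AuthResult(True, "example.com"), None, "reject"),
    # SPF passes, but for a different domain: the pass does not count.
    ("example.com", AuthResult(True, "bulk-sender.example.net"), None, "reject"),
    # SPF fails, DKIM passes for the From: domain: one success is enough.
    ("example.com", AuthResult(False, "example.com"),
     AuthResult(True, "Example.COM"), "quarantine"),
    # Both mechanisms absent: automatic fail, the policy decides the action.
    ("example.com", None, None, "quarantine"),
    ("example.com", None, None, "none"),
]

if __name__ == "__main__":
    for from_domain, spf, dkim, policy in SAMPLES:
        print(from_domain, f"p={policy}", dmarc_disposition(from_domain, spf, dkim, policy))
```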