What is DMARC?
DMARC is an email authentication protocol used to help prevent forgeries and spoofing. DMARC extends two other email authentication protocols, DKIM and SPF, and allows an administrator to specify which of those protocols is used for a given domain, so that spoofed, forged, and unauthorized emails can be blocked or quarantined.
You can read all about DMARC in this Wikipedia article.
Another one? Aren't SPF and DKIM enough?
I'm afraid that they are not. They help with making sure emails aren't modified in transit and that they come from servers with permission to send for a domain, but neither of them is able to specify that those particular types of authentication are required. So if one or both are missing, then the receiving email filters cannot tell if that's on purpose or if it's because of a forgery.
DMARC looks at the results of the SPF and DKIM checks.
In order for DMARC to pass, neither SPF nor DKIM may fail, and at least one of the two must show proper identifier alignment. Identifier alignment is where the domain name in the "From:" header matches the domain in the DKIM signature, or the domain name in the SMTP Envelope sender matches the SPF records for the domain.
First, be sure you've set up SPF and DKIM!
Done doing SPF and DKIM? Here's what you need to do - another DNS record:
A DMARC record is a TXT record - just like DKIM and SPF use.
A very simple DMARC record might look like this:
_dmarc.<domain> TXT v=DMARC1; p=reject;
There's a lot more you can do with DMARC, if you want. The p (policy) tag can be "quarantine", "reject" or "none". You can apply the DMARC restrictions to a percentage of your mail, with something like "pct=50". You can have reports sent to a reporting address ("ruf=mailto:firstname.lastname@example.org").
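To check a record before publishing it, the tags described above can be parsed and linted. This is an added example, not code from the original article; the function names `parse_dmarc` and `lint_dmarc` are hypothetical and the sample records are constructed.

```python
# Added example: lint a DMARC TXT record value using the tags discussed above.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value;' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty piece
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return a list of problems found; an empty list means none were found."""
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        issues.append("record must start with v=DMARC1")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        issues.append("p must be none, quarantine or reject")
    elif policy == "none":
        issues.append("p=none requests no action on failing mail")
    pct = tags.get("pct", "100")  # an absent pct means the policy covers all mail
    if not (pct.isdecimal() and int(pct) <= 100):
        issues.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100:
        issues.append(f"policy applies to only {pct}% of failing mail")
    for addr in tags.get("ruf", "").split(","):
        addr = addr.strip()
        if addr and not addr.lower().startswith("mailto:"):
            issues.append(f"ruf address is not a mailto: URI: {addr}")
    return issues

# Constructed sample records, not taken from any real domain
SAMPLES = ["v=DMARC1; p=reject;", "v=DMARC1; p=none; pct=50", "p=reject; v=DMARC1"]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec) or "ok")
```

The linter only checks the record's syntax and policy strength; it does not query DNS or evaluate SPF and DKIM results.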
If you'd like pretty reports of failures and the like, you can use a service like Dmarcian. It's mostly used by large outbound senders, and those with security needs, like banks and financial institutions.
And while you're at it, why not set up an ADSP record too?
_adsp._domainkey.domain.com. IN TXT "dkim=all"
So give it a try - it won't do much for your outbound mail, but it helps clean up your inbound mail, and that's always a good thing.