DMARC stops one specific and dangerous class of phishing: mail that forges your exact domain in the From address. When you publish p=reject, a message claiming to come from billing@yourdomain.com that was not sent through your authorized infrastructure gets rejected at the receiving server before it reaches an inbox. That closes the door on classic domain spoofing and a large share of CEO-fraud. But DMARC only checks the domain in the visible From header, so it does nothing about lookalike domains, display-name spoofing, or phishing sent from a mailbox the attacker has already broken into.
The honest answer is that DMARC is necessary and powerful, but it is one layer. Below is exactly what it blocks, what it misses, and the complementary control for each gap so you can build real coverage instead of a false sense of safety.
What DMARC actually blocks
DMARC ties three things together: SPF, DKIM, and a policy that tells receivers what to do when neither SPF nor DKIM produces a pass that is aligned with your From domain. Alignment is the key idea. A message passes DMARC only when the domain that passed SPF (the envelope sender domain) or DKIM (the signing domain in the signature's d= tag) matches the domain in the From header the recipient sees. That match is what forgers cannot fake without access to your DNS or your DKIM private key.
Exact-domain spoofing
This is the attack DMARC was built for. Someone sends mail with From: ceo@yourdomain.com from a random server they control. Without DMARC, many receivers deliver it because SPF alone checks the hidden envelope sender, not the visible From. With p=reject, the receiver sees no aligned pass and drops the message. This is the single biggest win, and it is the reason that stopping email spoofing of your domain starts with DMARC.
CEO-fraud that forges your address
A lot of business email compromise relies on making the From line read as your real executive at your real domain. When the forged address is an exact match for your domain, DMARC at enforcement blocks it. This is a meaningful chunk of wire-fraud attempts, and it is free to shut down.
Malware and credential-harvest campaigns using your brand's domain
Bulk phishing runs that spray messages spoofing your domain to your customers or partners get filtered at scale once you enforce. That protects your recipients and your sending reputation at the same time.
What DMARC does not stop
Here is where teams get burned. DMARC checks the From domain and nothing else. Every attack that avoids forging your exact domain sails straight past it.
Lookalike and cousin domains
An attacker registers yourd0main.com, yourdomain-support.com, or yourdornain.com (with rn replacing m) and sends from it. DMARC on yourdomain.com never even evaluates this mail, because the message genuinely comes from a different domain the attacker controls and can authenticate. To your DMARC record, that domain is simply not yours.
The complementary control is defensive registration of the closest typo variants, brand monitoring that watches for newly registered lookalikes, and recipient-side filtering that scores unfamiliar domains. BIMI and a verified logo also help here indirectly: once recipients learn to expect your logo on authenticated mail, a lookalike with no logo looks wrong.
Display-name spoofing
The From header has two parts: a display name and the actual address. An attacker sends From: "Your CEO" <attacker@gmail.com>. The address is a real Gmail account that passes DMARC for gmail.com, so nothing fails. The victim sees only "Your CEO" in most mail clients. DMARC has no opinion about display names.
The complementary control is at the mailbox provider and gateway: display-name impersonation rules that flag internal executive names arriving from external domains, plus user training to check the actual address.
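One way to implement the gateway rule just described, as an added example that is not the article's or any vendor's code: a small Python check that flags a From header whose display name matches a protected executive (or shows an internal-looking address) while the real sender domain is external. The executive list, internal domains and sample headers are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Optional
import re
import unicodedata

INTERNAL_DOMAINS = {"yourdomain.com"}       # assumption: your own sending domains
PROTECTED_NAMES = {"jane doe", "sam lee"}   # assumption: executives worth protecting

def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation, collapse whitespace so that
    'J\u00e1ne  DOE (CFO)' becomes 'jane doe cfo' and can be compared."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", ascii_name.lower()).split())

def flag_display_name(from_header: str) -> Optional[str]:
    """Return a reason when the visible name points at someone internal but the
    real address is external; None when the header looks fine."""
    display, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    if not sender_domain or sender_domain in INTERNAL_DOMAINS:
        return None                         # internal sender: DMARC already covers it
    # Variant 1: the display name is itself an internal-looking address
    if "@" in display and display.rpartition("@")[2].strip().lower() in INTERNAL_DOMAINS:
        return f"display name shows an internal address but sender is {sender_domain}"
    # Variant 2: the display name matches a protected person
    norm = normalize(display)
    for name in PROTECTED_NAMES:
        if name in norm:                    # substring also catches "Jane Doe (CEO)"
            return f"display name matches '{name}' but sender is {sender_domain}"
    return None

def scan(headers) -> dict:
    """Apply the rule to a batch of From headers and return the flagged ones."""
    flagged = {}
    for header in headers:
        reason = flag_display_name(header)
        if reason:
            flagged[header] = reason
    return flagged

SAMPLE_FROM_HEADERS = [                                   # constructed examples
    '"Jane Doe" <jane.doe@yourdomain.com>',               # legitimate internal mail
    'Jane Doe <urgent.request@gmail.com>',                # classic display-name spoof
    '"jane.doe@yourdomain.com" <x@attacker.example>',     # address used as the name
    '"Sam  LEE (CFO)" <sam.lee@outlook.example>',         # spacing and title variant
    'Newsletter <news@vendor.example>',                   # unrelated external mail
]
```

Note that the legitimate internal header is left alone on purpose: mail that really comes from your domain is the case DMARC already authenticates, so the rule only fires on external senders.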
Compromised-account phishing
If an attacker phishes one of your employees, steals the password, and logs into the real mailbox, their outbound mail passes SPF, DKIM, and DMARC perfectly, because it is genuinely being sent through your authorized system. DMARC authenticates the domain, not the intent. This is the hardest gap and the reason account takeover is so valuable to attackers.
The complementary controls are multi-factor authentication, impossible-travel and anomaly detection, and phishing-resistant login for the accounts themselves. DMARC cannot see inside an authenticated session.
Inbound phishing you receive
DMARC on your domain protects other people from mail forged as you. It does not protect your employees from phishing that arrives in their inboxes from other domains. That is the job of your inbound gateway, link rewriting, sandboxing, and attachment scanning.
The yes / no matrix
| Attack | Does DMARC (p=reject) stop it? | Control that closes the gap |
|---|---|---|
| Exact-domain From spoofing | Yes | DMARC itself |
| CEO-fraud forging your domain | Yes | DMARC itself |
| Bulk phishing spoofing your domain | Yes | DMARC itself |
| Lookalike / cousin domain | No | Defensive registration, brand monitoring, BIMI |
| Display-name spoofing | No | Gateway impersonation rules, user training |
| Compromised-account sending | No | MFA, anomaly detection, phishing-resistant auth |
| Inbound phishing from other domains | No | Inbound gateway filtering, sandboxing |
The pattern is clear. DMARC owns the "someone forged our exact domain" column completely, and owns none of the others. Both facts matter.
Getting DMARC to the point where it stops anything
DMARC only blocks at p=reject or, partially, at p=quarantine. A record of p=none is monitoring only and stops zero phishing; it just collects reports. Many domains publish p=none and never move, which means they get the visibility but none of the protection. The full progression is covered in DMARC policy: none vs quarantine vs reject.
A working enforcement record looks like this:
```text
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; fo=1
```
Before you set p=reject, make sure every legitimate sending source passes with alignment, or you will block your own mail. That means correct SPF and DKIM, then a staged rollout described in how to set up DMARC. Rushing to reject before your sources are aligned is the most common way teams break invoices, newsletters, and helpdesk replies.
Alignment is what makes it real
A message can pass raw SPF and still fail DMARC if the SPF domain does not align with the From domain. Strict alignment (adkim=s; aspf=s) is the tightest posture and prevents subdomain tricks, but relaxed alignment is fine for most senders. The point is that a bare SPF pass is not a DMARC pass, and only DMARC alignment gives you the anti-spoofing guarantee.
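The alignment logic above, as an added example that is not part of the original article: a small Python evaluator that parses the enforcement record shown earlier and returns a DMARC result for each scenario discussed (exact-domain spoof, display-name spoof from a real Gmail mailbox, a subdomain DKIM signature under strict versus relaxed adkim). The organizational-domain shortcut, the helper names and every domain are assumptions, not a receiver's real implementation.

```python
from typing import Optional, Tuple

# Constructed example record; mirrors the enforcement record shown on the page.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; fo=1"

def parse_dmarc(record: str) -> dict:
    """Split the record into tags, filling DMARC defaults (relaxed alignment, p=none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Last two labels as the org domain; assumption, real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match with the From domain; relaxed ('r')
    accepts any domain under the same organizational domain."""
    if not auth_domain:                   # that check did not even pass raw
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_domain: Optional[str],
             dkim_domain: Optional[str]) -> Tuple[str, str]:
    """spf_domain / dkim_domain: the domain that produced a raw SPF / DKIM pass,
    or None if that check failed. Returns (result, disposition)."""
    tags = parse_dmarc(record)
    if (aligned(spf_domain, from_domain, tags["aspf"])
            or aligned(dkim_domain, from_domain, tags["adkim"])):
        return ("pass", "deliver")
    return ("fail", tags["p"])            # no aligned pass: apply the policy

def scenarios() -> dict:
    """The article's cases as (From domain, SPF-passing domain, DKIM-passing domain)."""
    relaxed = RECORD.replace("adkim=s", "adkim=r")
    return {
        # forged From sent from the attacker's own server: nothing aligns
        "exact_spoof": evaluate(RECORD, "yourdomain.com", "attacker.example", None),
        # display-name spoof from a real Gmail mailbox: gmail.com aligns, DMARC passes
        "display_name": evaluate(RECORD, "gmail.com", "gmail.com", "gmail.com"),
        # signature from a subdomain: fails under adkim=s, passes under adkim=r
        "strict_sub": evaluate(RECORD, "yourdomain.com", None, "mail.yourdomain.com"),
        "relaxed_sub": evaluate(relaxed, "yourdomain.com", None, "mail.yourdomain.com"),
    }
```

The "display_name" case is the one to notice: the message passes cleanly because gmail.com aligns with itself, which is exactly why DMARC has nothing to say about the name shown next to the address.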
Where DMARC fits in layered defense
Think of it as three concentric rings. DMARC secures the outermost ring: it stops the world from impersonating your exact domain. Domain monitoring and defensive registration handle the next ring of lookalikes. Account security, gateway filtering, and user awareness handle the inner ring where the attacker no longer needs to forge you at all.
Deploy DMARC first because it is free, high-impact, and required by Google and Yahoo bulk sender rules. Then layer the rest. A domain at p=reject with MFA on every mailbox and a gateway that flags display-name impersonation covers the vast majority of real-world phishing that targets or abuses your organization. Skipping any one ring leaves an obvious hole.
Frequently asked questions
Does DMARC stop all phishing?
No. It stops phishing that forges your exact domain in the From address once you set p=reject. It does not stop lookalike domains, display-name spoofing, or phishing from a compromised account, because those either use a different domain or a genuinely authenticated one.
Is p=none enough to protect against spoofing?
No. p=none is monitoring only. It tells receivers to take no action and simply sends you reports. Attackers who forge your domain still reach inboxes. You only get protection at p=quarantine or p=reject.
Can attackers still spoof my brand with DMARC at reject?
Yes, by not spoofing your exact domain. They register a similar-looking domain or put your name in the display field while sending from their own address. DMARC never evaluates those, so you need domain monitoring and gateway impersonation rules to cover them.
Does DMARC protect my employees from incoming phishing?
Not directly. DMARC on your domain protects other people from mail forged as you. Inbound protection for your staff comes from your mail gateway, link and attachment scanning, and MFA, not from your own DMARC policy.