A policy that tells receivers what to do when SPF/DKIM fail, and reports who’s sending as your domain. It ties authentication to alignment.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is published as a DNS TXT record at _dmarc.yourdomain.com. It builds on SPF and DKIM, adding two things they lack on their own: a stated policy for failures, and aggregate reports that show who is sending mail under your domain.
Alignment is the key idea
SPF and DKIM each authenticate a domain, but not necessarily the one a person sees in the From: field. DMARC requires alignment: it passes only when an authenticated domain matches the visible From: domain. DKIM aligns when the signature’s d= domain matches; SPF aligns when the envelope sender (the Return-Path) matches. A message passes DMARC if at least one of SPF or DKIM both passes and aligns. This is what closes the gap spammers exploit — a message can pass plain SPF or DKIM on some unrelated domain while still spoofing your From: address, and alignment is what rejects it.
How to roll it out
p=none — monitor only; receivers take no action but send you reports. Start here.
p=quarantine — failing mail is treated as suspicious, usually routed to spam.
p=reject — failing mail is refused outright. The end goal once you’re confident.
Read the aggregate (RUA) reports first, fix every legitimate sender so it aligns, then ratchet the policy up. For example, a team running support mail through a new provider stays at p=none until the reports confirm those messages align, then moves to quarantine and reject without risking real mail.
How Cherryrise fits in
Because Cherryrise signs replies with BYODKIM under your own domain, its outbound mail aligns for DKIM — so it keeps passing even under a strict p=reject policy. The end-to-end setup is in the deliverability guide, and the three records are compared in SPF, DKIM and DMARC explained.