RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC)
ELI5: DMARC builds on SPF and DKIM: it tells receivers what to do with mail that fails authentication and sends you reports. It also checks that the authenticated domain lines up with the visible From: — and a subdomain aligns with your root domain.
Why This RFC Exists
SPF and DKIM each authenticate a domain, but nothing tied them to the visible From: address or told receivers how to act on failures. DMARC does both.
Alignment and policy
DMARC passes when SPF or DKIM passes and the authenticated domain aligns with the From: domain. A published policy (p=none|quarantine|reject) tells receivers how to treat failures, and aggregate reports show you who's sending as you.
Why subdomains still align
Under relaxed (organizational) alignment, a sending subdomain like mtg.example.com aligns with a From: address at example.com, so mail authenticated as the subdomain passes DMARC under the policy published on example.com. You get the deliverability of a dedicated subdomain while keeping your root-domain From:.
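The alignment check and policy decision described in the two sections above, as an added Python example (not code from RFC 7489 or from this page). The function names, the sample domains and the small PUBLIC_SUFFIXES set are assumptions for illustration; real receivers derive the organizational domain from the full Public Suffix List, and the sp= subdomain policy tag is not handled here.

```python
# Constructed stand-in for the Public Suffix List (assumption: real receivers
# use the full list to find the organizational domain).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(auth_domain, from_domain, mode):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def evaluate(from_domain, spf, dkim, record_txt):
    """spf and dkim are (result, authenticated_domain) tuples.

    Returns 'pass', or the disposition the policy requests for a failure.
    """
    tags = parse_record(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"  # constructed
    cases = [
        # DKIM signed by the sending subdomain: aligned under relaxed mode.
        (("fail", "bounce.esp.net"), ("pass", "mtg.example.com")),
        # Lookalike domain authenticates fine but does not align.
        (("pass", "example.com.evil.net"), ("pass", "example.com.evil.net")),
    ]
    for spf, dkim in cases:
        print(dkim[1], "->", evaluate("example.com", spf, dkim, record))
```

Adding adkim=s or aspf=s to the record switches that mechanism to strict alignment, at which point mtg.example.com no longer aligns with a From: at example.com.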
Practical guide
For the hands-on setup, see Why you should use a subdomain for sending email.