How can DMARC prevent domain spoofing?

DMARC tells receiving servers what to do with messages failing authentication that claim to be from your domain. Enforcement policies (quarantine or reject) prevent spoofed messages from reaching recipients.

Prevention mechanism: when someone tries to send as your domain without authorization, their message fails **SPF** (wrong server) or **DKIM** (no valid signature). **DMARC policy** instructs receivers to quarantine or reject these failures rather than delivering them.

Effectiveness requires enforcement. **DMARC** policies of **p=none** monitor but don't prevent **spoofing**. Only **p=quarantine** or **p=reject** actively protect. Move toward enforcement after monitoring shows legitimate sends are properly authenticated.