How can DMARC prevent domain spoofing?
DMARC tells receiving servers what to do with messages failing authentication that claim to be from your domain. Enforcement policies (quarantine or reject) prevent spoofed messages from reaching recipients.
Prevention mechanism: when someone tries to send as your domain without authorization, their message fails SPF (wrong server) or DKIM (no valid signature). DMARC policy instructs receivers to quarantine or reject these failures rather than delivering them.
Effectiveness requires enforcement. DMARC policies of p=none monitor but don't prevent spoofing. Only p=quarantine or p=reject actively protect. Move toward enforcement after monitoring shows legitimate sends are properly authenticated.