You know how when you send a letter in the physical mail, there’s nothing preventing you from just… writing a different return address on the envelope? For example, I could send you a Christmas Card, but write address of Disney Land for my return address on the envelope. That letter will go through the postal system and arrive in your mailbox just fine. In this case, you may or may not notice my joking return address. But you can imagine a scenario where this is more sinister, for example if I wrote that you’d won a drawing for a free stay at Disney Land — I just need your personal details to get you the tickets. Then, it would become crucial for you to notice that this letter is a fake.
It turns out, it’s just as easy to write a different “return address” on an email, and represent yourself as someone else. To combat this, a system called DMARC came into being. DMARC instructs email inboxes that they shouldn’t believe any email actually came from you unless they metaphorically take that letter, go over to the return address, knock on the door, hold up the letter and say “Did you really personally send this?” Just like that, spoofers and spammers can no longer pretend to be you when they write their scam letters.
But there are some complications that can occur with DMARC. Think about how many locations emails “from you” are sent from — your email inbox, of course, but very likely you also have a website contact form that sends you messages utilizing your domain as a return address. You also very likely have an email list managed by an email campaign software like MailChimp or ConstantContact. Integrating with these services with DMARC enabled requires the help of a dev, because when DMARC gets a message from MailChimp that says it was sent from you, it will throw it out unless Mailchimp’s address is also on file as a door it should knock on to double check with.
Once set up, DMARC will always know that MailChimp emails are valid to accept as being from you, but if you ever wish to change email campaign services, or validate another source to send emails on your behalf, you will need to get a dev briefly involved to update your DMARC records for you.
In truth, most one person businesses opt not to use DMARC, preferring the ease of integrating with new email services and calculating that because of the size and type of their business, most spammers will find it isn’t worth their time to try and pretend to be them.
However, no matter your size — if you have a website where people can create an account or otherwise store personal information, you shouldn’t hesitate to set up DMARC, as you do not want anyone pretending to be your website and asking people to validate their login details!