What is this
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do with messages that fail SPF and/or DKIM. The record sits as TXT at _dmarc.yourdomain.com. Policy is none, quarantine, or reject.
Why it matters
Without DMARC, attackers can keep spoofing mail despite SPF and DKIM. With reject your domain is actively protected and you get aggregate reports on who is sending in your name.
How to fix it
TransIP: In DNS, add TXT at _dmarc with v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s. Start at p=none if you still need observation data.
CloudFlare: DNS > Records > TXT, name _dmarc, content v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com. Set aspf=s; adkim=s for strict alignment.
Strato or Antagonist: TXT record at host _dmarc with the same syntax. Make sure the rua address exists and can receive mail.
Other: Add a TXT at _dmarc.<domain>. Begin with p=none, monitor aggregate reports for 1 to 2 weeks, then move to quarantine and finally reject.
Verify
dig TXT _dmarc.yourdomain.com +short. Check a Gmail header test or use DMARC Analyzer Inspector. Within a week confirm rua reports are arriving.