How can DMARC reduce fake “from yourself” ransom emails?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably seen it. An email lands in your inbox, and the sender address is... yours. "I hacked your account," it says. "I have your passwords. Send Bitcoin or else." It's creepy, and it's designed to be. But here's the thing: that email didn't actually come from you. A scammer just faked your address in the "From" field.
This is called spoofing, and DMARC is one of the best tools for stopping it before it reaches anyone's inbox.
How DMARC blocks these fakes
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when an email claims to be from your domain but fails authentication checks. Those checks come from SPF and DKIM. Think of them as your domain's signature on every outgoing email. A spoofed ransom message sent from a scammer's server won't carry that signature, so it fails the checks.
When you have a DMARC policy set to quarantine or reject, the receiving server knows exactly what to do with that failure. Quarantine sends the email to spam. Reject drops it entirely. The fake "from yourself" email never makes it to the inbox.
But a none policy (the starting point most people use while setting things up) only monitors and reports. It doesn't block anything yet. That's fine early on, but it won't protect your recipients from spoofed messages until you move to enforcement.
The big catch: your domain has to have DMARC first
DMARC only protects your domain if you've published a DMARC record. If you're on a personal email address at a domain with no DMARC record (or one stuck at p=none), these spoofed ransom emails can still land. The receiving server has nothing to enforce.
Large providers like Gmail and Outlook have their own anti-spoofing filters that catch a lot of this, even without strict DMARC on your side. But if you own a domain, there's no good reason not to set up DMARC properly.
Before you flip to enforcement
Now one real risk worth knowing: if you switch your DMARC policy to reject before you've confirmed all your legitimate email sources are properly authenticated, you can accidentally block your own emails. Marketing platforms, CRMs, and third-party tools that send on your behalf all need to be covered by SPF or DKIM before enforcement goes live. Start at none, review the reports, confirm everything that should be passing is passing, then move to quarantine, then reject.
You can check how your DMARC record looks right now with our free DMARC Parser. If you're not sure where to start, our DMARC Generator will build the record for you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.