I Configured DMARC and Caught Someone Impersonating My Domain

I was getting reports I never asked for — and they told a disturbing story

A few weeks ago, I started receiving emails from providers like Google and Yahoo. Automated reports, with names like "Report domain: hubnews.ai". My first reaction was to ignore them. They looked like technical spam.

Then I opened one.

The report said, in essence: someone was sending emails using my domain. It wasn't me. It wasn't my server. They were IPs I had never seen in my life.

And I only found out because, weeks earlier, I had configured something called DMARC. Something I didn't even know existed.

What the hell is DMARC

If you're a dev and have never heard of DMARC, don't worry — neither had I.

DMARC is an email authentication policy. It works like this: you publish a DNS record telling the world how email providers should handle messages that claim to come from your domain but fail verification.

In practical terms: it's a rule that says "if someone sends an email pretending to be me, do X with that message."

There are other technologies involved — SPF and DKIM — that do the actual verification. DMARC is the one that decides what happens when verification fails. And as a bonus, it sends you reports about everything happening with emails from your domain.

It's like installing a security camera you didn't know you needed. You don't see the thief trying the door — until you install the camera.

Why would anyone impersonate you

That was my first question. I run HubNews, an AI-powered news platform with a newsletter. But I'm not a mega corporation. Who would want to pretend to be my domain?

The answer is simple: any domain will do.

Spammers and scammers use other people's domains to send phishing, spam, and malicious emails. They don't need to hack your server — they just send the email claiming it's "from" someone@yourdomain.com. If you don't have DMARC configured, nothing stops this. The receiving provider has no way to know that email is fake.

The result? Your domain lands on blacklists. Your legitimate emails go to spam. Your sender reputation goes down the drain. And you don't even know it's happening.

How to configure it — it's literally one line

This is the part that made me angry at myself. The configuration is ridiculously simple. It's a TXT record in your domain's DNS.

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:your@email.com; pct=100"

That's it. Seriously.

Let's break it down:

  • v=DMARC1 — protocol version (always this)
  • p=quarantine — the policy (what to do with emails that fail)
  • rua=mailto:... — where to send the reports
  • pct=100 — apply the policy to 100% of the emails that fail

You go to your DNS provider's panel (Cloudflare, Route53, GoDaddy, whatever), create the TXT record, and you're done. Takes 2 minutes.
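As an added example (not code from this post), here is a small Python check that parses a record like the one above and flags settings worth reviewing before you publish it. The function names are made up for illustration, and it covers only the v, p, pct and rua tags discussed here.

```python
# Added example (hypothetical helper names): parse a DMARC TXT record and
# flag settings worth reviewing. Covers only the v, p, pct and rua tags.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC record into a {tag: value} dict; v=DMARC1 must come first."""
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {}
    for i, pair in enumerate(pairs):
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[name] = value
    if not tags:
        raise ValueError("empty record")
    return tags

def review_dmarc(txt):
    """Return a list of findings for a record; an empty list means nothing to flag."""
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p={policy or '(missing)'} is not a valid policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} must be an integer from 0 to 100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        findings.append("no rua address: no aggregate reports will be sent")
    elif any(not u.lower().startswith("mailto:") for u in rua):
        findings.append("rua entries should be mailto: URIs")
    return findings

if __name__ == "__main__":
    print(review_dmarc("v=DMARC1; p=none; pct=100"))
```
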

The three policies: from "curious" to "maximum security"

DMARC has three policy levels, and you can escalate as you gain confidence:

none — Monitor only. You get the reports, but nothing happens to fake emails. It's the "tell me what's going on, but don't do anything yet" setting.

quarantine — Failing emails go to the recipient's spam folder. It's the middle ground. The email doesn't reach the inbox, but it's not completely blocked either.

reject — Full block. Emails that fail verification are rejected. No spam folder, no inbox. Simply not delivered.

I started with quarantine. I wanted to understand what was happening before blocking everything — what if some legitimate service I use was failing verification?

The reports told the story

After configuring it, the reports started rolling in. Each one covers a period (usually 24 hours) and shows all IPs that attempted to send email using your domain.

My legitimate emails — sent through Hostinger — passed perfectly. SPF ok, DKIM ok, DMARC pass.

But alongside them were other IPs. Servers I didn't recognize, trying to send email as if they were my domain. And failing. Thanks to the quarantine policy, those emails were going to spam instead of reaching recipients' inboxes.

Without DMARC, those emails would have arrived normally. And whoever received them would have thought they were from me.

From quarantine to reject

After a few weeks of monitoring, it was clear: all my legitimate services were passing. The only ones failing were spoofing attempts.

I updated the policy:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=reject; rua=mailto:your@email.com; pct=100"

One word changed. From quarantine to reject. Now fake emails don't even arrive — they're rejected at the door.

What you should do right now

If you have a domain — any domain, with or without a newsletter, with or without an app — configure DMARC. Today.

Start with p=none if you want to be cautious. Read the reports for a week or two. Then upgrade to quarantine. Then to reject.

It takes 2 minutes to configure. Zero cost. And it gives you visibility into something that is probably happening to your domain right now — without you knowing.

I had no idea what DMARC was until I configured it. And then I discovered someone was impersonating me. The security camera I didn't know I needed ended up catching the thief trying the door.

Billy

Full Stack Dev & Solo Entrepreneur

Building products with code and AI. Creator of HubNews and Sistema Reino.