In plain English
DMARC lets you tell the world's mail servers what to do with a message that carries your domain in the From: header but cannot be authenticated as yours. Without it, anyone can craft an email claiming to be from your company, and your suppliers, customers and staff will receive it with your brand on display. A DMARC policy at 'reject' enforcement tells receivers that check DMARC to refuse those spoofed messages, typically at delivery time, so they never reach the inbox. It protects your exact domain only: lookalike domains (a transposed letter, a different top-level domain) are not covered, and receivers that do not check DMARC are not bound by it.
Full definition
DMARC has three enforcement policies, set with the p= tag of the DNS TXT record: 'none' (monitor only; failing mail is still delivered and you receive reports), 'quarantine' (failing mail is delivered to spam or junk), and 'reject' (failing mail is refused outright). A pct= tag lets you apply quarantine or reject to a percentage of failing mail first. Organisations should progress through these stages, using the aggregate (rua) reports sent by receivers to identify every legitimate sending source, including third-party services sending on your behalf, before moving to enforcement; anything not fixed by then will be blocked along with the spoofed mail.
DMARC works in conjunction with SPF (which specifies which mail servers are authorised to send email for your domain) and DKIM (which adds a cryptographic signature to outgoing emails). A message passes DMARC if at least one of those checks passes and the domain it authenticated aligns with the From: header domain; relaxed alignment accepts a subdomain of the same organisational domain, strict alignment requires an exact match. All three should be configured correctly, with alignment verified, before moving DMARC to enforcement.
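To make the policy and alignment rules above concrete, here is an added example (not code from the original page) that evaluates a message against a DMARC record and summarises a constructed aggregate report. The records, domains, IP addresses and report contents are made up for illustration; the organisational-domain lookup is simplified to the last two labels, where a real receiver would use the Public Suffix List.

```python
"""Added example, not from the original page: evaluate a message against a
DMARC record (SPF/DKIM alignment, p=/sp=/pct=) and summarise a constructed
aggregate (rua) report. Domains, IPs and records below are made up."""
import xml.etree.ElementTree as ET

# Constructed records for the three enforcement stages discussed above.
RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment
    tags.setdefault("aspf", "r")         # relaxed SPF alignment
    tags.setdefault("pct", "100")        # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])     # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, from_domain, spf_domain=None, dkim_domains=(), sample=0):
    """Return (dmarc_result, disposition) for one message.

    spf_domain: the MAIL FROM domain if SPF passed, else None.
    dkim_domains: d= values of DKIM signatures that verified.
    sample: 0-99, where this message falls for pct= sampling (a receiver draws
            this at random; it is a parameter here so results are reproducible).
    Assumes the record was published at the organizational domain."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"            # one aligned pass is enough
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_sub else tags["p"]
    if sample >= int(tags["pct"]):
        # Outside the pct= sample: RFC 7489 says apply the next weaker policy.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed rua aggregate report: one authenticated source, one unauthenticated.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def unauthenticated_sources(report_xml):
    """List (source_ip, count) for rows that passed neither aligned SPF nor DKIM.
    Each is either a spoofer or a legitimate sender still to be added to SPF/DKIM."""
    root = ET.fromstring(report_xml)
    out = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") != "pass" and pe.findtext("spf") != "pass":
            out.append((row.findtext("source_ip"), int(row.findtext("count"))))
    return out


if __name__ == "__main__":
    # A DKIM signature from mail.example.com fails strict alignment at p=reject.
    print(evaluate(RECORDS["reject"], "example.com", dkim_domains=["mail.example.com"]))
    print(unauthenticated_sources(SAMPLE_REPORT))
```

The strict-alignment case in the `__main__` block is the one that bites organisations moving to 'reject': a signature that is perfectly valid but made with a subdomain `d=` fails DMARC the moment `adkim=s` is set. Running `unauthenticated_sources` over the reports collected during the 'none' stage is how you find the 198.51.100.7-style senders before they are blocked.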
The recommends DMARC implementation as a baseline email security control. Many enterprise procurement requirements and policies now specify DMARC 'reject' as a prerequisite.
