The concept is simple: when you send an email and the destination server receives it, that server checks whether you have DMARC configured and, if so, verifies two things:
- that the email came from a source authorised by you and
- that the email has been signed with a key that you own
If the email passes at least one of these two validations, the receiving server will let the email through.
If the email comes from a malicious source, it will not be able to pass either of these validations. In that case, if your DMARC record says the email should be rejected, the receiving server will follow that instruction. Periodically, the receiving servers send a report to OnDMARC with the number of emails passing and failing DMARC validation.
You can also check out our video that explains how DMARC works.