What Is DMARC? A Plain-Language Guide for Nonprofit Board Members
DMARC stops people from sending fake emails that look like they come from your organization. Here's what it is, why your nonprofit needs it, and how to set it up — no IT background required.
If you serve on the board of a small nonprofit, someone has probably mentioned "email security" or "DMARC" in passing. Maybe it came up during a grant application. Maybe your bank asked about it. Maybe you read that over half of micro-nonprofit domains lack email authentication.
This guide explains what DMARC is, why it matters for your organization, and what to do about it — in terms that don't require an IT background.
The Problem DMARC Solves
Anyone can send an email that looks like it comes from your organization's domain. Right now. Without your permission.
If your nonprofit is Hope Animal Rescue and you own hopeanimalrescue.org, someone in another country can send an email that says it's from donations@hopeanimalrescue.org — and many email providers will deliver it. The recipient sees your name, your domain, and a request for money. There's nothing in the email itself that proves it's fake.
This is called spoofing. It's not hacking. The attacker doesn't need access to your accounts. They just need to know your domain name, which is public.
DMARC is the system that stops this.
What DMARC Actually Is
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Forget the acronym. Here's what it does in practice:
DMARC is a rule you publish that tells every email provider in the world how to handle messages claiming to come from your domain.
You add a short line of text to your domain's DNS settings — the same place where your domain registrar manages your website address. That line says one of three things:
- "Monitor" (p=none) — deliver the email, but send me a report so I can see who's sending as my domain
- "Quarantine" (p=quarantine) — if the email fails authentication, put it in spam
- "Reject" (p=reject) — if the email fails authentication, don't deliver it at all
That's it. DMARC is a published policy. It's not software you install. It's not a subscription. It's a single line in your DNS settings.
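To show how a receiving mail provider applies those three policies, here is an added Python example that is not part of this guide: it parses a DMARC record and decides whether a message claiming to come from the domain is delivered, sent to spam, or rejected. The record strings and the SPF/DKIM outcomes are constructed, yourorg.org is a placeholder domain, and the optional pct= and sp= tags a real record may carry are not modeled.

```python
"""Added example: parse a DMARC record and work out what a receiving
mail provider does with a message that claims to come from the domain.

The record strings and the authentication results below are constructed
for illustration; yourorg.org is a placeholder, not a real domain.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs.

    Raises ValueError when the text is not a usable DMARC record, which is
    what a receiver also concludes (it then treats the domain as having
    no policy at all).
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The version tag must be present and must be the first tag.
    first_key = txt.split(";", 1)[0].split("=", 1)[0].strip().lower()
    if first_key != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("record needs p=none, p=quarantine or p=reject")
    return tags


def disposition(record_txt, spf_aligned, dkim_aligned):
    """Return (action, reason) for one incoming message.

    DMARC passes when SPF or DKIM passes *and* the domain that passed
    lines up with the From: address the recipient sees. Only when both
    fail does the published p= policy come into play.
    """
    if record_txt is None:
        return ("deliver", "no DMARC record published, so nothing to enforce")
    try:
        tags = parse_dmarc(record_txt)
    except ValueError as err:
        return ("deliver", f"unusable DMARC record ({err}), treated as no policy")
    if spf_aligned or dkim_aligned:
        return ("deliver", "DMARC pass")
    policy = tags["p"]
    if policy == "none":
        return ("deliver", "DMARC fail, but p=none only monitors")
    if policy == "quarantine":
        return ("quarantine", "DMARC fail, p=quarantine sends it to spam")
    return ("reject", "DMARC fail, p=reject refuses delivery")


def reporting_address(record_txt):
    """Return the rua= mailbox that receives aggregate reports, or None."""
    tags = parse_dmarc(record_txt)
    rua = tags.get("rua")
    if not rua:
        return None
    # rua may list several mailto: URIs separated by commas; take the first.
    first = rua.split(",")[0].strip()
    return first[len("mailto:"):] if first.startswith("mailto:") else first


if __name__ == "__main__":
    records = {
        "domain sends no mail": 'v=DMARC1; p=reject;',
        "monitoring first":     'v=DMARC1; p=none; rua=mailto:dmarc@yourorg.org;',
        "no record at all":     None,
    }
    for label, record in records.items():
        # A spoofed message fails both checks; a genuine one passes at least one.
        spoofed = disposition(record, spf_aligned=False, dkim_aligned=False)
        genuine = disposition(record, spf_aligned=False, dkim_aligned=True)
        print(f"{label:22} spoofed -> {spoofed[0]:10} genuine -> {genuine[0]}")
```

Running it shows why p=none is only a first step: a message that fails both checks is still delivered. It also shows that a record which does not begin with v=DMARC1 is ignored by receivers, which is the same as publishing nothing.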
Why This Matters for Your Nonprofit
Small nonprofits are attractive spoofing targets. Here's why:
You ask people for money. Your donors are used to receiving emails from you with links to donate. A spoofed email with a fake donation link looks exactly like a real one.
Your domain is trusted. Community members, local businesses, and grant organizations recognize your name. A spoofed email from your domain carries that trust.
Nobody is watching. Large organizations have security teams monitoring for spoofed emails. Your nonprofit almost certainly does not. A spoofing campaign against your domain could run for weeks before anyone notices.
You handle personal data. Donor names, addresses, payment information, volunteer records. A successful phishing attack that starts with a spoofed email from your domain can lead to real data exposure.
What Happens Without DMARC
Without a DMARC policy, your domain is an open door. We analyzed 229,829 micro-nonprofits across the U.S. and found that over half of email-capable nonprofit domains have no DMARC record at all.
That means anyone can send an email as those organizations and it will be delivered with no questions asked.
This isn't theoretical. Nonprofit domain spoofing happens regularly. It's automated, cheap, and difficult to trace. The target isn't usually the nonprofit itself — it's the donors and community members who trust the organization's name.
What You Should Do
This depends on where your organization stands today. There are three situations.
If your nonprofit doesn't use its domain for email
Many small nonprofits own a domain (like yourorg.org) for their website, but everyone uses personal Gmail or Yahoo accounts for actual email. If that's your situation:
Add a DMARC record with p=reject.
This tells every email provider: "Nobody sends legitimate email from this domain. Reject anything claiming to come from it." This is the strongest protection and it's the easiest to implement because there's no legitimate email traffic to worry about.
The record looks like this:
_dmarc.yourorg.org TXT "v=DMARC1; p=reject;"
You add this in your domain registrar's DNS settings (GoDaddy, Namecheap, Google Domains, wherever you bought your domain). It takes five minutes.
If your nonprofit uses Google Workspace or Office 365
Good news: Google and Microsoft already handle the harder parts of email authentication (SPF and DKIM) for you. What's missing is the DMARC policy itself.
Start with p=none to see what's happening:
_dmarc.yourorg.org TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourorg.org;"
This doesn't block anything yet. It tells email providers to send you reports about who is sending email as your domain. After a few weeks, you'll know whether any legitimate services (your newsletter tool, your event platform) are sending email on your behalf.
Once you've confirmed all your legitimate email is authenticated, upgrade to p=quarantine and eventually p=reject.
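To make the monitoring step concrete, here is an added Python example (not from this guide, nor from Google or Microsoft) that reads one aggregate report sent to the rua= address and lists which sending addresses fail authentication. The report XML is a constructed sample in the layout receivers use for these reports; the IP addresses come from documentation ranges, the message counts are invented, and yourorg.org is a placeholder.

```python
"""Added example: summarize a DMARC aggregate (rua) report so you can see
which senders are using your domain and which of them fail authentication.

The XML below is a constructed sample in the RFC 7489 aggregate-report
layout. The IP addresses are from documentation ranges and the sending
volumes are invented; yourorg.org is a placeholder domain.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourorg.org</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>yourorg.org</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>40</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>yourorg.org</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>500</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>yourorg.org</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} from one aggregate report.

    A row passes DMARC when the receiver's aligned DKIM *or* aligned SPF
    result is "pass". These are the <policy_evaluated> results, not the
    raw <auth_results>, because only aligned results count for DMARC.
    """
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip]["pass" if passed else "fail"] += count
    return dict(totals)


def failing_sources(report_xml):
    """List (source_ip, failed_count), biggest offender first."""
    summary = summarize_report(report_xml)
    failing = [(ip, t["fail"]) for ip, t in summary.items() if t["fail"]]
    return sorted(failing, key=lambda item: item[1], reverse=True)


def published_policy(report_xml):
    """Return the p= policy the receiver saw when it generated the report."""
    return ET.fromstring(report_xml).findtext("policy_published/p")


if __name__ == "__main__":
    print("policy in force:", published_policy(SAMPLE_REPORT))
    for ip, counts in summarize_report(SAMPLE_REPORT).items():
        print(f"{ip:15} pass={counts['pass']:4}  fail={counts['fail']:4}")
    print("review these senders before moving to p=quarantine:")
    for ip, failed in failing_sources(SAMPLE_REPORT):
        print(f"  {ip} ({failed} failing messages)")
```

Real reports arrive at the rua= mailbox as compressed .zip or .gz attachments, one per receiving provider per reporting period, so decompress them before parsing. The script cannot tell a legitimate newsletter tool from a spoofer; the failing list is a to-do list, where each address is either a service of yours that still needs SPF or DKIM set up, or someone else sending as your domain, and both cases should be resolved before you move to p=quarantine.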
If your nonprofit uses email through a hosting provider
If your email came bundled with your web hosting (cPanel, Plesk, or similar), the setup is the same as above, but you may also need to configure SPF and DKIM manually. Your hosting provider's support documentation will have instructions specific to their platform.
Who Should Do This
This doesn't require a technical person. If someone on your board can log into your domain registrar and follow a three-line instruction, they can set up DMARC.
If nobody on your board is comfortable with DNS settings, ask:
- Your website volunteer or contractor
- A local tech professional who donates time (many do for nonprofits)
- Your domain registrar's support team — they can walk you through adding a TXT record
The total time investment is 15-30 minutes. There is no cost.
The One-Page Version for Your Next Board Meeting
Print this and bring it:
What: DMARC is a published rule that stops people from sending fake emails as your organization.
Why: Without it, anyone can impersonate your nonprofit to your donors. This is a real and common attack.
Risk of not acting: Donor fraud, reputational damage, potential data breach.
Cost to fix: Free. A single DNS record.
Time to fix: 15-30 minutes.
Who can do it: Anyone with login access to your domain registrar.
Action item: Determine whether your organization uses its domain for email. If no, add a p=reject DMARC record. If yes, add a p=none record and monitor for 30 days.
This guide is part of our analysis of 229,000 U.S. micro-nonprofits and their email infrastructure. For the full data, read the key findings.