 You may ask, why do we need DMARC if we already have SPF? SPF doesn't protect against all types of impersonated messages. In some situations, it's possible for email to pass SPF and still be impersonated and actually have an example here that I wanted to show. You can think of emails the same way that you could think of a letter being sent through the post office, through normal postal mail. An email contains basically the inside part of the email, which is the part that you actually read in Outlook, and then it's wrapped in an envelope. And on the outside of that envelope we have our mail from address and we have our receipt to address, which basically defines who the sender of that letter is and who the recipient of that letter should be. And then inside that envelope is the actual letter and this is what appears in Outlook when you view the message, so the from address and the to address and your subject and your date. The problem that can occur though, is if someone who is attempting to impersonate a sender in your organization, if they send an email that looks like it comes from, so the mail from on the envelope says that it's from jerk at spammer.com and the receipt to is you at your job. And then inside of that envelope they make it look like it comes from your boss. This is something that's actually pretty easy to do and if the sender, if the spammer that's sending this message, if they have their domain registered and they have SPF set up for their domain, then SPF can still pass in this situation. So SPF would pass because the mail came from a domain that passes SPF, even though it's impersonating an email that looks like it comes from your boss and going to you. And DMARC helps deal with this type of situation and that's one of the reasons we really like to do it.