DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the enforcement layer for email authentication. SPF and DKIM tell receivers whether a message is authentic. DMARC tells them what to do when it isn't: nothing, quarantine, or reject. Without a DMARC record, receivers run the checks and discard the result. With one, they act. The protocol is specified in RFC 7489.
How it works
DMARC is a TXT record published at _dmarc.yourdomain.com (RFC 7489 §6.1). It does two things:
- Declares a policy. The p= tag says what receivers should do with messages that fail SPF or DKIM: none (monitor), quarantine (spam folder), or reject (block).
- Requests reports. The rua= tag gives receivers an email address to send daily aggregate reports to. Those reports tell you who's sending mail claiming to be you, legitimate or not.
A strict record:
v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s
The three policies
Same forged message, same inbox. The only variable is the p= tag:
| Policy | Forged mail outcome | Sudory verdict |
|---|---|---|
| p=none | Delivered unchanged. Failure is only logged in reports. | Fail |
| p=quarantine | Routed to spam. Still retrievable by a determined recipient. | Warn |
| p=reject | Blocked at SMTP. Never reaches the recipient. | Pass |
Getting to p=reject is the goal. Starting there is a mistake, because any sender you haven't authorised yet will be blocked. The safe path is a gradual rollout, driven by the aggregate reports.
Record tags
| Tag | Meaning |
|---|---|
| v=DMARC1 | Version. Always this exact string. |
| p= | Main policy. Applies to mail from the root domain. |
| sp= | Subdomain policy. If absent, subdomains inherit p=. Often forgotten, so attackers can pivot to news.yourdomain.com. |
| rua= | Aggregate report address. Reports are XML, optionally gzip-compressed, delivered as a MIME attachment daily. Required for any real rollout. |
| ruf= | Forensic (per-message) report address. Receivers may or may not generate them; in practice Google, Yahoo, and Microsoft do not, mostly because of privacy concerns around including message bodies. |
| pct= | Percentage of failing mail the policy applies to. Default is 100 if omitted. A rollout dial: start at 10, end at 100. |
| adkim= | DKIM alignment. s is strict (exact domain match), r is relaxed (subdomains allowed). Default is r if omitted. |
| aspf= | SPF alignment. Same values as adkim, applied to the SPF check. Default is r if omitted. |
All tag semantics and defaults are defined in RFC 7489 §6.3.
Alignment
DMARC doesn't just check that SPF or DKIM passed. It also checks that they passed for the same domain the From header claims. This is alignment, defined in RFC 7489 §3.1.
- Strict (s): the authenticating domain must exactly match the From domain.
- Relaxed (r, default): subdomains are OK. If From: you@mail.yourdomain.com and the DKIM signature is for yourdomain.com, it's aligned.
Without alignment, a spammer could sign their own domain with DKIM, pass the DKIM check, but still be forging your From header. Alignment closes that loophole.
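The tag defaults and alignment rules above, worked through in code. This is an added illustration, not Sudory's scanner or anything from RFC 7489: it parses a _dmarc TXT record, fills in the §6.3 defaults (pct=100, adkim=r, aspf=r, sp= inheriting p=), and returns the disposition a receiver would apply. The relaxed-mode organizational domain is approximated as the last two labels; a real receiver consults the Public Suffix List, and pct= sampling is not modelled.

```python
# Defaults from RFC 7489 §6.3; sp= inherits p= when absent.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict, filling in RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 §3.1): 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record: str, record_domain: str, from_domain: str,
                spf_domain: str = "", spf_pass: bool = False,
                dkim_domain: str = "", dkim_pass: bool = False) -> str:
    """Return 'pass' (SPF or DKIM passed *and* aligned) or the policy to apply.

    The policy is p= for mail whose From domain is the record's domain and sp=
    for subdomains. pct= is the rollout dial and is not applied here.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    is_root = from_domain.lower().rstrip(".") == record_domain.lower().rstrip(".")
    return tags["p"] if is_root else tags["sp"]
```

The case from the paragraph above, a message signed with DKIM for the spammer's own domain but carrying your From header, comes back as the record's p= policy because the signing domain does not align.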
The rollout
Don't jump straight to p=reject. Walk it up.
- Observe. Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. You get reports without breaking anything. Run for 2 to 4 weeks.
- Soft enforce. Move to p=quarantine; pct=10. Low blast radius while you fix any senders you missed.
- Ramp. Raise pct through 50, then 100. Reports should be clean by the end.
- Lock. Switch to p=reject. Set sp=reject so subdomains inherit.
The reports from rua= are the unlock. Without them, you're tightening blindly. That's how legitimate mail gets blocked and the rollout gets reverted.
Provider-specific walkthroughs: Google Workspace and Microsoft 365 / Defender. Both recommend the same none → quarantine → reject rollout.
Common mistakes
- Staying on p=none forever. Monitoring without enforcement is the same as having no DMARC. Only p=reject actually prevents spoofing.
- No rua= address. You can't tighten safely without data. Always include the reporting email.
- Forgetting sp=. DMARC inheritance is inconsistent across receivers. Set sp=reject explicitly or attackers pivot to subdomains.
- DMARC without SPF or DKIM. DMARC enforces those results. Without them, there's nothing to enforce.
Check your DMARC policy: scan your domain. Sudory reads the record and tells you which step of the rollout you're on, and what to tighten next.