DMARC · RFC 7489
DMARC: the layer that decides and reports
DMARC (Domain-based Message Authentication, Reporting & Conformance) replaces neither SPF nor DKIM: it ties them to the domain the recipient sees (the From: header), defines a policy on failure, and surfaces reports.
The key concept: alignment
A message passes DMARC if it is validated by SPF or by DKIM, and the authenticated domain matches the From: domain. Alignment is what stops an attacker from authenticating their own domain while displaying yours in the sender field.
- SPF alignment: the Return-Path domain matches the From: domain.
- DKIM alignment: the signature domain (d=) matches the From: domain.
The DNS record
A TXT record published on _dmarc.your-domain.com:
_dmarc.your-domain.com. IN TXT "v=DMARC1; p=none; rua=mailto:reports@your-domain.com; adkim=s; aspf=s; pct=100"
- p — policy: none (observe), quarantine (spam folder), reject (refuse).
- rua — address receiving aggregate reports (daily, XML).
- adkim / aspf — alignment mode: strict (s) or relaxed (r).
- pct — percentage of messages subject to the policy (useful for gradual rollout).
Rolling out without breaking anything
1. Publish p=none and collect rua reports for a few weeks.
2. Identify every legitimate source (ESP, CRM, billing…) and bring it into SPF/DKIM compliance.
3. Move to quarantine, optionally with pct < 100.
4. When reports are clean, move to reject.
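For steps 1 and 2, the sketch below (an added example, not part of the original page) reads one aggregate report in the RFC 7489 XML layout and lists the sources that fail DMARC, together with the domains they actually authenticated as. The sample report is constructed, esp.example is a hypothetical provider domain, and the report is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (documentation IP ranges, hypothetical ESP domain).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>your-domain.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>your-domain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>your-domain.com</domain><result>pass</result></dkim>
   <spf><domain>your-domain.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>your-domain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>esp.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def unaligned_sources(report_xml):
    """Return {source_ip: {"count": n, "authenticated_as": {...}}} for DMARC failures."""
    # Reports are third-party input: use a hardened parser such as defusedxml in production.
    root = ET.fromstring(report_xml)
    failing = {}
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results: DMARC passes if either one passes.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry = failing.setdefault(
            row.findtext("source_ip"), {"count": 0, "authenticated_as": set()})
        entry["count"] += int(row.findtext("count"))
        # auth_results holds the raw checks, including passes on a domain other than From:.
        for check in record.iterfind("auth_results/*"):
            entry["authenticated_as"].add(
                (check.tag, check.findtext("domain"), check.findtext("result")))
    return failing


if __name__ == "__main__":
    print(unaligned_sources(SAMPLE_REPORT))
```

A source that shows raw SPF or DKIM passes on another domain, like 198.51.100.7 here, is typically a legitimate sender that still needs alignment work before the policy is tightened.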
