DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the enforcement layer for email authentication. SPF and DKIM tell receivers whether a message is authentic. DMARC tells them what to do when it is not: nothing, quarantine, or reject. Without a DMARC record, receivers run the checks and discard the result. With one, they act. Specified in RFC 7489.

How it works

DMARC is a TXT record published at _dmarc.yourdomain.com (RFC 7489 §6.1). It does two things:

  1. Declares a policy. The p= tag says what to do with messages that fail SPF or DKIM: none (monitor), quarantine (spam folder), or reject (block).
  2. Requests reports. The rua= tag gives receivers an address for daily aggregate reports. Those reports show who is sending mail as you, legitimate or not.

A strict record:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s

The three policies

Same forged message, same inbox. The only variable is the p= tag.

  • p=none (monitor): forged mail is delivered. Failure is logged in aggregate reports only. Sudory: fail.
  • p=quarantine (spam folder): forged mail is routed to spam. Still retrievable by a determined user. Sudory: warn.
  • p=reject (block): forged mail is refused at the SMTP handshake. Never reaches the recipient. Sudory: pass.

Getting to p=reject is the goal. Starting there is a mistake: any sender you have not authorised yet will be blocked. The safe path is a gradual rollout, driven by the aggregate reports.

Record tags

A strict DMARC record has seven meaningful tags. Each one does a specific job.

DMARC record breakdown (_dmarc.yourdomain.com TXT):

v=DMARC1;p=reject;sp=reject;rua=mailto:dmarc@yourdomain.com;pct=100;adkim=s;aspf=s;

  • v=DMARC1 (version): always exactly this string. Only defined version.
  • p=reject (policy): what to do with failing mail. none = monitor, quarantine = spam folder, reject = block at SMTP.
  • sp=reject (subdomain policy): applied to subdomains. If omitted, subdomains inherit p=. Often forgotten, and attackers pivot to news.yourdomain.com.
  • rua=mailto:dmarc@yourdomain.com (aggregate reports): daily XML summary of who is sending as you. Required for any safe rollout.
  • pct=100 (percentage): percent of failing mail the policy applies to. Rollout dial: start at 10, end at 100.
  • adkim=s (DKIM alignment): s = strict (exact domain match), r = relaxed (subdomains OK). Default r.
  • aspf=s (SPF alignment): same values as adkim. Strict closes the subdomain-spoof loophole.

Full tag semantics and defaults in RFC 7489 §6.3. Note also the ruf= tag for per-message forensic reports: defined but effectively dead in practice. Google, Yahoo, and Microsoft do not generate them over privacy concerns.

Alignment

DMARC does not just check that SPF or DKIM passed. It also checks that they passed as the same domain the From header claims. That is alignment, defined in RFC 7489 §3.1.

  • Strict (s): the authenticating domain must exactly match the From domain.
  • Relaxed (r, default): subdomains count. From: you@mail.yourdomain.com with a DKIM signature for yourdomain.com is aligned.

Without alignment, a spammer could sign their own domain with DKIM, pass the DKIM check, and still forge your From header. Alignment closes the loophole.
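To make the tag defaults and the alignment rule concrete, here is an added example (not Sudory's code) that parses a DMARC record and works out the disposition a receiver would apply to one message under RFC 7489. It assumes a simplified organisational-domain lookup (last two labels, not the Public Suffix List), leaves out pct= sampling, and uses constructed sample domains.

```python
# Added example, not Sudory's code: parse a DMARC TXT record and work out
# the disposition a receiver would apply under RFC 7489 for one message.
# Simplifying assumption: the organisational domain is the last two labels
# (a real receiver consults the Public Suffix List). pct= sampling is omitted.

DEFAULTS = {"p": "none", "sp": None, "pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict with RFC defaults filled in."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags["sp"] is None:            # sp= absent: subdomains inherit p=
        tags["sp"] = tags["p"]
    return tags


def org_domain(domain: str) -> str:
    """Assumed simplification of RFC 7489 section 3.2: keep the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1: 's' needs an exact match, 'r' accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def disposition(record: str, record_domain: str, from_domain: str,
                spf_domain=None, dkim_domains=()) -> str:
    """Return 'pass', or the policy (none/quarantine/reject) the receiver applies.

    spf_domain: the MAIL FROM domain if SPF passed, None if SPF failed.
    dkim_domains: the d= values of DKIM signatures that verified.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, from_domain, tags["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from the record owner itself gets p=; mail from a subdomain gets sp=.
    return tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
```

A DKIM signature for the spammer's own domain verifies but does not align, so the strict record above still yields reject.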

The rollout

Do not jump straight to p=reject. Walk it up.

  1. Observe. Publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. You get reports without breaking anything. Run for 2 to 4 weeks.
  2. Soft enforce. Move to p=quarantine; pct=10. Low blast radius while you fix any senders you missed.
  3. Ramp. Raise pct through 50, then 100. Reports should be clean by the end.
  4. Lock. Switch to p=reject. Set sp=reject so subdomains inherit.

The rua= reports are the unlock. Without them, you tighten blindly. That is how legitimate mail gets blocked and the rollout gets reverted. The blog post How to read DMARC aggregate reports walks the XML schema field by field, the patterns worth acting on, and the free aggregators that turn raw reports into a weekly digest.

Provider walkthroughs: Google Workspace and Microsoft 365 / Defender. Both recommend the same rollout: none → quarantine → reject.

Common mistakes

  • Stuck on p=none. Monitoring without enforcement is the same as no DMARC. Only p=reject stops spoofing.
  • No rua= address. You cannot tighten safely without data. Always include the reporting email.
  • Forgetting sp=. DMARC inheritance varies across receivers. Set sp=reject explicitly or attackers pivot to subdomains.
  • DMARC without SPF or DKIM. DMARC enforces those results. Without them, nothing to enforce.

Check your DMARC policy: scan your domain. Sudory reads the record, shows your rollout phase, and calls out the next thing to tighten.

Aleksej Dix, Founder of Sudory

Founder of Sudory. Frontend engineer based in Zurich with 20+ years shipping production web apps; now building continuous compliance scanning and writing about the DNS and email-auth controls behind it. Co-founder of WebZurich.