How to Implement DMARC: From None to Reject

Learn how to implement DMARC with a gradual rollout strategy. Understand policy levels, alignment modes, and aggregate reporting per RFC 7489.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the enforcement layer that makes SPF and DKIM actionable. Defined in RFC 7489, DMARC tells receiving mail servers what to do when a message fails authentication and gives domain owners visibility into who is sending email using their domain. Implementing DMARC correctly requires a phased approach: start with monitoring, fix authentication gaps, and gradually escalate to full enforcement.

What DMARC Does

DMARC builds on two existing protocols:

  • SPF (RFC 7208) validates the sending server's IP address against the domain's published SPF record.
  • DKIM (RFC 6376) verifies a cryptographic signature attached to the message.

DMARC adds two things neither protocol provides on its own: alignment and policy.

Alignment requires that the domain authenticated by SPF or DKIM matches the domain in the visible "From" header. Without alignment, an attacker could pass SPF using their own domain in the envelope sender while spoofing your domain in the "From" header.

Policy instructs receiving servers on how to handle messages that fail alignment. Without DMARC, receivers make their own decisions, which vary widely across providers.

Validate your current DMARC setup with the DMARC analyzer.

DMARC Record Structure

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com. A complete record looks like this:

v=DMARC1; p=quarantine; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; pct=100

Key Tags

Tag    Purpose                                   Values
v      Protocol version                          Always DMARC1
p      Policy for the organizational domain      none, quarantine, reject
sp     Policy for subdomains                     none, quarantine, reject
rua    Aggregate report destination              mailto: URI
ruf    Forensic report destination               mailto: URI
adkim  DKIM alignment mode                       r (relaxed) or s (strict)
aspf   SPF alignment mode                        r (relaxed) or s (strict)
pct    Percentage of messages subject to policy  1-100

The Three Policy Levels

p=none (Monitor Only)

The none policy is the starting point. It tells receiving servers to deliver all messages regardless of authentication results, but to send aggregate reports to the address specified in rua. This phase is purely observational.

Use p=none to:

  • Discover all legitimate sources sending email as your domain.
  • Identify authentication failures that need to be fixed before enforcement.
  • Build confidence in your SPF and DKIM configuration.

p=quarantine (Soft Enforcement)

The quarantine policy instructs receiving servers to treat messages that fail DMARC as suspicious. In practice, this usually means delivering them to the spam or junk folder.

Move to p=quarantine when:

  • All known legitimate senders pass SPF or DKIM with alignment.
  • Aggregate reports show minimal false failures.
  • You have addressed forwarding scenarios that break SPF (mailing lists, auto-forwarding rules).

Use the pct tag to apply the quarantine policy to a subset of failing messages first. For example, pct=25 applies the policy to 25% of failures while the remaining 75% are treated as p=none. Gradually increase the percentage as you gain confidence.

p=reject (Full Enforcement)

The reject policy tells receiving servers to refuse messages that fail DMARC alignment outright. The message is not delivered, and the sending server receives a bounce.

This is the strongest protection against domain spoofing. Move to p=reject when:

  • You have been at p=quarantine; pct=100 with no legitimate mail being flagged.
  • All sending services are properly authenticated with both SPF and DKIM.
  • You have reviewed aggregate reports for several reporting cycles.

Alignment Modes

DMARC supports two alignment modes for both SPF and DKIM:

Relaxed alignment (r) -- The authenticated domain and the "From" domain must share the same organizational domain. For example, if the "From" header is [email protected], an SPF pass for bounce.example.com satisfies relaxed alignment because both share the organizational domain example.com.

Strict alignment (s) -- The authenticated domain must exactly match the "From" domain. A pass for bounce.example.com would not satisfy strict alignment if the "From" header is [email protected].

Relaxed alignment is the default and is recommended for most deployments. Strict alignment is useful for organizations that require tight control and have standardized their sending infrastructure.
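
The record tags, relaxed/strict alignment, pct sampling and sp inheritance described above, as an added Python example (not code from the original article): a small evaluator that parses a record and returns the disposition a receiver would apply. It assumes the organizational domain is the last two labels rather than consulting the Public Suffix List, and the function names are its own.

```python
# Added example, not from the original article: parse a DMARC record and work
# out the disposition a receiver applies, per RFC 7489 (simplified).
# Assumption: the organizational domain is the last two labels; real receivers
# use the Public Suffix List, so names like example.co.uk are not handled here.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; adkim=r' into tags, applying RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: v=DMARC1 and a p= tag are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p when sp is absent
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """s = exact match with the From domain; r = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_domain=None, dkim_domain=None, draw: int = 1) -> str:
    """Return 'pass' or the disposition to apply ('none', 'quarantine', 'reject').

    spf_domain / dkim_domain: the domains for which SPF / DKIM passed (None if failed).
    draw: the receiver's random 1-100 sample used for pct.
    The record is taken to be the organizational domain's, so a From domain
    below it counts as a subdomain and gets the sp policy.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # either mechanism passing with alignment is enough
    is_sub = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_sub else tags["p"]
    if draw > int(tags["pct"]):
        # Not sampled: reject is downgraded to quarantine, quarantine to none
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy
```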

Aggregate and Forensic Reports

Aggregate Reports (rua)

Aggregate reports are XML files that receiving mail servers send, typically once a day, to the address in your rua tag. They contain:

  • The reporting organization (e.g., Google, Yahoo, Microsoft).
  • Source IP addresses that sent email as your domain.
  • SPF and DKIM results for each source.
  • DMARC alignment and policy applied.

These reports are essential for identifying unauthorized senders, misconfigured services, and forwarding issues. Every DMARC deployment should include a rua tag.
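
To show what an aggregate report actually contains and how a pass rate is derived from it, here is an added Python example (not from the original article) that parses a constructed report in the RFC 7489 Appendix C layout. The reporter name, IP addresses and counts are made up, and the function names are the example's own.

```python
# Added example, not from the original article: parse a DMARC aggregate (rua)
# report and compute the aligned pass rate that the rollout decisions rely on.
# SAMPLE_REPORT is constructed sample data in the RFC 7489 Appendix C layout.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>reporter.example</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def parse_report(xml_text: str) -> list:
    """Return one dict per <record>: source IP, message count, aligned DKIM/SPF results."""
    # Reports are third-party input; in production parse them with defusedxml instead.
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": ev.findtext("dkim"),  # DKIM result after alignment, not raw DKIM
            "spf": ev.findtext("spf"),    # SPF result after alignment, not raw SPF
            "disposition": ev.findtext("disposition"),
        })
    return rows

def summarize(rows: list) -> dict:
    """DMARC passes when either aligned result is pass; report the rate and the gaps."""
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if "pass" in (r["dkim"], r["spf"]))
    failing = [r["source_ip"] for r in rows if "pass" not in (r["dkim"], r["spf"])]
    # Sources passing DKIM but not SPF are typically forwarders or services
    # missing from the SPF record; they still pass DMARC but merit a look.
    dkim_only = [r["source_ip"] for r in rows if r["dkim"] == "pass" and r["spf"] != "pass"]
    return {"total": total, "pass_rate": round(100 * passed / total, 1),
            "failing_sources": failing, "dkim_only_sources": dkim_only}
```

With the sample data the aligned pass rate is 94.9%, just under the 95% figure the FAQ gives as a threshold for moving to quarantine, and the single failing source is the kind of unauthenticated sender the monitoring phase exists to surface.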

Forensic Reports (ruf)

Forensic reports provide details about individual messages that failed DMARC. They can include message headers and, in some cases, partial body content. Not all providers send forensic reports due to privacy concerns, but they can be valuable for investigating specific spoofing incidents.

Gradual Rollout Strategy

The recommended DMARC rollout follows this sequence:

  1. Ensure SPF is valid. Use the SPF checker to confirm your record has correct syntax and is under the 10 DNS lookup limit.
  2. Ensure DKIM is configured. Use the DKIM verifier to confirm public keys are published for all sending services.
  3. Publish p=none with rua. Monitor aggregate reports for 2-4 weeks.
  4. Fix authentication gaps. Add missing SPF includes, configure DKIM for any unsigned sources.
  5. Move to p=quarantine; pct=25. Escalate the percentage over several weeks.
  6. Move to p=quarantine; pct=100. Monitor for another reporting cycle.
  7. Move to p=reject. Full enforcement.

Run a full domain analysis at each stage to confirm all layers are correctly configured.

Subdomain Policy

The sp tag controls the DMARC policy for subdomains. If omitted, subdomains inherit the organizational domain's policy. Setting sp=reject even while the main domain is at p=none can be a useful strategy to immediately protect subdomains that do not send email, preventing attackers from spoofing anything.yourdomain.com.

Common Mistakes

No rua tag. Without aggregate reports, you are flying blind. Always include a reporting address.

Skipping the monitoring phase. Jumping to p=reject without reviewing reports risks blocking legitimate mail from services you forgot to authenticate.

Ignoring subdomain policy. If you only set p=reject for the organizational domain, subdomains remain unprotected unless you also set sp=reject.

Not authenticating all senders. Every third-party service, transactional platform, and internal system that sends email as your domain must pass SPF or DKIM with alignment.

FAQ

What is DMARC and why do I need it?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS-based email authentication protocol defined in RFC 7489. It tells receiving mail servers what to do when SPF and DKIM checks fail and gives you visibility into who is sending email using your domain. Without DMARC, receivers make their own decisions about failed authentication, which vary widely across providers.

How long should I stay on p=none before moving to quarantine?

Most organizations should monitor with p=none for at least 2-4 weeks while reviewing aggregate reports. The goal is to identify and authenticate all legitimate senders before escalating. Move to p=quarantine only after your DMARC reports show consistent 95%+ pass rates across all legitimate mail streams.

What is the difference between SPF alignment and DKIM alignment?

SPF alignment requires the domain in the RFC5321.MailFrom (envelope sender) to match the RFC5322.From (visible sender). DKIM alignment requires the d= domain in the DKIM signature to match the From domain. DMARC passes if either SPF or DKIM passes with alignment. In relaxed mode (adkim=r, aspf=r), organizational domain matching is sufficient; in strict mode, exact domain match is required.

What are DMARC aggregate reports and how do I read them?

Aggregate reports (specified via the rua tag) are XML files sent by receiving mail servers summarizing authentication results for your domain. They show which IPs sent mail as your domain, whether SPF and DKIM passed, and the DMARC policy applied. Use the DMARC Analyze tool to check your current DMARC configuration and verify your rua address is set.

Can DMARC break my email delivery?

Yes, if you jump straight to p=reject without first identifying all legitimate senders. Services like marketing platforms, CRMs, and transactional email providers must pass SPF or DKIM with alignment before enforcement. This is why a phased rollout — p=none to p=quarantine with pct= to p=reject — is critical.

Do I need DMARC for subdomains?

Yes. Without an explicit subdomain policy (sp= tag), subdomains inherit the organizational domain's policy. Attackers frequently spoof subdomains like billing.yourdomain.com because many organizations only protect the root domain. Set sp=reject once your main domain is fully enforced.