DMARC Implementation Guide
Configure DMARC to protect your domain from email spoofing and receive reports on email authentication.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to:
1. Tell receiving servers what to do when SPF/DKIM fail
2. Get reports about emails using your domain
3. Prevent domain spoofing and phishing
DMARC has been required by Google and Yahoo for bulk senders since February 2024.
DMARC Record Format
DMARC is published as a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The "rua" tag tells servers where to send aggregate reports about your email.
DMARC Policy Options
The policy (p=) determines what happens to failing emails:
• **p=none** - Monitor only, don't take action (start here)
• **p=quarantine** - Mark failing emails as spam
• **p=reject** - Block failing emails completely
Also consider:
• **sp=** - Policy for subdomains
• **pct=** - Percentage of emails to apply policy to (for gradual rollout)
DMARC Alignment
DMARC requires alignment between the "From" header and the authenticated domain:
• **SPF Alignment:** The Return-Path domain must match the From domain
• **DKIM Alignment:** The DKIM signing domain (d=) must match the From domain
Either SPF OR DKIM must pass AND align for DMARC to pass.
Third-party senders (marketing platforms, CRMs) may break alignment. Configure them to use your domain for signing.
Implementation Steps
1. **Start with monitoring:**
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com
2. **Wait and analyze reports** for 2-4 weeks
3. **Fix authentication issues** for legitimate senders
4. **Move to quarantine:**
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
5. **Gradually increase pct** to 100%
6. **Finally, move to reject:**
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s
adkim=s and aspf=s enforce strict alignment for maximum protection.
Reading DMARC Reports
Aggregate reports (rua) are XML files sent daily. They show:
• IP addresses sending email as your domain
• SPF and DKIM results for each source
• Volume of emails from each source
Use services like Postmark DMARC, DMARC Analyzer, or parse them yourself.
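If you parse the reports yourself, the per-source breakdown above (sending IPs, SPF/DKIM results, volume) is what steps 2 and 3 of the rollout rely on. The following is an added example, not code from this guide: it assumes the RFC 7489 aggregate-report XML layout, runs on a constructed sample report, and its function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    """Build one <record> for the constructed sample below."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            "<header_from>yourdomain.com</header_from></identifiers></record>")

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IPs).
SAMPLE_REPORT = (
    '<?xml version="1.0"?><feedback><policy_published>'
    "<domain>yourdomain.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")    # own mail server
    + _rec("198.51.100.7", 40, "pass", "fail")   # third party: DKIM aligned, SPF not
    + _rec("203.0.113.99", 15, "fail", "fail")   # unrecognized source
    + _rec("203.0.113.99", 5, "fail", "fail")    # same source, second row
    + "</feedback>")

def summarize(xml_text):
    """Per source IP: total volume and how much failed SPF, DKIM and DMARC."""
    # Reports come from outside parties; a valid one never needs a DTD.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD/entity declaration in DMARC report")
    stats = defaultdict(lambda: dict(total=0, spf_fail=0, dkim_fail=0, dmarc_fail=0))
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated carries the alignment-aware SPF and DKIM verdicts.
        spf_ok = rec.findtext("row/policy_evaluated/spf", "").strip().lower() == "pass"
        dkim_ok = rec.findtext("row/policy_evaluated/dkim", "").strip().lower() == "pass"
        s = stats[ip]
        s["total"] += count
        s["spf_fail"] += 0 if spf_ok else count
        s["dkim_fail"] += 0 if dkim_ok else count
        # DMARC fails only when neither mechanism passed with alignment.
        s["dmarc_fail"] += 0 if (spf_ok or dkim_ok) else count
    return dict(stats)

def failing_sources(stats):
    """(ip, failing count) for sources that failed DMARC, largest first."""
    hits = [(ip, s["dmarc_fail"]) for ip, s in stats.items() if s["dmarc_fail"]]
    return sorted(hits, key=lambda h: h[1], reverse=True)

def fail_rate(stats):
    """Share of reported mail that p=quarantine or p=reject would act on."""
    total = sum(s["total"] for s in stats.values())
    return sum(s["dmarc_fail"] for s in stats.values()) / total if total else 0.0
```

Real reports usually arrive as gzip or zip attachments, so decompress them before calling `summarize`. A source listed by `failing_sources` that you recognize as a legitimate sender needs its SPF or DKIM fixed before you raise the policy.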