Intermediate · DNS records · 8 min read

DMARC — the policy on top

Tells receivers what to do with mail that fails both SPF and DKIM (or passes them without alignment). It is the record that turns two authentication signals into an enforceable anti-spoofing policy.

SPF and DKIM each produce an authentication result. DMARC sits on top of both: a message passes if either result is "pass" and the authenticated domain aligns with the From: header; the record tells the receiver what to do when neither does, and asks it to send reports about what it saw.

The minimal DMARC record

_dmarc.acme.dev. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@acme.dev"

The record lives at _dmarc.<your domain>. Two tags are required: v=DMARC1 (which must come first) and p= (the policy). Add rua=, a mailbox for aggregate reports; without it you get no data, and the data is what makes DMARC usable. A typo in any of these generally makes receivers treat the domain as having no DMARC record at all.

The three policies

  • p=none — receivers send reports but take no action. Use this for the first 30 days while you read the data.
  • p=quarantine — receivers are asked to treat failing mail as suspicious, usually by diverting it to spam. Use after 30 days of clean reports.
  • p=reject — receivers are asked to reject failing mail outright, normally at SMTP time. Use only after quarantine has been quiet for 30 days.
Jumping straight to p=reject without reading reports first is how mail goes missing. Some legitimate sender on your domain (a ticketing tool, a CRM, an old cron job) will fail SPF or DKIM. You want to find it in the reports, not hear about it when its mail stops arriving.

Aggregate reports (rua)

Once a day, each receiver that supports DMARC reporting emails the rua address a gzipped (or zipped) XML report: one row per (source IP, authentication result, count) tuple for mail carrying your domain in From:. Reading raw XML is bleak; we parse the reports, deduplicate across receivers, and surface a daily dashboard of "who is sending as you, by SPF/DKIM result".
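The report format described above, as an added example of a minimal parser (this is not VoltMail's pipeline): unwrap the gzip or zip attachment, flatten each <record> into a row, and merge rows across reports per source IP, dropping a report that arrives twice (same org_name and report_id). The XML is a constructed report in the RFC 7489 Appendix C schema; the IPs are documentation ranges.

```python
"""Parse a DMARC aggregate (rua) report and summarise it per source IP.

Added example, not VoltMail's pipeline. SAMPLE_XML is a constructed report
in the RFC 7489 Appendix C schema; the IPs are documentation ranges.
"""
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET

SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>2024-01-01T0000Z-acme.dev</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>acme.dev</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acme.dev</header_from></identifiers>
    <auth_results>
      <dkim><domain>acme.dev</domain><result>pass</result></dkim>
      <spf><domain>acme.dev</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>acme.dev</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# The same report as a receiver would attach it: gzip-compressed (constructed here).
SAMPLE_GZ = gzip.compress(SAMPLE_XML)


def unwrap(data: bytes) -> bytes:
    """Receivers attach .xml.gz or .zip; sniff the magic bytes and unpack."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    return data


def parse_report(xml_bytes: bytes) -> dict:
    """Flatten one aggregate report into {org, report_id, rows}."""
    root = ET.fromstring(xml_bytes)
    meta = root.find("report_metadata")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),      # aligned DKIM result as the receiver saw it
            "spf": pe.findtext("spf"),        # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),    # MAIL FROM domain
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),  # d= of the signature
        })
    return {"org": meta.findtext("org_name"),
            "report_id": meta.findtext("report_id"), "rows": rows}


def dmarc_pass(row: dict) -> bool:
    """DMARC passes when either aligned result is pass."""
    return row["dkim"] == "pass" or row["spf"] == "pass"


def summarize(reports: list) -> dict:
    """Merge rows per source IP, skipping duplicate (org, report_id) reports."""
    seen, by_ip = set(), {}
    for rep in reports:
        key = (rep["org"], rep["report_id"])
        if key in seen:
            continue
        seen.add(key)
        for r in rep["rows"]:
            b = by_ip.setdefault(r["source_ip"], {"pass": 0, "fail": 0,
                                                   "spf_domains": set(), "dkim_domains": set()})
            b["pass" if dmarc_pass(r) else "fail"] += r["count"]
            if r["spf_domain"]:
                b["spf_domains"].add(r["spf_domain"])
            if r["dkim_domain"]:
                b["dkim_domains"].add(r["dkim_domain"])
    return by_ip


if __name__ == "__main__":
    for ip, b in summarize([parse_report(unwrap(SAMPLE_GZ))]).items():
        print(ip, b)
```

The second record is the interesting one: SPF passed for bulk-sender.example, but that domain does not align with acme.dev in From:, so the receiver recorded an aligned SPF fail. That is what an unregistered third-party sender (or a spoofer) looks like in the data, and why the auth_results domains are worth surfacing next to the pass/fail counts.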

Forensic reports (ruf)

Optional. ruf= asks receivers to forward individual failing messages (with sensitive content redacted). Many receivers, including the largest, do not send ruf reports for privacy reasons, so do not build a process around them; rua is the primary signal.

Subdomain policy (sp=)

A subdomain without its own _dmarc record inherits the organisational domain's policy: p= applies, unless the organisational record carries sp=, in which case sp= applies to subdomains instead. Use it when the two should differ, for example sp=reject while the apex is still at p=quarantine, so that an attacker cannot spoof receipts.acme.dev while you are still ramping acme.dev itself. Note that a subdomain which publishes its own _dmarc record uses that record, not sp=.

Alignment modes

aspf= and adkim= control what "aligned" means. For SPF the domain compared is the one in MAIL FROM; for DKIM it is the d= of the validated signature. Either must match the From: header domain exactly (s, strict) or only share its organisational domain (r, relaxed, the default), so in relaxed mode a signature with d=mail.acme.dev aligns with From: acme.dev. Stick with relaxed unless you have a specific reason.
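The subdomain-policy lookup and the alignment modes from the two sections above, as an added example (not VoltMail code): policy_for() walks from a subdomain's own record to the organisational domain's sp= and then p=, aligned() implements strict versus relaxed comparison, and dmarc_result() combines SPF and DKIM the way the receiver does. org_domain() here just keeps the last two labels, which is wrong for public suffixes such as co.uk; real receivers consult the Public Suffix List. The RECORDS zone is constructed.

```python
"""Organisational domain, subdomain policy lookup, and identifier alignment.

Added example, not VoltMail code. org_domain() keeps the last two labels;
that is wrong for public suffixes such as co.uk, where receivers consult the
Public Suffix List. RECORDS is a constructed zone: _dmarc owner -> parsed tags.
"""
from typing import Optional

RECORDS = {
    "_dmarc.acme.dev": {"v": "DMARC1", "p": "quarantine", "sp": "reject"},
    "_dmarc.newsletter.acme.dev": {"v": "DMARC1", "p": "none"},
}


def org_domain(name: str) -> str:
    """Organisational domain (simplified: last two labels, see module docstring)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def policy_for(records: dict, domain: str) -> Optional[str]:
    """Policy a receiver applies to mail whose From: domain is `domain`.

    Order (RFC 7489 6.6.3): the domain's own _dmarc record; else the
    organisational domain's sp= tag; else its p= tag; else no DMARC at all.
    """
    domain = domain.lower().rstrip(".")
    own = records.get(f"_dmarc.{domain}")
    if own:
        return own["p"]
    org = org_domain(domain)
    if org == domain:
        return None
    org_rec = records.get(f"_dmarc.{org}")
    if org_rec is None:
        return None
    return org_rec.get("sp", org_rec["p"])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Does an authenticated domain (SPF MAIL FROM, or DKIM d=) align with From:?"""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(header_from: str, spf_result: str, spf_domain: Optional[str],
                 dkim_result: str, dkim_domain: Optional[str],
                 aspf: str = "r", adkim: str = "r") -> str:
    """pass if either SPF or DKIM passed *and* its domain aligns; fail otherwise."""
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(header_from, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    for d in ("acme.dev", "receipts.acme.dev", "newsletter.acme.dev"):
        print(d, "->", policy_for(RECORDS, d))
    print("relaxed:", aligned("acme.dev", "mail.acme.dev", "r"),
          "strict:", aligned("acme.dev", "mail.acme.dev", "s"))
```

Two cases in the tests are worth noticing: acme.dev.attacker.example does not align with acme.dev even in relaxed mode, because alignment compares organisational domains rather than checking a suffix; and receipts.acme.dev, which has no record of its own, gets reject from sp= while the apex stays at quarantine.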

In VoltMail: we ingest your aggregate reports and parse them into a dashboard with per-source filtering. See alignment failures by IP, by date, by receiver. No more grepping XML.