DMARC in DNS
The policy layer on top of SPF and DKIM. Adding p=none is helpdesk; ramping to enforcement is design and escalates.
DMARC is the policy layer on top of SPF and DKIM. The record itself is short. The decision about what policy to publish, and especially when to step up from p=none to enforcement, is consequential and design-shaped.
Helpdesk work: adding an initial p=none to start monitoring. The ramp up to quarantine or reject is escalation. Knowing this boundary keeps you from accidentally rejecting legitimate mail.
What DMARC is and where it lives
A single TXT at _dmarc.<domain>:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
The fields that matter for helpdesk work:
| Field | What it does |
|---|---|
v=DMARC1 | Version. Always this. |
p=<policy> | What receivers should do when SPF and DKIM both fail and the From: domain is example.com. none / quarantine / reject. |
rua=mailto:<addr> | Where to send aggregate reports (XML summaries from each receiver, daily, of pass/fail counts). |
sp=<policy> | Optional subdomain policy. If unset, subdomains inherit p=. |
adkim= / aspf= | Alignment mode (relaxed / strict). Default relaxed. |
The three policies
flowchart LR
None["p=none<br/>monitor only<br/><em>receivers report; no action</em>"]
Quarantine["p=quarantine<br/>failing mail to spam<br/><em>spoofing visibly degraded</em>"]
Reject["p=reject<br/>failing mail bounces<br/><em>spoofing blocked at SMTP</em>"]
None -->|weeks of clean reports| Quarantine
Quarantine -->|more clean reports| Reject
p=none: receivers report failures but don’t act. No legitimate mail is blocked; no spoofing is blocked either. The value is the reports. Safe starting point.p=quarantine: failing mail goes to spam folders. Spoofing visibly degraded; legitimate mail that fails for unexpected reasons also lands in spam, potentially missed.p=reject: failing mail bounces. Spoofing blocked at the SMTP layer; legitimate mail that fails for any reason is gone, with bounces visible to the sender.
Practice: check a domain’s DMARC
Before adding a DMARC record, check whether one exists already.
Why ramping is design, not helpdesk
What this is NOT
- “DMARC blocks all spoofed mail.” DMARC blocks mail that fails alignment with the From: domain. Sophisticated phishing using look-alike domains (
exampl3.com,example.co) isn’t blocked. DMARC stops exact-domain spoofing. - “Setting
p=rejectis the safe choice.” It’s the strict choice. Safe depends on whether you’ve identified every legitimate sender. Going top=rejectwithout the ramp blocks legitimate mail you didn’t know about. - “DMARC requires SPF and DKIM both to pass.” DMARC requires at least one to pass and align with the From: domain. Pass = SPF passes and aligns, OR DKIM passes and aligns. (Not both.)
Decision walkthrough
Three weeks later, the owner asks can we move to p=reject now? The answer is: let me loop in your senior or email-security lead. The decision to ramp DMARC requires reading the aggregate reports and confirming every legitimate sender is properly authorised. We want to make sure no real mail is being blocked when we move to enforcement.