Intermediate
Lesson 10 of 11 · ~9 min

DMARC in DNS

The policy layer on top of SPF and DKIM. Adding p=none is helpdesk; ramping to enforcement is design and escalates.

DMARC is the policy layer on top of SPF and DKIM. The record itself is short. The decision about what policy to publish, and especially when to step up from p=none to enforcement, is consequential and design-shaped.

Helpdesk work: adding an initial p=none to start monitoring. The ramp up to quarantine or reject is escalation. Knowing this boundary keeps you from accidentally rejecting legitimate mail.

What DMARC is and where it lives

A single TXT at _dmarc.<domain>:

_dmarc.example.com.   IN  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

The fields that matter for helpdesk work:

FieldWhat it does
v=DMARC1Version. Always this.
p=<policy>What receivers should do when SPF and DKIM both fail and the From: domain is example.com. none / quarantine / reject.
rua=mailto:<addr>Where to send aggregate reports (XML summaries from each receiver, daily, of pass/fail counts).
sp=<policy>Optional subdomain policy. If unset, subdomains inherit p=.
adkim= / aspf=Alignment mode (relaxed / strict). Default relaxed.

The three policies

flowchart LR
    None["p=none<br/>monitor only<br/><em>receivers report; no action</em>"]
    Quarantine["p=quarantine<br/>failing mail to spam<br/><em>spoofing visibly degraded</em>"]
    Reject["p=reject<br/>failing mail bounces<br/><em>spoofing blocked at SMTP</em>"]
    None -->|weeks of clean reports| Quarantine
    Quarantine -->|more clean reports| Reject
  • p=none: receivers report failures but don’t act. No legitimate mail is blocked; no spoofing is blocked either. The value is the reports. Safe starting point.
  • p=quarantine: failing mail goes to spam folders. Spoofing visibly degraded; legitimate mail that fails for unexpected reasons also lands in spam, potentially missed.
  • p=reject: failing mail bounces. Spoofing blocked at the SMTP layer; legitimate mail that fails for any reason is gone, with bounces visible to the sender.

Practice: check a domain’s DMARC

Before adding a DMARC record, check whether one exists already.

dmarc-check
Look up the DMARC record. It lives at a specific subdomain.
$ pick one

Why ramping is design, not helpdesk

The escalation line
  • Adding _dmarc TXT "v=DMARC1; p=none; rua=mailto:..." from a vendor’s recommendation is helpdesk work.
  • Moving from p=none to p=quarantine or from p=quarantine to p=reject is design and escalates.

Why? Moving the policy requires reading the aggregate reports, identifying senders that legitimately send as the domain but aren’t yet authorised in SPF or DKIM (CRMs, newsletter services, third-party tools), and authorising them before any policy change. Misreading reports or moving too soon blocks real mail. The decision is design; senior or email-security lead owns it.

Tools like EasyDMARC, dmarcian, and Postmark’s DMARC monitor process the XML reports into human-readable dashboards. They make the ramp tractable; the work itself is still design.

What this is NOT

  • “DMARC blocks all spoofed mail.” DMARC blocks mail that fails alignment with the From: domain. Sophisticated phishing using look-alike domains (exampl3.com, example.co) isn’t blocked. DMARC stops exact-domain spoofing.
  • “Setting p=reject is the safe choice.” It’s the strict choice. Safe depends on whether you’ve identified every legitimate sender. Going to p=reject without the ramp blocks legitimate mail you didn’t know about.
  • “DMARC requires SPF and DKIM both to pass.” DMARC requires at least one to pass and align with the From: domain. Pass = SPF passes and aligns, OR DKIM passes and aligns. (Not both.)

Decision walkthrough

Set up DMARC at p=reject as requested?
A client just onboarded to M365. SPF and DKIM are set up. The owner emails: 'set up DMARC, and set it to reject so we're fully protected.'
Owner wants p=reject straight away. What do you do?

Three weeks later, the owner asks can we move to p=reject now? The answer is: let me loop in your senior or email-security lead. The decision to ramp DMARC requires reading the aggregate reports and confirming every legitimate sender is properly authorised. We want to make sure no real mail is being blocked when we move to enforcement.

Next lesson