DMARC explained: from p=none to p=reject without breaking mail

DMARC ties SPF and DKIM together with an alignment requirement and a published policy, then asks receivers to send back aggregate reports.

The policy ladder

DMARC has three policies: p=none (monitor only), p=quarantine (move failing mail to spam), and p=reject (refuse failing mail outright). Every domain should start at p=none with rua reporting enabled, identify all legitimate sources from the reports, fix any unaligned ones, and only then move up the ladder to p=quarantine and p=reject.

Aggregate (rua) vs forensic (ruf) reports

rua reports are XML summaries sent daily by major providers — they include sending IP, count, alignment results, and policy applied. ruf reports are per-message failures with redacted bodies; most providers have stopped sending ruf for privacy reasons. Start with rua only.

pct rollout

Use the pct= tag to apply your policy to a percentage of failing mail (e.g. p=quarantine; pct=10). Gradually ramp pct to 100 over weeks, watching rua reports for unexpected failures.

Subdomain policy

sp= sets the policy for subdomains. If you don't set it, sp inherits from p. Use sp=reject early — most attacks impersonate subdomains rather than the root.

Frequently asked questions

Do I need both SPF and DKIM passing?
No — DMARC passes if either SPF or DKIM passes AND aligns. DKIM alignment is usually more reliable because it survives forwarding.
