DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM, defined in RFC 7489. SPF and DKIM each verify a different signal; DMARC tells receivers two things: (1) what to do when neither signal "aligns" with the visible From: header (none / quarantine / reject), and (2) where to mail aggregate (RUA) and forensic (RUF) reports. The policy is published as a TXT record at _dmarc.{domain}.

v=DMARC1; p=none; rua=mailto:dmarc-agg@yourcompany.com; pct=100; adkim=r; aspf=r

Key tags:

• p= — policy: none (monitor only), quarantine (spam folder), reject (bounce).
• rua= — aggregate-report destination (one daily XML per receiver).
• ruf= — forensic / failure reports (rare; few receivers send these).
• pct= — percentage of failing mail to apply the policy to (rollout knob).
• adkim= / aspf= — alignment mode: r relaxed (matches at organisational-domain level) or s strict (exact From: match).

Skipping p=none is the most common DMARC mistake — going straight to p=reject on a domain whose mail flows you do not yet fully understand will silently bounce legitimate mail (forwarders, mailing lists, CRM tools). The standard rollout is: (1) deploy p=none with RUA reporting and watch the daily reports for two to four weeks; (2) fix the unauthenticated streams uncovered by the reports; (3) ramp through p=quarantine; pct=10 → 50 → 100; (4) finalise on p=reject; pct=100 once aggregate reports show zero legitimate fails for a full week.

Both Google and Yahoo updated their bulk-sender policies in February 2024 to require DMARC for any sender exceeding 5,000 messages per day to their users (Google guidance). For self-hosted operators using AcelleMail with Amazon SES at scale, DMARC alignment is no longer optional — it is a precondition for inboxing at the two largest mailbox providers.