Email·16 min·
DMARC: From p=none to p=reject, Safely
The alignment work between p=none and p=reject is the real DMARC project.
Loading...
WebShield Audit
Prerequisites
- You control the DNS zone for your sending domain
- SPF and DKIM are already deployed on every legitimate sender
- A place to receive and process aggregate (RUA) reports - dedicated mailbox, or a SaaS processor
- An inventory of every system that sends mail from your domain
Table of contents
What DMARC actually does
SPF answers 'is this sending IP authorised?' DKIM answers 'has this message been tampered with since it was signed?' DMARC is the glue: it requires that at least one of those checks pass AND that the authenticated identity aligns with the From: header domain the user sees. That alignment step is the part that defeats spoofing - an attacker who owns attacker.com can sign their mail with DKIM and send from a permitted IP, but they cannot align either signature with your From: domain.
DMARC then publishes a policy - none, quarantine, or reject - telling receiving servers what to do when alignment fails. And it publishes a reporting address so you see what is happening.
Stage 0 - Publish p=none with reports
Ship DMARC in monitor mode first. p=none applies no enforcement but mandates reports. Once you have two to four weeks of aggregate reports, you know every system that sends from your domain.
DNS (monitor)
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100"Stage 1 - Inventory every sender
Your first two weeks of DMARC reports will surprise you. They will list marketing platforms you forgot about (Mailchimp, Klaviyo, Customer.io), transactional senders (SendGrid, Postmark, SES), HR and payroll systems, expense tools, monitoring alerts - every system that was configured years ago to send 'from' your domain.
For each sender, answer:
- Is this a legitimate sender we still use? If no - remove the DNS/SPF reference and rotate any keys.
- Does it sign outbound mail with DKIM on our domain? If not, configure DKIM (every major platform supports it).
- Is its sending IP listed in our SPF? If not, add it or (better) add its dedicated SPF include.
- Does the From: header match our aligned domain? Some platforms send From: our-domain but route the envelope through theirs - alignment fails.
Stage 2 - DKIM on every legitimate sender
DKIM is the more forgiving of the two authentication mechanisms - it survives forwarding, mailing lists often preserve it, and it provides an aligned identity without requiring you to declare every IP. Aim for 100% DKIM coverage before tightening the DMARC policy.
DKIM TXT record (2048-bit)
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."Rotate DKIM keys at least annually. 2048-bit RSA is the current minimum; Ed25519 is supported by a growing share of receivers and produces smaller DNS records.
Stage 3 - SPF cleanup
SPF has a 10-DNS-lookup limit. Every include: counts. Every a and mx counts. Exceed ten and the record evaluates to permerror, which DMARC treats as a fail. An SPF record accumulated over years almost certainly exceeds the limit.
Audit lookups
dig +short TXT example.com | grep spf1
# Then walk each include: recursively and count lookups.
# Tools: spflint, dmarcian SPF Surveyor, MxToolbox SPF check.Options to stay under 10:
- Retire unused includes (expect to find 3–5 stale ones).
- Flatten with a hosted SPF flattener (keeps your record under 10 by resolving and caching the IPs at query time). Caveat: the flattener becomes critical infrastructure.
- Split senders across subdomains (marketing.example.com for Mailchimp, transactional.example.com for SendGrid) - each subdomain gets its own budget.
Stage 4 - Ramp through p=quarantine
Use pct= to apply the policy to a fraction of failing mail. Start at pct=10 - 10% of alignment failures go to quarantine, 90% go through. Check reports. Ramp up over weeks.
Quarantine ramp
; Stage 4a
_dmarc TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]; adkim=r; aspf=r"
; Stage 4b
_dmarc TXT "v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected]; adkim=r; aspf=r"
; Stage 4c
_dmarc TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; adkim=r; aspf=r"Stage 5 - Promote to p=reject
Once you have been on p=quarantine; pct=100 for at least two weeks with no new senders appearing in reports and no complaints from users, promote to p=reject. You can ramp through pct= again if you want a safety margin, but the conservative path is: if quarantine was clean, reject will be too.
Final policy
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s; pct=100"Forwarding, mailing lists, and the DMARC failure modes you will see
- Traditional mailing lists rewrite the From: header to the list address - that removes alignment with your domain and avoids DMARC failure. Good.
- Forwarding addresses (autoforward from one mailbox to another) often do not rewrite headers, so SPF fails at the second hop. DKIM usually survives - which is why DKIM coverage is non-negotiable.
- ARC (Authenticated Received Chain) is the protocol for forwarders to signal "I received this, it was aligned when I got it." Major providers honour ARC; it is the fix for legitimate forwarding breaking DMARC.
- Newsletter platforms that send "on behalf of" your From: address without DKIM alignment will fail DMARC. Configure DKIM on those platforms or migrate.
Frequently asked
Should I use ruf (forensic reports)?
Rarely. ruf reports include full message headers of failing messages, which most large senders don't emit (privacy). The useful signal is in rua aggregate reports. Skip ruf unless you have a specific incident to investigate.
Is one year of DMARC adoption realistic?
For a small domain with one or two senders, a week is enough. For a mid-sized company with accumulated sender sprawl, six to twelve weeks is typical. The slowness is almost always on the SPF/DKIM side - finding and fixing every legitimate sender.
Can I use sp= to apply different policy to subdomains?
Yes. sp= sets the policy for subdomains that do not publish their own _dmarc record. Typical pattern is p=reject; sp=reject once you are mature. While ramping, you can keep sp=none so subdomain experimentation does not get hard-rejected.
Keep going
Knowledge base
Missing DMARC Policy
High severity · Email
Knowledge base
Missing SPF Record
High severity · Email
Knowledge base
Missing DKIM Signature
High severity · Email
Guide
MTA-STS: A Complete Setup Guide (with TLS-RPT and DANE context)
Publish an HTTPS-backed SMTP TLS policy the way receiving MTAs expect to consume it.
Guide
HSTS: A Complete, Rollback-Safe Setup Guide
The max-age ramp, subdomain audit and preload submission - in the order they won't burn you.
Tool
MTA-STS Checker
Check your SMTP TLS policy the way receiving MTAs do.
Tool
BIMI Checker
Verify your brand logo will render in conformant inbox providers.
Tool
TLS-RPT Checker
See the TLS failures your mail server never tells you about.