High severity

Missing DMARC Policy

DMARC tells receiving mail servers what to do when a message fails SPF or DKIM checks, and where to send the forensic reports that prove whether your domain is being spoofed.

Business risk

Since February 2024, Google and Yahoo reject bulk mail (over 5,000 messages per day) from any domain without a DMARC record. For smaller senders, the effect is softer but still measurable: messages land in spam, deliverability drops, and you get no visibility into who is spoofing your domain. Without DMARC, attackers can freely send phishing email that appears to come from your domain and you will never know it happened.

Technical details

DMARC is a staged rollout, not a single switch. Start at `p=none` with reporting (`rua=mailto:[email protected]`) for 2 to 4 weeks to collect data on who is sending mail as you. Move to `p=quarantine; pct=25` and ramp the percentage over weeks. Only move to `p=reject` once reports are clean. The `/docs/dmarc-none-to-reject` playbook covers the full migration including SPF and DKIM alignment pitfalls.

How to detect it

DMARC is a TXT record at `_dmarc.yourdomain.com`. Missing record means no policy, no reports, and Gmail/Yahoo may reject your bulk mail since February 2024. A record with `p=none` is valid for discovery but not enforcing.

Read the TXT record

dig +short TXT _dmarc.yourdomain.com

Parse online

https://dmarcian.com/dmarc-inspector/?domain=yourdomain.com

Verify SPF and DKIM alignment work together

Send a test message to any address at [email protected] and read the reply

Common pitfalls

Publishing `p=reject` from day one. If any legitimate sender (marketing ESP, billing system, CI notifications) is not authenticated, their mail disappears. Start at `p=none` and collect reports for 2-4 weeks before moving to quarantine or reject.
Not configuring a `rua` (aggregate report) address. Without reports, you are flying blind - you cannot tell which of your senders are failing alignment.
Forgetting `sp` (subdomain policy). `p=reject; sp=none` leaves parked subdomains wide open for spoofing. Set `sp=reject` unless you have a reason not to.
Misaligning SPF or DKIM. DMARC passes only if SPF or DKIM is aligned (same domain as the `From:` header). Strict alignment (`adkim=s`, `aspf=s`) requires exact match; relaxed (default) allows organizational-domain match.
Using a DMARC aggregator address at a domain you do not own (e.g., `[email protected]`) without adding the required authorization TXT. The provider must publish a `<yourdomain>._report._dmarc.<theirdomain>` TXT to authorize receiving your reports.

Remediation guide

Publish as TXT at `_dmarc.yourdomain.com`. Replace the rua address with yours.

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

text

External references

Frequently asked questions

Is p=none enough?

No - it is the starting position, not the destination. `p=none` gives you reports but no protection. The whole point of DMARC is enforcing policy. Move to quarantine, then reject, once reports are clean.

How long from p=none to p=reject?

Plan 4-8 weeks for most orgs. Two weeks at `p=none` to collect reports, two weeks at `p=quarantine; pct=10`, two weeks at `p=quarantine`, then move to `p=reject`. Do not rush - misalignments only appear in traffic you receive.

Will DMARC break mail forwarding?

Plain forwarders (user auto-forwards to Gmail) break SPF alignment but usually preserve DKIM signatures - so DMARC passes via DKIM. Mailing lists that rewrite headers break both, which is why ARC (Authenticated Received Chain) exists. Large lists like Google Groups use ARC; most small ones do not.

Keep going

Related guide

Missing SPF Record

High severity · Email

Related guide

Missing DKIM Signature

High severity · Email

Related guide

Missing DNSSEC

Medium severity · DNS

Deep guide

DMARC: From p=none to p=reject, Safely

The alignment work between p=none and p=reject is the real DMARC project.

Free tool

TLS-RPT Checker

See the TLS failures your mail server never tells you about.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

Technical details

How to detect it

Read the TXT record

dig +short TXT _dmarc.yourdomain.com

Parse online

https://dmarcian.com/dmarc-inspector/?domain=yourdomain.com

Verify SPF and DKIM alignment work together

Send a test message to any address at [email protected] and read the reply

Common pitfalls

Publishing `p=reject` from day one. If any legitimate sender (marketing ESP, billing system, CI notifications) is not authenticated, their mail disappears. Start at `p=none` and collect reports for 2-4 weeks before moving to quarantine or reject.

Not configuring a `rua` (aggregate report) address. Without reports, you are flying blind - you cannot tell which of your senders are failing alignment.

Forgetting `sp` (subdomain policy). `p=reject; sp=none` leaves parked subdomains wide open for spoofing. Set `sp=reject` unless you have a reason not to.

Misaligning SPF or DKIM. DMARC passes only if SPF or DKIM is aligned (same domain as the `From:` header). Strict alignment (`adkim=s`, `aspf=s`) requires exact match; relaxed (default) allows organizational-domain match.

Using a DMARC aggregator address at a domain you do not own (e.g., `[email protected]`) without adding the required authorization TXT. The provider must publish a `<yourdomain>._report._dmarc.<theirdomain>` TXT to authorize receiving your reports.

Frequently asked questions

Is p=none enough?

How long from p=none to p=reject?

Will DMARC break mail forwarding?