Learn about DMARC, SPF, and DKIM

Welcome to DMARCPal's Learn blog. Check our posts to discover and learn more about DMARC, SPF, DKIM, and how to get the most value out of your DMARCPal subscription.

If ARC headers still look like random noise during an incident, that is normal.

Most teams first care about ARC when a forwarded message is obviously legitimate, but DMARC still fails somewhere downstream. At that point, reading cv=, i=, d=, and s= quickly is what separates a five-minute d...

If DMARC looked perfectly healthy yesterday and suddenly starts failing for forwarded messages or list traffic, you are not looking at a weird edge case. You are looking at a normal email path.

Forwarders and mailing lists are exactly where DMARC gets interesting, because they change message paths...

If ARC still feels fuzzy, that is completely normal.

Most admins first meet ARC while debugging a very practical problem: "this message is legitimate, but DMARC failed after forwarding." ARC exists for exactly that kind of path.

ARC stands for Authenticated Received Chain. It is defined in RFC...

When DMARC fails, the DNS record is often blamed first.

In practice, the fastest path to the real cause is usually the message header, specifically the Authentication-Results line. That one line tells you what the receiver believed about SPF, DKIM, and DMARC at evaluation time.

If this still f...

At some point every DMARC rollout hits this exact moment:

"The DNS record is published... now what?"

The answer is reporting. Specifically, aggregate DMARC reports (rua) sent as XML files.

This is where DMARC stops being a checkbox and becomes operations: figuring out who is sending as exa...

DMARC reporting is where the whole thing stops being theoretical.

If DMARC is the policy you publish in DNS, DMARC reports are the receipts: mailbox providers telling you what they observed when mail claiming to be from example.com hit their systems.

Those reports are what let you answer que...

If email from a perfectly legitimate system suddenly starts landing in spam (or bouncing), it usually isn't because "deliverability is mysterious".

It's because mailbox providers have been steadily raising the floor for what counts as a well-behaved sender.

This isn't just about inbox placement,...

“Apex domain” is one of those phrases that sounds more exotic than it is.

In day-to-day DNS work, the apex is simply the top name of the zone being edited. If the DNS zone is example.com, then the apex is example.com itself (sometimes shown as @ in DNS dashboards). If the zone is news.exa...

If you've ever stared at a DMARC report thinking "but SPF is passing... why is DMARC failing?", you've already met identifier alignment.

Alignment is one of those things that sounds like an academic detail until it bites you in production. Then it becomes the entire story.

In DMARC terms, what...

By default, any computer connected to the Internet can send emails pretending to come from your domain.

That’s true. If you registered example.com for your business and just configured basic email (i.e., for sending and receiving XXX@example.com messages), then someone in a cybercafe on the ot...