Learn about DMARC, SPF, and DKIM

When DMARC fails, the DNS record is often blamed first.

In practice, the fastest path to the real cause is usually the message header, specifically the Authentication-Results line. That one line tells you what the receiver believed about SPF, DKIM, and DMARC at evaluation time.

If this still f...

Sometimes DMARC reports need to go somewhere other than the domain in the From address. That is common when reports are collected by a shared mailbox, a central security team, or an external processor such as DMARCPal that receives and organizes reports. DMARC allows that, but only after the destina...

At some point every DMARC rollout hits this exact moment:

"The DNS record is published... now what?"

The answer is reporting. Specifically aggregate DMARC reports (rua) sent as XML files.

This is where DMARC stops being a checkbox and becomes operations: figuring out who is sending as exa...

DMARC reporting is where the whole thing stops being theoretical.

If DMARC is the policy you publish in DNS, DMARC reports are the receipts: mailbox providers telling you what they observed when mail claiming to be from example.com hit their systems.

Those reports are what let you answer que...

DMARC gets talked about like a single switch you flip for a domain.

In reality, most domains are a small ecosystem:

• the apex (example.com) where people type addresses and expect mail to "just work"
• a handful of subdomains used for actual sending (news.example.com, billing.example.com,...

It only takes one look at a real DMARC record to realize why people hesitate.

p, sp, pct, rua, ruf, fo, ri, rf...

It's not hard once it clicks. It's just that every tag looks equally important when you're new to it, and DNS is an unforgiving place to experiment.

This is a fiel...

If you've ever stared at a DMARC report thinking "but SPF is passing... why is DMARC failing?", you've already met identifier alignment.

Alignment is one of those things that sounds like an academic detail until it bites you in production. Then it becomes the entire story.

In DMARC terms, what...

Mistakes can happen.

An updated DKIM selector record may be missing a semicolon. Someone in a rush could mistype t...

In the previous steps of the 5-Stages DMARC Setup process we got to know more about the domain email traffic pattern...

Depending on the volume of emails you send, how old your domain is, and how much exposure it has, your DMARC reports...

The objective of this stage is to collect data so we get to know how email from the domain flows and, in parallel, m...

Planning and controlling the DMARC deployment process is crucial to avoid problems and questions down the road that...

Here is a brief overview of the DMARC setup process we will be covering in this post series:

The 5-Stages DMARC Se

DMARC is great. It allows you to publish your email sending policies, and those are used to prevent phishing emails using your domain. On top of that, it also provides reporting facilities that give you insights on your email delivery.

Implementing DMARC on new domains is straightforward. You just...