DMARC Record Analyzer

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when an email fails SPF or DKIM checks. DMARC adds two things SPF/DKIM lack: (1) Alignment — it requires the From: header domain to match the authenticated SPF or DKIM domain, preventing display name spoofing. (2) Reporting — DMARC sends daily aggregate XML reports (rua=) to your email so you can monitor who is sending email on behalf of your domain.

p=none: Monitoring mode — collect reports but take no action on unauthorized emails. Use this when starting DMARC to understand your email flows before enforcing. p=quarantine: Send non-compliant emails to spam/junk folder. A good intermediate step once you're confident in your setup. p=reject: Reject unauthorized emails outright — they never reach the inbox. This is the strongest protection against phishing and spoofing, and what Google/Yahoo now require for bulk senders. Migration path: none → quarantine → reject.

rua= specifies where DMARC aggregate reports are sent (e.g., rua=mailto:dmarc@yourdomain.com). These daily XML reports from major providers (Google, Microsoft, Yahoo) show: which IPs are sending email as your domain, which emails passed/failed SPF and DKIM, and the DMARC disposition. Without rua=, you have no visibility into unauthorized use of your domain. Free tools like Google Postmaster Tools or DMARC Digests can help parse these XML reports. Never set p=reject without first monitoring rua= reports for weeks.

Alignment ensures the From: header matches the authenticated domain. adkim= (DKIM alignment): r=relaxed allows subdomain.example.com to align with example.com. s=strict requires exact match. aspf= (SPF alignment): same relaxed/strict distinction for SPF. Relaxed mode (the default) is usually the right choice — strict alignment can cause legitimate transactional email from subdomains to fail DMARC. The key insight: without alignment, you could have an email that passes SPF for a completely different domain than what's in the From: header.

Google Workspace: Your DKIM selector is "google" by default. Authenticate in Google Admin Console. SPF should include include:_spf.google.com. Microsoft 365: Uses selector1 and selector2 (automatically rotated). SPF should include include:spf.protection.outlook.com. DMARC for both: Start with "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com". After 2-4 weeks monitoring reports, move to p=quarantine, then p=reject. The Google/Yahoo 2024 bulk sender requirements mandate DMARC p=none minimum for sending to their domains.