
Understanding DMARC

Resources

DMARC guides

SPF and DMARC record validation

If you are looking for SPF and DMARC record validation and parsing, check out the sister project, checkdmarc.

Lookalike domains

DMARC protects against domain spoofing, not lookalike domains. For open source lookalike domain monitoring, check out DomainAware.

DMARC Alignment Guide

DMARC ensures that the SPF and DKIM authentication mechanisms actually authenticate against the same domain that the end user sees in the message's From header.

A message passes a DMARC check by passing DKIM or SPF, as long as the corresponding identifier (the DKIM signing domain or the SPF MAIL FROM domain) is also in alignment with the From header domain.

+-----------------------+-----------------------+-----------------------+
|                       | **DKIM**              | **SPF**               |
+-----------------------+-----------------------+-----------------------+
| **Passing**           | The signature in the  | The sending mail      |
|                       | DKIM-Signature header | server's IP address   |
|                       | is validated using a  | is listed in the SPF  |
|                       | public key published  | record of the domain  |
|                       | as a DNS TXT record   | in the SMTP           |
|                       | of the domain named   | envelope's MAIL FROM  |
|                       | in the signature      | address               |
+-----------------------+-----------------------+-----------------------+
| **Alignment**         | The signing domain    | The domain in the     |
|                       | aligns with the       | SMTP envelope's MAIL  |
|                       | domain in the         | FROM address aligns   |
|                       | message's From header | with the domain in    |
|                       |                       | the message's From    |
|                       |                       | header                |
+-----------------------+-----------------------+-----------------------+

What if a sender won't support DKIM/DMARC?

  1. Some vendors don't know about DMARC yet; ask about SPF and DKIM/email authentication.
  2. Check if they can send through your email relays instead of theirs.
  3. Do they really need to spoof your domain? Why not use the display name instead?
  4. Worst case, have that vendor send email as a specific subdomain of your domain (e.g. noreply@news.example.com), and then create separate SPF and DMARC records on news.example.com, and set p=none in that DMARC record.

Warning

Do not alter the p or sp values of the DMARC record on the Top-Level Domain (TLD) – that would leave you vulnerable to spoofing of your TLD and/or any subdomain.
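The following is an added example, not code from this guide, from parsedmarc or from checkdmarc. It demonstrates the two points above in working Python: first, identifier alignment as described in the alignment table (a DKIM signing domain or an SPF MAIL FROM domain must align, relaxed or strict, with the From header domain); second, policy discovery for the subdomain arrangement recommended in step 4 and the warning that follows it (a dedicated `_dmarc.news.example.com` record with `p=none` leaves the rest of the organization enforcing, while `sp=none` on the parent record would weaken every subdomain at once). The organizational-domain lookup uses a small hard-coded suffix set standing in for the real Public Suffix List, and all DNS records, domains and authentication results are constructed sample data; both are assumptions of the example, not facts from the page.

```python
"""Added example: a minimal DMARC alignment and policy-discovery evaluator.

Not the project's own code. The suffix set, DNS records and messages below
are constructed sample data standing in for real DNS and the Public Suffix List.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List (assumption of this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()  # no known suffix: treat the whole name as organizational


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact match with the From domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                                        # RFC 5322 From header domain
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid signature
    spf_pass_domain: Optional[str] = None                   # MAIL FROM domain, if SPF passed


def dmarc_passes(results: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """Pass if a valid DKIM signature's domain aligns, or SPF passed with an
    aligned MAIL FROM domain. Either one is sufficient, exactly as the table says."""
    dkim_ok = any(aligned(d, results.from_domain, adkim) for d in results.dkim_pass_domains)
    spf_ok = results.spf_pass_domain is not None and aligned(
        results.spf_pass_domain, results.from_domain, aspf)
    return dkim_ok or spf_ok


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; sp=none' into a tag/value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def applicable_policy(from_domain: str, dns: Dict[str, str]) -> Optional[str]:
    """Simplified policy discovery: the From domain's own _dmarc record wins;
    otherwise the organizational domain's record applies, where 'sp' (if set)
    governs subdomains and 'p' is the fallback. None means no record found."""
    own = dns.get(f"_dmarc.{from_domain.lower()}")
    if own is not None:
        return parse_dmarc(own).get("p")
    parent = dns.get(f"_dmarc.{organizational_domain(from_domain)}")
    if parent is None:
        return None
    tags = parse_dmarc(parent)
    return tags.get("sp", tags.get("p"))


# Constructed DNS following step 4: the apex enforces, the vendor subdomain has
# its own monitoring-only record, so no other subdomain is affected.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# Constructed DNS showing the change the warning advises against: sp=none on
# the apex record relaxes every subdomain, not just the vendor's.
WEAKENED_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none",
}


def demo() -> Dict[str, object]:
    """Run the scenarios from the guide and return their outcomes."""
    vendor_mail = AuthResults(from_domain="news.example.com",
                              spf_pass_domain="bounce.vendor-esp.example")  # SPF passed, not aligned
    direct_mail = AuthResults(from_domain="example.com", dkim_pass_domains=["example.com"])
    sub_signed = AuthResults(from_domain="example.com", dkim_pass_domains=["mail.example.com"])
    return {
        "vendor_unaligned_spf": dmarc_passes(vendor_mail),            # False
        "direct_pass": dmarc_passes(direct_mail),                     # True
        "subdomain_sig_relaxed": dmarc_passes(sub_signed, adkim="r"),  # True
        "subdomain_sig_strict": dmarc_passes(sub_signed, adkim="s"),   # False
        "news_policy": applicable_policy("news.example.com", SAMPLE_DNS),      # none
        "other_sub_policy": applicable_policy("hr.example.com", SAMPLE_DNS),   # reject
        "weakened_sub_policy": applicable_policy("hr.example.com", WEAKENED_DNS),  # none
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vendor scenario shows why step 3 and step 4 exist: SPF passing for the vendor's own bounce domain does nothing for DMARC unless that domain aligns with the From header, so either the vendor signs with DKIM for your subdomain, or the subdomain gets its own relaxed record. Comparing `other_sub_policy` under `SAMPLE_DNS` with `weakened_sub_policy` under `WEAKENED_DNS` is the warning in code form.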