DMARC Generator

Start with p=none (monitor only) for 2-4 weeks. Review aggregate reports to identify legitimate senders and authentication issues. Fix issues, then upgrade to p=quarantine (spam folder) for another month. Finally, set p=reject (block) for maximum protection. Aggressive timeline: p=reject immediately if confident in SPF/DKIM setup. Use pct=10 to test policies on 10% of email before full rollout. Monitor continuously.

DMARC aggregate reports (rua) are daily XML files showing authentication results for your domain. Contains: sending IPs, SPF/DKIM/DMARC results, message volume, alignment status. Sent to rua= email addresses. Use parsers (dmarcian, Postmark, PowerDMARC) to analyze. Identifies: legitimate servers needing SPF includes, spoofing attempts, misconfigured authentication. Essential for policy enforcement. Enable reports before enforcing strict policies.

Create TXT record at _dmarc.yourdomain.com with generated DMARC policy. Example: _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]". DNS propagation takes 1-48 hours. Verify: dig TXT _dmarc.example.com or use online validators. Subdomain policy: use sp= tag or separate _dmarc record per subdomain. Update TTL to 300 for testing, increase to 3600+ for production. Monitor reports after deployment.

DMARC alignment ensures From: header domain matches authenticated domain. Two types: SPF alignment (From vs Return-Path domain), DKIM alignment (From vs DKIM d= domain). Modes: relaxed (subdomains allowed) or strict (exact match). Example: email from [email protected] with SPF authenticated @mail.example.com - relaxed passes, strict fails. Set with aspf=/adkim= tags. Strict mode prevents subdomain spoofing but requires careful configuration.

Forensic reports (ruf) provide individual email samples failing authentication. Contains full headers and redacted body. Privacy concerns: often disabled by receivers. Enable: ruf=mailto:[email protected] in DMARC record. Use for: debugging specific failures, investigating spoofing attempts, validating authentication setup. Format: ruf=mailto:[email protected]; fo=1:d:s (failure options). Store securely - contains email metadata. Consider data protection regulations (GDPR).

Percentage tag (pct) applies DMARC policy to percentage of failing emails. Example: pct=25 applies policy to 25% of failures, rest get p=none treatment. Use for: gradual policy rollout, testing p=reject impact, limiting false positives. Range: 0-100. Default: 100 (all emails). Strategy: start pct=10 with p=quarantine, monitor impact, increase gradually to pct=100. Remove pct tag once at 100. No effect on reporting - all failures reported.

Subdomain policy: add sp= tag for subdomain default policy. Example: v=DMARC1; p=reject; sp=quarantine (strict for root, quarantine for subdomains). Or create specific _dmarc records per subdomain. Wildcard: create _dmarc.*.example.com if DNS provider supports. Unused subdomains: set sp=reject to prevent abuse. Organizational domain policy applies if no subdomain DMARC record exists. Test with email from subdomain before enforcing.