What are the best practices for DMARC implementation, including tag definition and tool recommendations?
Michael Ko
Co-founder & CEO, Suped
Published 2 May 2025
Updated 19 Aug 2025
10 min read
Implementing DMARC is a critical step in securing your email ecosystem and ensuring deliverability. It acts as a policy layer over SPF and DKIM, telling recipient mail servers what to do with emails that fail authentication. Without DMARC, even if you have SPF and DKIM configured, malicious actors can still spoof your domain with relative ease, impacting your brand's reputation and potentially leading to phishing attacks. Properly setting up DMARC involves more than just publishing a record, it requires a strategic, phased approach, careful tag definition, and consistent monitoring using the right tools.
Many organizations make the mistake of jumping straight to a strict DMARC policy, which can inadvertently block legitimate emails. The key is to start cautiously, observe your email traffic, and then gradually increase enforcement. This iterative process allows you to identify and fix any legitimate email streams that might not be correctly authenticated before DMARC begins to block them.
The most fundamental best practice for DMARC implementation is to adopt a phased rollout strategy. This means you do not immediately jump to a DMARC policy of p=reject or p=quarantine. Instead, you begin with a p=none policy. This policy instructs recipient mail servers to take no action on emails that fail DMARC authentication, but importantly, they still send reports back to you. This monitoring phase is crucial for gathering data on your legitimate email sending sources and identifying any unauthenticated traffic.
After a period of monitoring, typically a few weeks to a month, and once you are confident that all your legitimate sending sources are properly authenticated with SPF and DKIM, you can then move to a p=quarantine policy. This tells recipient servers to place failing emails into the spam or junk folder. This is a softer enforcement that still allows legitimate but misconfigured emails to reach the recipient, albeit in a less prominent location. For guidance on this transition, consider our article on how to safely transition your DMARC policy.
Finally, when your DMARC reports show minimal or no legitimate emails failing authentication, you can progress to p=reject. This is the strongest policy, instructing recipient servers to outright reject emails that fail DMARC authentication, effectively blocking all spoofed emails from reaching inboxes. Google also recommends a phased approach to DMARC rollout, suggesting starting with p=none to confirm SPF and DKIM are correctly configured. This progressive method is critical to avoid disrupting legitimate email flow. You can find simple examples for starting with a p=none policy here.
Understanding DMARC policies
p=none: Monitoring mode. No action is taken on non-compliant emails, but DMARC reports are still generated and sent.
p=quarantine: Non-compliant emails are delivered to the recipient's spam or junk folder.
p=reject: Non-compliant emails are blocked outright and not delivered to the recipient at all.
Decoding DMARC record tags
A DMARC record is a TXT record added to your DNS. It defines your DMARC policy and specifies how recipient mail servers should handle emails from your domain that do not align with SPF or DKIM. Beyond the required v (version) and p (policy) tags, several other tags provide granular control over your DMARC implementation. You can learn more about a full list of DMARC tags in our dedicated guide.
Understanding these tags is crucial for a robust DMARC setup. For instance, the rua tag specifies where aggregate reports should be sent, providing valuable insights into your email traffic. The ruf tag, though less commonly used due to privacy concerns, designates an address for forensic reports, offering more detailed (but anonymized) information on individual failures.
While many tags have default settings, explicitly defining them can offer clearer communication of your policy. For example, using adkim=r and aspf=r (relaxed alignment) is often preferred for flexibility, allowing emails to pass DMARC even if the subdomain differs from the organizational domain. The DMARC RFC 7489 provides comprehensive details on these specifications. Refer to the DMARC RFC for more.
Tag
Description
Default Value
v
DMARC version identifier. Must be DMARC1.
DMARC1
p
Policy for the organizational domain. Required.
None
rua
Email address for aggregate (RUA) reports.
None
ruf
Email address for forensic (RUA) reports.
None
fo
Failure reporting options.
0
adkim
Alignment mode for DKIM: r (relaxed) or s (strict).
r
aspf
Alignment mode for SPF: r (relaxed) or s (strict).
r
pct
Percentage of emails to which the DMARC policy applies.
100
sp
Policy for subdomains. Overrides the p tag for subdomains.
Same as p
Achieving DMARC alignment with SPF and DKIM
DMARC works by verifying the alignment of the From header domain with the domains used in SPF and DKIM. This alignment is what distinguishes DMARC from SPF and DKIM individually, providing a more robust defense against email impersonation. You can explore how DMARC combines with SPF and DKIM in more detail in our article, A simple guide to DMARC, SPF, and DKIM.
There are two types of alignment modes: relaxed (r) and strict (s). Relaxed alignment is generally recommended for most senders. It provides flexibility, allowing mail to pass DMARC even if the subdomain used in SPF or DKIM is different from the organizational domain in the From header. This is especially useful if you use multiple third-party email service providers (ESPs) that send from their own subdomains.
Strict alignment, on the other hand, requires an exact match between the domains. While it sounds more secure, it can often lead to legitimate emails failing DMARC checks, particularly when using shared sending infrastructure or certain third-party services. Unless you have a very specific use case, such as preventing affiliates from sending from your organizational domain, strict alignment is rarely necessary and can cause more issues than it solves. For comprehensive setup guidelines, refer to our best practices for setting up SPF, DKIM, and DMARC.
Relaxed alignment (recommended)
Flexibility: Allows subdomains to pass alignment. For example, mail.example.com aligns with example.com.
Third-party senders: Best for organizations using ESPs or services that send from their own subdomains.
Common use: Appropriate for the vast majority of email senders without specific subdomain control requirements.
Strict alignment (specific cases)
Exact match: Requires the domains to match exactly. For example, mail.example.com would not align with example.com.
Limited use: Primarily used when precise control over subdomain usage is required, for example, to prevent certain third parties from using your primary domain.
Increased risk: Higher chance of legitimate emails failing DMARC if not all sending sources are perfectly configured for strict alignment.
Leveraging DMARC reports for insights
The power of DMARC lies in its reporting capabilities. By including rua (aggregate) and optionally ruf (forensic) tags in your DMARC record, you instruct recipient mail servers to send detailed reports to a specified email address. These reports provide invaluable visibility into your email ecosystem. For more information on setting up and understanding these reports, our guide on how to set up DMARC reports is a valuable resource.
Aggregate reports (RUA) provide an overview of your email traffic, showing how many messages pass or fail DMARC, which IPs are sending mail from your domain, and which authentication methods are being used. These reports are XML formatted and can be quite large, necessitating specialized tools for parsing. Forensic reports (RUF) offer more detailed information about individual failed messages, including headers and subjects. However, due to privacy concerns, many major mailbox providers do not send RUF reports, and they may contain sensitive information.
This example sets a monitoring policy (p=none) and directs both aggregate and forensic reports to specified email addresses. Replace yourdomain.com with your actual domain.
Regularly reviewing these reports is paramount. They will help you identify unauthorized senders, misconfigurations, or potential spoofing attempts. The insights gained from these reports guide your DMARC policy adjustments, allowing you to confidently move towards stricter enforcement without fear of blocking legitimate emails. Our article on understanding and troubleshooting DMARC reports from major providers like Google and Yahoo offers further assistance.
DMARC monitoring and analysis tools
While publishing a DMARC record is the first step, interpreting the raw XML reports can be challenging. This is where DMARC monitoring and analysis tools become indispensable. These tools parse the aggregate reports, transforming complex data into digestible graphs and tables, making it easy to visualize your email traffic and authentication trends. Many tools also offer alerts for unusual activity, helping you stay on top of potential threats or misconfigurations.
When choosing a DMARC tool, consider factors like the user interface, reporting capabilities, alert features, and cost. Some tools offer free trials or basic free tiers that can be helpful for initial monitoring. Remember that the best tool for you will depend on your specific needs and the volume of your email traffic. We have a detailed guide on the best DMARC monitoring tools that can assist you in making an informed decision.
Report parsers: These tools process raw XML reports into human-readable formats.
Dashboards: Provide a visual representation of your DMARC compliance, showing passing and failing email volumes.
Alerting systems: Notify you of suspicious activity or changes in your DMARC compliance.
Forensic report handling: Some tools can process ruf reports while protecting privacy.
For those comfortable with a bit of code, there are open-source DMARC report parsing tools available on platforms like GitHub. However, it is important to note that the effectiveness and reliability of these free or open-source solutions can vary greatly. Some users have reported them to be less robust or user-friendly than commercial offerings, so thorough testing is advisable before committing to one. Ultimately, the right tool streamlines your DMARC management, giving you the insights needed to protect your domain and ensure your emails reach their intended recipients.
Views from the trenches
Best practices
Start with p=none to collect reports and understand your email traffic patterns.
Ensure all legitimate sending sources are authenticated with SPF and DKIM before enforcing DMARC.
Use DMARC aggregate reports to gain visibility into email authentication status.
Transition DMARC policy gradually, moving from none to quarantine, then to reject.
Common pitfalls
Jumping straight to p=reject, which can block legitimate emails.
Not configuring SPF and DKIM correctly before DMARC implementation.
Ignoring DMARC reports or failing to analyze them properly.
Using strict alignment (adkim=s, aspf=s) without a clear, specific need.
Expert tips
Always include the p= tag; there is no default for it in a DMARC record.
Consider p=quarantine as a final policy if you have diverse sending infrastructure.
Relaxed alignment for SPF and DKIM provides more flexibility for most senders.
Choose a DMARC tool with a dashboard that makes data easy for you to understand.
Expert view
Expert from Email Geeks says start with p=none and analyze reports with a DMARC tool to verify authentication and alignment.
2019-05-28 - Email Geeks
Marketer view
Marketer from Email Geeks says open-source DMARC report parsers can be unreliable and should be thoroughly tested before relying on them for critical analysis.
2019-05-28 - Email Geeks
Final thoughts on DMARC implementation
DMARC implementation is a journey, not a one-time setup. It requires continuous monitoring, analysis, and adjustment to ensure optimal email security and deliverability. By following the best practices outlined, starting with a monitoring policy, understanding the various DMARC tags, ensuring proper SPF and DKIM alignment, and leveraging robust reporting tools, you can significantly enhance your email authentication posture. This proactive approach not only protects your brand from spoofing and phishing attempts but also contributes to a healthier email ecosystem overall, ensuring your legitimate messages reliably reach the inbox.
Remember, DMARC is a powerful tool in your email security arsenal. Used correctly, it provides unparalleled visibility and control over your domain's email traffic. Stay informed about updates from major mailbox providers, such as those from Googleand Yahoo, and continue to refine your DMARC policy based on the insights from your reports. This diligence will ensure your email program remains secure and effective.
