DMARC Settings & Switches — Practical Guide (Blue Canoe)

Last updated: 2025‑09‑09 • Owner: Blue Canoe

DMARC lets you tell receivers what to do with mail that fails DMARC (no SPF or DKIM pass that aligns with the From: domain), and where to send visibility reports.


1) The core tag (required)

  • v=DMARC1 — protocol version.
  • p= — policy for the organizational domain (e.g., blue-canoe.com).
    • none — monitor only (no enforcement). Best for initial rollout.
    • quarantine — treat failing mail as suspicious (often goes to spam).
    • reject — drop failing mail at SMTP time.

Rollout pattern we recommend
Start with p=none + reporting for 1–2 weeks, fix sources, then go to quarantine, and finally reject once clean.

Example (monitoring):
v=DMARC1; p=none; rua=mailto:dmarc@blue-canoe.com; ruf=mailto:dmarc-fail@blue-canoe.com; fo=1; pct=100


2) Alignment controls (critical)

DMARC requires alignment between the visible From: domain and the domains authenticated by SPF (MAIL FROM / Return‑Path) and/or DKIM (d=). Alignment can be relaxed or strict:

  • aspf= — SPF alignment: r (relaxed, default) or s (strict).
  • adkim= — DKIM alignment: r (relaxed, default) or s (strict).

Relaxed: the two domains only need to share the same organizational domain, so a subdomain aligns (e.g., From: blue-canoe.com aligns with DKIM d=mail.blue-canoe.com).
Strict: an exact domain match is required (From: blue-canoe.com must match d=blue-canoe.com).

Tip: Keep aspf=r; adkim=r during discovery. Tighten to s once all senders sign with the parent domain.


3) Reporting (visibility)

  • rua= — aggregate XML reports (daily summaries). Use one or more mailto: URIs, e.g. rua=mailto:dmarc@blue-canoe.com,mailto:dmarc@dmarcian.com
  • ruf= — forensic/failure reports (message samples). Use sparingly; receivers may redact heavily.

Related:

  • ri= — report interval in seconds (suggest keeping default 86400).
  • fo= — failure options:
    • 0 (default) — report only if both SPF and DKIM fail to produce an aligned pass.
    • 1 — report if either fails (noisier, good for early debugging).
    • d — report any DKIM signature failure; s — report any SPF failure.

Mailbox hygiene: For rua/ruf, provision dedicated mailboxes and rotate/expire old reports. Optional: forward to a DMARC analyzer.


4) Scope & exceptions

  • sp= — policy that applies to subdomains (if omitted, subdomains inherit p=).
    Example: p=reject; sp=quarantine while migrating legacy subdomain senders.
  • pct= — percentage of failing messages the policy is applied to (0–100).
    Example: pct=25 to enforce on 25% during a staged rollout.

Staged enforcement: Combine pct with p=quarantine before going to reject.


5) Example policies by phase

Phase 1 — Monitor:

v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@blue-canoe.com; fo=1; ri=86400; pct=100

Phase 2 — Quarantine (50%):

v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@blue-canoe.com; fo=1; pct=50

Phase 3 — Enforce (reject):

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@blue-canoe.com; fo=1; pct=100
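
As an added example (not part of the original guide), the following Python parses records like the three above, validates the tags from sections 1, 3 and 4, and applies the alignment rules from section 2 and the sp=/pct= scoping from section 4. The two-label organizational-domain rule and the `selected` flag standing in for pct= sampling are simplifying assumptions.

```python
"""Added example: parse a DMARC TXT record and evaluate alignment/disposition."""
from typing import Dict, Optional, Tuple

POLICIES = {"none", "quarantine", "reject"}
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict and validate the tags this guide covers."""
    pairs = [p.strip().partition("=") for p in record.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES or tags.get("sp", "none") not in POLICIES:
        raise ValueError("p= is required; p= and sp= must be none, quarantine or reject")
    if tags.get("aspf", "r") not in ("r", "s") or tags.get("adkim", "r") not in ("r", "s"):
        raise ValueError("aspf= and adkim= must be r or s")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be 0-100")
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo= accepts only 0, 1, d, s")
    for t in ("rua", "ruf"):
        if t in tags and not all(u.strip().startswith("mailto:") for u in tags[t].split(",")):
            raise ValueError(f"{t}= entries must be mailto: URIs")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers consult the
    # Public Suffix List (co.uk etc.); two labels are enough for the examples here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def evaluate(tags: Dict[str, str], from_domain: str, spf_domain: Optional[str] = None,
             dkim_domain: Optional[str] = None, selected: bool = True) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain and
    dkim_domain the d= that produced a *pass*; pass None when that check failed.
    `selected` says whether pct= sampling picked this message for the policy."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return "pass", "none"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    # Messages outside the pct= sample get the next-lower policy (reject -> quarantine -> none)
    return "fail", policy if selected else DOWNGRADE[policy]
```

Note that a message not selected by pct= is not simply passed: a p=reject record with pct=50 quarantines the other half, which is why the guide pairs pct with p=quarantine before moving to reject.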

6) Common pitfalls

  • Third‑party senders that can’t sign as your parent domain — fix DKIM d= or use a subdomain strategy.
  • SPF only: forwarding breaks SPF. Always aim for DKIM pass + alignment.
  • Multiple vendors per brand: keep d= consistent; avoid a zoo of sub‑subdomains.
  • Mixing Relaxed/Strict: change alignment in lockstep with vendor capability.

7) Quick checklist

  • [ ] Publish initial p=none with rua, fo=1.
  • [ ] Verify SPF include: chains and DKIM keys for all senders.
  • [ ] Triage aggregate reports, whitelist known forwarders.
  • [ ] Raise to quarantine + pct, then reject when clean.
  • [ ] Tighten adkim/aspf to s once stable.