DMARC fields explained


I forget what I don’t write down. And I publish what is not confidential or private. So here we are, with my explanation of what each DMARC field means (and why you most probably don’t need a paid DMARC reporting service).

Brief SPF, DKIM, and DMARC overview

Before I start, remember:
DMARC is based on From header, SPF is based on envelope sender.
– Jarland from MXroute

Short reference/reminder:

  • SPF -> envelope sender (MAIL FROM / Return-Path)
    Checks the envelope sender (Return-Path / MAIL FROM), not the visible From:
  • DKIM -> signed headers + body (domain in d=)
    Signs a domain (d=) that must align with the From: domain for DMARC
  • DMARC -> checks whether From: aligns with SPF and/or DKIM
    Evaluates alignment of the From: header domain
    Requires either SPF or DKIM to pass and align with the From: domain

DMARC example

A practical example before I explain what’s what.

This example emails you only if either SPF or DKIM alignment fails, and it enforces a strict DMARC policy (strict alignment requirements in order for email to not be blocked):

v=DMARC1;p=reject;sp=reject;aspf=s;adkim=s;fo=1;ruf=mailto:[email protected];

This example sends no emails whatsoever, but also has a strict DMARC alignment policy (see explanation below for testing with a relaxed policy):

v=DMARC1;p=reject;sp=reject;aspf=s;adkim=s;

DMARC fields explained

Orange fields below are not really necessary unless you have a huge web shop (or a forum) and want to keep an eye on the statistics – in that case you should probably use a DMARC tracking service.

  • v=DMARC1;
    Defines what the TXT DNS record is (i.e. declares it as a DMARC record).
  • p=reject;
    Domain policy (“p=reject” = block; “p=none” = monitor only, without blocking; “p=quarantine” = treat as suspicious/likely spam) – what servers should do when an email fails DMARC (i.e. both SPF and DKIM fail alignment checks).
  • sp=reject;
    Subdomain policy (“sp=reject” = block; “sp=none” = monitor only, without blocking; “sp=quarantine” = treat as suspicious/likely spam) – only affects subdomains without their own DMARC record.
  • pct=100;
    Percentage the policy is applied to (default is 100% so you can leave this out).
  • aspf=s;
    Strict SPF policy (“aspf=r” is relaxed) – see below for more details.
  • adkim=s;
    Strict DKIM policy (“adkim=r” is relaxed) – see below for more details.
  • ruf=mailto:[email protected];
    Forensic (failure) reports for individual messages that fail DMARC (best-effort only, Google often doesn’t send reports, for example).
  • rua=mailto:[email protected];
    Address for aggregate (RUA) reports – stats/analytics about which sources send mail as your domain and whether it passed.
  • ri=86400;
    Requested interval between aggregate reports, in seconds (86400 seconds = one day).
  • fo=1;
    Failure reporting options – when a forensic (ruf) report is sent: “fo=0” (the default if you leave this out) only if both SPF and DKIM fail to produce an aligned pass; “fo=1” if either SPF or DKIM fails to produce an aligned pass; “fo=d” if DKIM fails; “fo=s” if SPF fails. This affects reporting only, not blocking.

If you want maximum strictness and you control all legitimate sending, use strict alignment. That makes email spoofing most difficult (all else being equal). Otherwise, relaxed alignment is usually more likely to work while testing, or while using third-party services without knowing exactly how to configure DNS for them.

How alignment affects DMARC pass or fail

Strict “aspf=s” SPF alignment policy means that in order for a SPF check to pass (i.e. be considered aligned, and not failed):

  • SPF record exists and passes evaluation.
  • Message is sent from a host authorized in the SPF record.
  • The authenticated SPF domain exactly matches the domain in the From: header.

Relaxed aspf=r allows SPF to be considered aligned when the authenticated SPF domain is a subdomain of the domain in the From: header (for example mail.example.com vs example.com).

Strict “adkim=s” DKIM alignment policy means that in order for a DKIM check to pass (i.e. be considered aligned and not failed):

  • DKIM signature exists and passes cryptographic verification.
  • The signing domain (d=) exactly matches the domain in the From: header.

Relaxed adkim=r allows DKIM to be considered aligned when the DKIM signing domain is a subdomain of the From: domain (for example d=mail.example.com vs From: example.com).

These results are then used for the domain (“p=”) and subdomain (“sp=”) policy checks.
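As an added example (not code from the article), a small Python evaluator that parses a record like the ones above and applies the strict/relaxed alignment, p=/sp= and fo= rules described in this and the previous section. It assumes SPF and DKIM have already been verified and takes the resulting domains as input, and its relaxed mode approximates the organizational-domain comparison without a public suffix list.

```python
"""Toy DMARC evaluator for the record tags and alignment rules explained
above. Added example, not from the article; it touches no DNS or real mail."""

DEFAULTS = {"p": "none", "sp": None, "adkim": "r", "aspf": "r",
            "pct": "100", "fo": "0"}


def parse_dmarc(record):
    """Split 'tag=value;' pairs and fill in the RFC 7489 defaults."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags["sp"] is None:  # an omitted sp= inherits the p= policy
        tags["sp"] = tags["p"]
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match with the From: domain. Relaxed (r): same
    organizational domain, approximated here as 'one is a subdomain of the
    other' because this toy carries no public suffix list."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (mode == "r" and (a.endswith("." + f) or f.endswith("." + a)))


def evaluate(record, from_domain, spf_domain, dkim_domain, from_is_subdomain=False):
    """spf_domain: MAIL FROM domain that passed SPF (None if SPF did not pass).
    dkim_domain: d= of a validly signed message (None if no valid signature).
    from_is_subdomain: True when From: is a subdomain of the record's domain
    without its own DMARC record, so sp= applies instead of p=."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_domain, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok  # DMARC needs one aligned pass, not both
    policy = tags["sp"] if from_is_subdomain else tags["p"]
    # fo= may list several options separated by ':' (e.g. "1:d"); it only
    # decides whether a ruf= failure report is sent, never whether mail is blocked.
    fo = set(tags["fo"].split(":"))
    report = "ruf" in tags and (
        ("0" in fo and not spf_ok and not dkim_ok) or ("1" in fo and not (spf_ok and dkim_ok))
        or ("d" in fo and not dkim_ok) or ("s" in fo and not spf_ok))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": passed,
            "disposition": "none" if passed else policy, "failure_report": report}
```

The disposition ignores pct= (treated as 100), which is how the records in this article are written.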

Smart starting policy

Generally, it is best to start with a “p=none” policy and use rua reporting to note all the legitimate senders and fix your authentication properly. Then, further test with a “p=quarantine” policy, before configuring the strict “p=reject” policy.

Or start with strict right away and ask yourself one question:

How to send reports to a different domain?

Both the “rua” and “ruf” emails should be on the same domain or on a domain that is explicitly authorised to receive DMARC reports from the domain you are configuring DMARC for (otherwise emails will be silently dropped).
A TXT record in the example.net domain’s DNS that authorises example.net to receive reports for the example.com domain:

  • DNS record Type: TXT
  • Name: example.com._report._dmarc.example.net
  • Value: “v=DMARC1”

DMARC monitoring services – brief overview

No DMARC reporting – still perfectly fine

What happens if you omit DMARC report addresses?

  • No aggregate (RUA) reports are sent.
  • No forensic (RUF) reports are sent.
  • DMARC enforcement still works fully.
  • Spoofed mail is still rejected according to your DMARC policy.

DMARC reporting is optional.
If you have a simple setup and control all legitimate mail senders, enforcement alone is often sufficient (see above for DMARC setup explanation).

When do you actually need a DMARC monitoring service?

A DMARC monitoring service can be useful if you:

  • Send large volumes of email.
  • Use multiple third-party senders.
  • Run a webshop, forum, SaaS, or newsletter platform.
  • Need historical visibility and trend analysis.

For small sites with a known, controlled mail setup, DMARC reports often add noise rather than value.

EasyDMARC

https://easydmarc.com (naked domains make baby Jesus cry 🙂 )
The free tier is extremely limited and useful only for basic testing.
For sites that send a meaningful volume of email or generate revenue, this service can be useful for monitoring traffic and spotting misconfigurations.

I tested EasyDMARC for over a year (free access during testing), and my experience was positive.

It has a great email testing tool “Email Investigation” in the main sidebar options – great for confirming your policy (note that it seems to have gotten my strict SPF and DKIM alignment setting wrong):

Valimail Monitor

https://www.valimail.com
They don’t let you add just a subdomain?!?
Valimail requires adding their aggregate reporting address directly (rua=mailto:[email protected];).

During testing, I could not find a clear or intuitive way to monitor only a subdomain. Their documentation did not match actual behavior, and some tutorials appeared outdated or incorrect:
https://support.valimail.com/en/articles/8466303-how-to-add-a-subdomain-to-enforce-account
This did not inspire confidence.

I will be testing this service over the following days, weeks or months, depending on the initial experience with the free tier.

GlockApps 2.0

https://glockapps.com/
The first EasyDMARC alternative I came across. They used to publish good blog articles (I was subscribed to the newsletter for years). Free tier is useful. Good, intuitive UI.

Postmark Free DMARC Monitor

https://dmarc.postmarkapp.com
The “free” offering is very limited.
Pricing is $14 per month, per domain, which makes it expensive for multi-domain setups.

I did not test it further.

DMARCReport

On paper (the pricing page) it looks like reasonable pricing:
https://dmarcreport.com/pricing/

I did not test the service, so I cannot comment on reliability or usability.

dmarcadvisor

Offers a free XML parser for DMARC reports, which can be useful for occasional manual inspection:
https://eu.dmarcadvisor.com/dmarc-xml

Paid plans are in a similar general price range to EasyDMARC.
Review current pricing yourself if considering it for long-term use.

Suped

I was looking for a service with higher free tier limits for a local medium-sized business whose infrastructure I am helping to manage. Found Suped.
https://www.suped.com/

Free tier limits are generous and the service is OK (EasyDMARC is still my favourite, but it is also the most expensive). The limits:

  • 10,000 emails per month
  • 1 domain
  • 14 days data retention

Conclusion – KISS

DMARC is not complicated once you separate enforcement from reporting. If you control all legitimate mail sources and configure SPF and DKIM correctly, a strict DMARC policy (“p=reject” with strict alignment) works perfectly even without any reporting at all. DMARC monitoring services become useful only when you send large volumes of mail, rely on multiple third-party senders, or need historical visibility and trend analysis. For small, controlled setups, enforcement does the real work – reporting is optional, and often just adds noise.


Sources & further reading

MXroute has some great info in their documentation – they cover the basics very clearly, while this article I wrote goes into details for each DMARC record. MXroute docs structure:

DNS Authentication Records

Email Infrastructure

