Glossary

DMARC

Policy telling recipients what to do with messages that fail SPF and DKIM checks.

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is a DNS TXT record at _dmarc.yourdomain.com that tells receivers: "if a message from my domain fails both SPF and DKIM, do this".

Possible policies:

- p=none — do nothing, just report (start here).
- p=quarantine — move to spam.
- p=reject — bounce at SMTP time.

DMARC requires that the header From domain **match** the SPF-validated (envelope) or DKIM-validated (d=) domain — this is called alignment. Without alignment, an attacker could send mail with a valid SPF on their own domain but a forged header From.

Sendersy provisions DMARC automatically when a domain is added. We recommend starting with p=none + rua reports, then graduating to quarantine once all legitimate sources are signed. Since 2024 Gmail and Yahoo require at least p=none + rua for senders of ≥5 000 emails/day.