DMARC (Domain-based Message Auth)
The "secret art" of DKIM rotation. Your cryptographic keys are the keys to your kingdom. This section explains the critical best practice of "rotating" your keys (swapping new for old) without causing a single message to fail authentication.
Questions about DMARC (Domain-based Message Auth)
What is DMARC?
What problem does DMARC solve that SPF/DKIM don’t?
Why is DMARC important for email security and deliverability?
How does DMARC work with SPF and DKIM?
What are the DMARC policies (p=none, p=quarantine, p=reject)?
What does a DMARC record look like?
Where do I publish a DMARC record?
What is the rua tag in DMARC (aggregate reports)?
What is a DMARC aggregate report (RUA)?
What is the ruf tag in DMARC (forensic reports)?
What is a DMARC forensic report (RUF)?
What is DMARC alignment?
What is “alignment” in DMARC and how is it checked?
What is DMARC strict vs. relaxed alignment?
What’s the difference between relaxed and strict alignment?
How do I start implementing DMARC (p=none)?
When should I move to p=quarantine or p=reject?
How do you move from none → reject safely?
How do I read DMARC reports?
How to read and visualize DMARC XML reports?
What are common DMARC implementation challenges?
What happens when DMARC fails?
How often are reports sent?
What are organizational domains in DMARC?
How do subdomain policies (sp=) work?
What is a pct= tag?
How do third-party senders authenticate under DMARC?
What are common errors in DMARC records?
What’s the difference between hosted DMARC and DIY setup?
What is the maximum DMARC record length?
Why DMARC “pass” doesn’t guarantee inboxing?
How does DMARC interact with mailing lists?
Why Gmail and Yahoo require DMARC alignment for bulk senders?