DMARC: The Policy That Actually Enforces Email Authentication

SPF and DKIM check your email, but DMARC tells receiving servers what to do when those checks fail — and sends you reports of who's sending email as your school. It's the final piece of the email security puzzle.

What Is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a DNS policy record that:

  1. Ties together SPF and DKIM authentication
  2. Instructs receiving mail servers what to do when a message fails authentication
  3. Sends you reports of who is sending email using your domain

Without DMARC, even if you have SPF and DKIM configured, a receiving server may still deliver an email that fails those checks. DMARC changes "check these" to "reject these."

The DMARC Record

A DMARC record is a DNS TXT record published at _dmarc.yourschool.edu.ph:

```
v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100
```

| Tag | Meaning |
|-----|---------|
| v=DMARC1 | DMARC version (required) |
| p= | Policy: none, quarantine, or reject |
| rua= | Email address for aggregate reports |
| ruf= | Email address for forensic (failure) reports |
| pct= | Percentage of messages to apply policy to (100 = all) |
| sp= | Policy for subdomains (if different) |

The Three DMARC Policies

p=none (monitor mode)

```
v=DMARC1; p=none; rua=mailto:dmarc@yourschool.edu.ph
```

Does not affect email delivery. Only collects reports. Use this first to understand who is sending email as your domain.

p=quarantine

```
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourschool.edu.ph; pct=100
```

Failing messages go to the recipient's spam folder. Good intermediate step.

p=reject (full protection)

```
v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100
```

Failing messages are rejected outright — they never reach the inbox. This is the goal.

DMARC Alignment: The Important Detail

DMARC introduces a concept called alignment — the domain in the From: header (the address users see) must match the domain verified by SPF or DKIM.

This is what closes the spoofing gap: an attacker can pass SPF by sending from a legitimate server they control, but that SPF pass is for the attacker's own domain. It does not align with a From: header showing @yourschool.edu.ph, so the message still fails DMARC.

Deploying DMARC Step by Step

Step 1: Ensure SPF and DKIM are working

DMARC is only as strong as the authentication methods it enforces. Set up SPF and DKIM first.

Step 2: Start with p=none and collect reports

```
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourschool.edu.ph
```

Add this TXT record to DNS at _dmarc.yourschool.edu.ph. Wait 1–2 weeks. The reports will show every server sending email as your domain — including legitimate ones you may have forgotten (newsletters, SIS notifications, alumni platforms).

Step 3: Ensure all legitimate senders pass authentication

Review the reports. For each legitimate sender not passing SPF/DKIM, either:

  • Add them to your SPF record
  • Configure DKIM signing in their platform

Step 4: Move to quarantine

Once all legitimate email passes, change p=none to p=quarantine. Monitor for any legitimate email incorrectly failing.

Step 5: Move to reject

After confidence builds, move to p=reject. This is full DMARC protection — no spoofed email from your domain will reach inboxes.

Reading DMARC Reports

DMARC aggregate reports (rua) arrive as XML files. Free tools make them readable.
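An added example, not from the original page or from any reporting tool: a short Python script that reads one decompressed aggregate report and lists the sources that failed DMARC, which is the input for Step 3. The sample report, its IP addresses and its sender domains are constructed, and the script assumes a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: documentation IP ranges and made-up sender domains.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>yourschool.edu.ph</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourschool.edu.ph</header_from></identifiers>
  <auth_results><spf><domain>yourschool.edu.ph</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourschool.edu.ph</header_from></identifiers>
  <auth_results><spf><domain>newsletter.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.5</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourschool.edu.ph</header_from></identifiers>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def dmarc_failures(xml_text):
    """Return [(source_ip, message_count, spf_domain, raw_spf_result)] for DMARC failures."""
    # Reports come from outside parties; they never need a DTD, so refuse one.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    failures = defaultdict(int)
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either passes.
        if ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        key = (row.findtext("source_ip"), rec.findtext("auth_results/spf/domain"),
               rec.findtext("auth_results/spf/result"))
        failures[key] += int(row.findtext("count", "0"))
    # Largest senders first: these are the ones to fix before tightening the policy.
    return sorted(((ip, n, dom, res) for (ip, dom, res), n in failures.items()),
                  key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, n, dom, res in dmarc_failures(SAMPLE_REPORT):
        print(f"{ip}: {n} messages failed DMARC (SPF {res} for {dom})")
```

The 198.51.100.7 row shows alignment at work: SPF passed for newsletter.example, but that domain does not match the From: domain, so the messages still fail DMARC.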

What DMARC Won't Stop

DMARC protects your exact domain (yourschool.edu.ph). It does not protect against:

  • Look-alike domains (yoursch00l.edu.ph, yourschool-official.com)
  • Display name spoofing where only the visible name is faked, not the address
  • Compromised legitimate accounts

Check Your Domain

The Site Scanner checks whether your school's domain has a DMARC record and what policy it enforces.
