SchoolBreach.org

A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd


DMARC: The Policy That Actually Enforces Email Authentication

SPF and DKIM check your email, but DMARC tells receiving servers what to do when those checks fail — and sends you reports of who's sending email as your school. It's the final piece of the email security puzzle.

6 min read · DMARC, email security, DNS

What Is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a DNS policy record that:

  1. Ties together SPF and DKIM authentication
  2. Instructs receiving mail servers what to do when a message fails authentication
  3. Sends you reports of who is sending email using your domain

Without DMARC, even if you have SPF and DKIM configured, a receiving server may still deliver a message that fails those checks. DMARC changes "check these" to "reject these."

The DMARC Record

A DMARC record is a DNS TXT record published at _dmarc.yourschool.edu.ph:

v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100

| Tag | Meaning |
|-----|---------|
| v=DMARC1 | DMARC version (required) |
| p= | Policy: none, quarantine, or reject |
| rua= | Email address for aggregate reports |
| ruf= | Email address for forensic (failure) reports |
| pct= | Percentage of messages to apply policy to (100 = all) |
| sp= | Policy for subdomains (if different) |

The Three DMARC Policies

p=none (monitor mode)

v=DMARC1; p=none; rua=mailto:dmarc@yourschool.edu.ph

Does not affect email delivery. Only collects reports. Use this first to understand who is sending email as your domain.

p=quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourschool.edu.ph; pct=100

Failing messages go to the recipient's spam folder. Good intermediate step.

p=reject (full protection)

v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100

Failing messages are rejected outright — they never reach the inbox. This is the goal.
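A record can be checked against the tag table and the three policies mechanically. The following is an added example, not code from SchoolBreach.org or its Site Scanner; the function names and the wording of the findings are assumptions, and the third sample record is constructed.

```python
POLICIES = ["none", "quarantine", "reject"]  # weakest to strongest

def parse_dmarc(record):
    """Return the record's tags as an ordered list of (name, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return findings for one record; an empty list means p=reject on all mail."""
    pairs = parse_dmarc(record)
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["invalid: v=DMARC1 must be the first tag"]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return ["invalid: p= must be none, quarantine, or reject"]
    findings = []
    if policy == "none":
        findings.append("p=none: monitor mode, failing mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam, not rejected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("invalid: pct= must be a number from 0 to 100")
    elif int(pct) < 100:
        findings.append("pct=%s: policy applies to only part of the mail" % pct)
    sp = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if sp in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        findings.append("sp=%s: subdomains get a weaker policy than p=%s" % (sp, policy))
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports will be sent to you")
    return findings

# Two records from the article, plus one constructed weak record.
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100",
    "v=DMARC1; p=none; rua=mailto:dmarc@yourschool.edu.ph",
    "v=DMARC1; p=reject; sp=none; pct=50",  # constructed
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_dmarc(rec) or "OK")
```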

DMARC Alignment: The Important Detail

DMARC introduces a concept called alignment — the domain in the From: header (the address users see) must match the domain verified by SPF or DKIM.

This is what closes the spoofing gap: an attacker can pass SPF by sending from a legitimate server they control, but that SPF pass is for the attacker's own domain. It does not align with a From: header showing @yourschool.edu.ph, so the message fails DMARC and your published policy decides what happens to it.
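The alignment rule, worked through as an added example (not code from SchoolBreach.org). It goes slightly beyond the text by showing both alignment modes defined in RFC 7489: relaxed (the default, same organizational domain) and strict (exact match). The suffix list, function names and sample messages are constructed assumptions.

```python
# Constructed suffix list, enough for this example. Real receivers use the
# Public Suffix List to find a name's organizational domain.
SUFFIXES = ("edu.ph", "com", "example")

def org_domain(domain):
    """Organizational domain: the matching suffix plus one label to its left."""
    domain = domain.lower().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith("." + suffix):
            left = domain[: -len(suffix) - 1]
            return left.split(".")[-1] + "." + suffix
    return domain

def aligned(from_domain, auth_domain, strict=False):
    """Strict: exact match. Relaxed: same organizational domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf_domain=None, dkim_domain=None, strict=False):
    """spf_domain / dkim_domain: the domain each check authenticated, or None
    if that check failed. DMARC passes if either one aligns with From:."""
    for auth in (spf_domain, dkim_domain):
        if auth and aligned(from_domain, auth, strict):
            return "pass"
    return "fail"

# Constructed messages: (description, From: domain, SPF domain, DKIM domain)
CASES = [
    ("school mail server", "yourschool.edu.ph", "yourschool.edu.ph", "yourschool.edu.ph"),
    ("vendor signing as the school", "yourschool.edu.ph", "bounce.vendor.example", "mail.yourschool.edu.ph"),
    ("SPF passes for another domain", "yourschool.edu.ph", "attacker.example", None),
    ("look-alike domain", "yoursch00l.edu.ph", "yoursch00l.edu.ph", None),
]

if __name__ == "__main__":
    for desc, frm, spf, dkim in CASES:
        print("%-32s DMARC %s" % (desc, dmarc_result(frm, spf, dkim)))
```

The last case passes because DMARC only evaluates the domain actually shown in From:, which is why look-alike domains appear under "What DMARC Won't Stop".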

Deploying DMARC Step by Step

Step 1: Ensure SPF and DKIM are working

DMARC is only as strong as the authentication methods it enforces. Set up SPF and DKIM first.

Step 2: Start with p=none and collect reports

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourschool.edu.ph

Add this TXT record to DNS at _dmarc.yourschool.edu.ph. Wait 1–2 weeks. The reports will show every server sending email as your domain — including legitimate ones you may have forgotten (newsletters, SIS notifications, alumni platforms).

Step 3: Ensure all legitimate senders pass authentication

Review the reports. For each legitimate sender not passing SPF/DKIM, either:

  • Add them to your SPF record
  • Configure DKIM signing in their platform

Step 4: Move to quarantine

Once all legitimate email passes, change p=none to p=quarantine. Monitor for any legitimate email incorrectly failing.

Step 5: Move to reject

After confidence builds, move to p=reject. This is full DMARC protection — no spoofed email from your domain will reach inboxes.

Reading DMARC Reports

DMARC aggregate reports (rua) arrive as XML files. Free tools make them readable:

  • MXToolbox DMARC Report Analyzer
  • dmarcian (free tier available)
  • Google Postmaster Tools (if using Google Workspace)

What DMARC Won't Stop

DMARC protects your exact domain (yourschool.edu.ph). It does not protect against:

  • Look-alike domains (yoursch00l.edu.ph, yourschool-official.com)
  • Display name spoofing where only the visible name is faked, not the address
  • Compromised legitimate accounts

Check Your Domain

The Site Scanner checks whether your school's domain has a DMARC record and what policy it enforces.

Related Resources

  • SPF Email Security — step 1 of email authentication
  • DKIM Email Security — step 2 of email authentication
  • Common Attack Vectors in Philippine Schools — BEC and phishing via domain spoofing