SPF and DKIM check your email, but DMARC tells receiving servers what to do when those checks fail — and sends you reports of who's sending email as your school. It's the final piece of the email security puzzle.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a DNS policy record that:
Without DMARC, even if you have SPF and DKIM configured, a receiving server may still deliver an email that fails those checks. DMARC changes "check these" to "reject these."
A DMARC record is a DNS TXT record published at _dmarc.yourschool.edu.ph:
v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100
| Tag | Meaning |
|-----|---------|
| v=DMARC1 | DMARC version (required) |
| p= | Policy: none, quarantine, or reject |
| rua= | Email address for aggregate reports |
| ruf= | Email address for forensic (failure) reports |
| pct= | Percentage of messages to apply policy to (100 = all) |
| sp= | Policy for subdomains (if different) |
v=DMARC1; p=none; rua=mailto:dmarc@yourschool.edu.ph
Does not affect email delivery. Only collects reports. Use this first to understand who is sending email as your domain.
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourschool.edu.ph; pct=100
Failing messages go to the recipient's spam folder. Good intermediate step.
v=DMARC1; p=reject; rua=mailto:dmarc@yourschool.edu.ph; pct=100
Failing messages are rejected outright — they never reach the inbox. This is the goal.
DMARC introduces a concept called alignment — the domain in the From: header (the address users see) must match the domain verified by SPF or DKIM.
This is what closes the spoofing gap: an attacker can pass SPF by sending from a legitimate server they control, but a message whose From: header shows @yourschool.edu.ph will then fail alignment, and it is delivered only if that domain's DMARC policy allows it.
DMARC is only as strong as the authentication methods it enforces. Set up SPF and DKIM first.
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourschool.edu.ph
Add this TXT record to DNS at _dmarc.yourschool.edu.ph. Wait 1–2 weeks. The reports will show every server sending email as your domain — including legitimate ones you may have forgotten (newsletters, SIS notifications, alumni platforms).
Review the reports. For each legitimate sender not passing SPF/DKIM, either:
Once all legitimate email passes, change p=none to p=quarantine. Monitor for any legitimate email incorrectly failing.
After confidence builds, move to p=reject. This is full DMARC protection — no spoofed email from your domain will reach inboxes.
DMARC aggregate reports (rua) arrive as XML files. Free tools make them readable:
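To check a single report by hand, the following added example (not from the original page or from any report tool) totals messages and DMARC failures per sending IP, which is the list you work through when deciding which legitimate senders still need SPF or DKIM fixed. It assumes the report is already decompressed and uses no XML namespace; the sample report and its IP addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (already unzipped).
# IPs are documentation addresses; real reports carry more fields than shown here.
SAMPLE_REPORT = """<feedback>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourschool.edu.ph</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourschool.edu.ph</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourschool.edu.ph</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mail.yourschool.edu.ph</header_from></identifiers></record>
</feedback>"""


def summarize(report_xml):
    """Per source IP: messages seen, how many failed DMARC, and From: domains used."""
    # Reports come from outside parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("report contains a DTD or entity declaration")
    senders = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        spf = rec.findtext("row/policy_evaluated/spf", "fail").strip().lower()
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail").strip().lower()
        entry = senders.setdefault(ip, {"messages": 0, "failed": 0, "from": set()})
        entry["messages"] += count
        if spf != "pass" and dkim != "pass":
            entry["failed"] += count
        entry["from"].add(rec.findtext("identifiers/header_from", "").strip().lower())
    return senders


def failing_sources(report_xml):
    """Source IPs with DMARC failures, highest failing volume first."""
    rows = [(ip, s["failed"]) for ip, s in summarize(report_xml).items() if s["failed"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_REPORT).items()):
        print(ip, s["messages"], "msgs,", s["failed"], "failed DMARC, From:", sorted(s["from"]))
```

A source that passes only one of SPF or DKIM, like 198.51.100.7 in the sample, still passes DMARC, so it does not appear in `failing_sources`.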
DMARC protects your exact domain (yourschool.edu.ph). It does not protect against:
yoursch00l.edu.ph, yourschool-official.com)

The Site Scanner checks whether your school's domain has a DMARC record and what policy it enforces.