Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
DMARC Setup and Enforcement Guide
From p=none Monitoring to p=reject Enforcement
Version 2026-04 · Cloud Server for Email
DMARC Record Syntax
_dmarc.yourdomain.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s"
Required Tags
| Tag | Value | Meaning |
|---|---|---|
| v | DMARC1 | Version (required, always DMARC1) |
| p | none / quarantine / reject | Policy: what to do with failing mail |
| rua | mailto:dmarc@yourdomain.com | Aggregate report recipient |
Optional but Recommended Tags
| Tag | Value | Meaning |
|---|---|---|
| ruf | mailto:dmarc@yourdomain.com | Forensic (failure) report recipient |
| fo | 1 | Send forensic report on any auth failure (vs 0 = all fail) |
| adkim | s (strict) or r (relaxed) | DKIM alignment mode |
| aspf | s (strict) or r (relaxed) | SPF alignment mode |
| pct | 5 to 100 | Percentage of mail to apply policy to (use during rollout) |
| sp | none / quarantine / reject | Subdomain policy (defaults to main policy) |
Enforcement Advancement Timeline
| Week | Policy | Condition to Advance |
|---|---|---|
| 1–4 | p=none | Receiving reports; reviewing for unauthorized senders |
| 5–8 | p=none (continued) | All legitimate senders appear in reports with pass |
| 9–12 | p=quarantine; pct=5 | No legitimate mail being quarantined at 5% rollout |
| 13–16 | p=quarantine; pct=25 | Clean at 25% for 2+ weeks |
| 17–20 | p=quarantine; pct=100 | Clean at 100% for 2+ weeks |
| 21–24 | p=reject; pct=5 | No legitimate mail being rejected at 5% rollout |
| 25–28 | p=reject; pct=100 | Full enforcement — all unauthorized mail rejected |
Reading DMARC Aggregate Reports
- Reports are XML files sent to your rua address, usually daily
- Each report shows: source IP, count, SPF result, DKIM result, disposition
- Look for rows where spf and dkim both show "fail" — these are alignment failures
- Look for unexpected source IPs — these may be unauthorized senders or misconfigured systems
- Free DMARC report parsers: dmarcian.com, easydmarc.com, mxtoolbox.com/dmarc
Common DMARC Failures and Fixes
| Failure | Cause | Fix |
|---|---|---|
| SPF fail, DKIM pass → DMARC pass | DKIM alignment covers for SPF | OK — but fix SPF for defense-in-depth |
| SPF pass, DKIM fail → DMARC fail | DKIM signature not verifying | Check DNS record, key rotation, header canonicalization |
| Both fail | Sending from IP/domain not authorized | Add to SPF; configure DKIM signing |
| Third-party sender failing | ESP not configured for your domain | Configure ESP's DKIM with your domain, or use subdomain |
Google Postmaster Tools shows your DMARC compliance rate for Gmail delivery. Target: 100% compliance before advancing policy beyond p=none.