Jumping from p=none to p=reject
Going straight to reject without monitoring is a guarantee that you'll lose legitimate emails.
How to fix it: Follow the path: none → quarantine with gradual pct → reject. At least 1 month at each stage.
Domain-based Message Authentication, Reporting & Conformance
Domain-based Message Authentication, Reporting & Conformance takes SPF and DKIM and joins them with a policy: what to do when someone sends using your domain without authorization. It's what closes the authentication loop.
DMARC (RFC 7489) doesn't authenticate on its own. What it does is tell the receiver "when an email fails both SPF and DKIM aligned with my domain, do X." That X is the policy.
The three possible policies: p=none (do nothing, just report to me), p=quarantine (send it to spam), and p=reject (reject it outright).
Beyond the policy, DMARC enables reports: the receiver sends you XML files with every sending attempt using your domain. That shows you real spoofing, includes you're missing, and subdomains you don't control.
Real example
_dmarc.tudominio.com TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; sp=quarantine; adkim=s; aspf=s"
v=DMARC1Version
Indicates this is a DMARC version 1 record.
p=quarantineMain policy
p=none (monitoring), p=quarantine (to spam), or p=reject (rejection). You always start with none.
rua=mailto:[email protected]Aggregate reports
Email address where you receive daily aggregate reports from receivers (XML files).
pct=100Percentage
What percentage of emails the policy applies to. You start at pct=10 if you want to go gradually.
sp=quarantineSubdomain policy
Policy for subdomains. If not specified, they inherit the main one.
adkim=s · aspf=sStrict alignment
s = strict (exact match). r = relaxed (relaxed match, default). Start with relaxed.
Steps in order. Skipping one usually leads to problems that take days to diagnose.
DMARC requires at least one of the two to be aligned with your domain. If SPF is broken and DKIM is too, DMARC will fail across the board.
Start with pure monitoring: v=DMARC1; p=none; rua=mailto:[email protected]. You're not blocking anything, just receiving reports.
Tip: This is crucial. Skipping this step and going straight to quarantine is the #1 cause of lost legitimate emails.
The XML reports that arrive at rua= show which servers send on your behalf, which pass SPF/DKIM and which don't. You'll detect missing includes and possible spoofers.
Tip: There are tools that parse the XML files automatically (Postmark DMARC, Dmarcian, Valimail).
If you see legitimate servers that aren't passing, add them to SPF and set up DKIM for them. If you see spoofers, you already have the data to escalate later.
When the reports show that 95%+ of your emails are authenticated, move up to p=quarantine pct=10. Then pct=25, 50, 100. Only move to p=reject once everything is clean.
Going straight to reject without monitoring is a guarantee that you'll lose legitimate emails.
How to fix it: Follow the path: none → quarantine with gradual pct → reject. At least 1 month at each stage.
The reports are XML files that arrive in your inbox. Without parsing them, you learn nothing and DMARC adds no value beyond blocking.
How to fix it: Use Dmarcian, Postmark DMARC, Valimail, or your own parser. The reports are gold.
If you don't specify sp=, subdomains inherit p=. But if you have subdomains you don't use, it's best to set sp=reject explicitly.
How to fix it: Set sp= explicitly based on actual usage. Unused subdomains go straight to sp=reject.
If you set adkim=s or aspf=s but your platform uses subdomains for tracking, alignment fails and DMARC blocks.
How to fix it: Start with adkim=r and aspf=r (relaxed). Move to strict only once you've confirmed it doesn't break anything.
Three ways to check — from your terminal or online tools. If all of them return OK, you're done.
Linux/Mac terminal
dig TXT _dmarc.tudominio.com +short
Returns the published DMARC record.
Test email to Gmail
Headers > Show original > DMARC
Shows "dmarc=pass action=none header.from=yourdomain.com".
Online
mxtoolbox.com/dmarc.aspx
Record validation + diagnostics for related SPF/DKIM.
How arrobaMail handles it
At arrobaMail, we help you build your DMARC record, interpret your first reports, and stage the migration from p=none to p=reject without breaking your legitimate sends.
Yes, they're different things. SPF and DKIM authenticate. DMARC applies a policy on top of what happens when they fail. Without DMARC, each receiver decides on its own what to do with an email that fails authentication.
When reports show that 99%+ of your legitimate emails are authenticating OK and you've monitored without surprises for several weeks. There's no rush: p=quarantine already protects against phishing.
It means the visible Header-From domain (what the user sees) matches the domain authenticated by SPF/DKIM. Without alignment, DMARC fails even if SPF and DKIM individually pass.
No. Aggregate reports are statistics: how many emails, from which IPs, with what results. They don't include content. Forensic reports (RUF) do, but almost no one sends them for privacy reasons.
Gmail, Yahoo, and Microsoft are tightening requirements for bulk senders (more than 5,000 emails/day). Without DMARC, you'll increasingly be sent to spam or blocked outright. What used to be optional is now virtually mandatory.
Sender Policy Framework
Lista blanca de servidores autorizados a enviar mail con tu dominio.
Read guideDomainKeys Identified Mail
Firma criptográfica que prueba autenticidad e integridad del mensaje.
Read guideCalentamiento de dominio e IP
Aumento gradual del volumen para construir reputación buena.
Read guideFree plan, AI generations included, no credit card required — and real support from a real team.