Bento

DMARC Deep Dive

The DNS Setup guide covers adding the basic DMARC record Bento gives you. This page explains what DMARC actually does, how alignment works, and how to move from monitoring to enforcement without losing legitimate mail.

What DMARC Does

DMARC does two things:

  1. Policy. It tells receiving servers like Gmail and Outlook what to do with a message that claims to be from your domain but fails SPF and DKIM alignment. The options are do nothing, send it to spam, or reject it.
  2. Reporting. It asks receivers to send you regular reports about every message they saw using your domain. This shows you all your legitimate sending sources and anyone spoofing you.

SPF and DKIM authenticate a message. DMARC connects that authentication to the domain the recipient actually sees in the From header. Without DMARC, a message can pass SPF for one domain while showing a completely different domain in the From line.

Alignment Explained

A message passes DMARC when at least one of these is true:

  • The From domain matches the DKIM d= domain (DKIM alignment).
  • The From domain matches the SPF return-path domain (SPF alignment).

Only one needs to pass. When you complete Bento DNS setup, your DKIM signature uses your domain, so your Bento mail passes DMARC through DKIM alignment.

Alignment can be relaxed or strict. Relaxed, the default, allows subdomain matches. Mail from mail.example.com aligns with a From address at example.com. Strict requires an exact match. Most senders should stay on relaxed.
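The alignment rules above, worked through as an added Python example (not Bento's code): relaxed mode compares organizational domains, strict mode demands an exact match, and DMARC passes when either the DKIM d= domain or the SPF return-path domain aligns with the From domain. The organizational-domain helper is a simplification that takes the last two labels; a real implementation consults the Public Suffix List.

```python
# Added example (not Bento's code): DMARC identifier alignment.
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two DNS labels.
    This is an assumption of the example; real DMARC code uses the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed (r) alignment matches organizational domains, so
    mail.example.com aligns with example.com. Strict (s) needs equality."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_evaluate(from_domain: str,
                   dkim_pass: bool, dkim_domain: Optional[str],
                   spf_pass: bool, spf_domain: Optional[str],
                   adkim: str = "r", aspf: str = "r") -> dict:
    """Combine raw SPF/DKIM results with alignment. DMARC passes when at
    least one authenticated identifier aligns with the From domain."""
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and is_aligned(from_domain, dkim_domain, adkim))
    spf_aligned = bool(spf_pass and spf_domain
                       and is_aligned(from_domain, spf_domain, aspf))
    return {"dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned}


if __name__ == "__main__":
    # Forwarded message: SPF passes for the forwarder's own domain, which is
    # not aligned, but the DKIM signature with d=example.com survives, so
    # DMARC still passes through DKIM alignment.
    print(dmarc_evaluate("example.com", True, "example.com", True, "forwarder.net"))
```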

The Three Policies

Policy          What receivers do with failing mail    When to use
p=none          Deliver normally, just report          Starting out, gathering data
p=quarantine    Send to spam                           Mid-rollout, once reports look clean
p=reject        Refuse delivery entirely               Final state for most domains

p=none provides no protection against spoofing. It exists so you can collect reports and find every legitimate sending source before tightening the policy.

Staged Rollout Plan

Do not jump straight to p=reject. Move in stages:

  1. Publish p=none with a rua reporting address. Example: v=DMARC1; p=none; rua=mailto:dmarc@example.com
  2. Monitor reports for 2 to 4 weeks. Identify every service sending as your domain: Bento, your app servers, support tools, billing systems, internal mail.
  3. Fix alignment for every legitimate source. Each one needs DKIM signing with your domain or an aligned SPF return-path.
  4. Move to p=quarantine. Use pct= to apply it gradually, for example p=quarantine; pct=25, then raise the percentage as reports stay clean.
  5. Move to p=reject once reports show no legitimate mail failing.

Reading Aggregate Reports

Aggregate (rua) reports arrive as XML attachments, usually daily, from each major receiver. Each report lists sending IPs, message counts, and SPF and DKIM results for mail using your domain.

Raw XML is hard to read at volume. Use a report processor:

  • dmarcian has a free tier for low-volume domains.
  • Postmark's DMARC tool is free and sends a weekly digest.
  • EasyDMARC has free and paid tiers with alerting.

When reviewing reports, look for:

  • Legitimate sources failing alignment. Fix these before tightening policy.
  • Unknown IPs sending as your domain. This is spoofing, and it is why you want enforcement.
  • Forwarded mail failing SPF but passing DKIM. This is normal and expected.

Forensic (ruf) reports contain individual message copies. Most receivers no longer send them for privacy reasons. Do not rely on them.
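The three things to look for in an aggregate report, turned into triage code as an added Python example (not Bento's or any report processor's code). It parses the rua XML layout receivers send, using the aligned results in policy_evaluated, and sorts each source into: fully passing, passing on DKIM only (the forwarding case), a known source that is misaligned and needs fixing, or an unknown source. The report text and the inventory of known sending ranges are constructed for the example.

```python
# Added example (not Bento's code): triage of one DMARC aggregate report.
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed, trimmed rua report for example.com with four sending sources.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>
"""

# Hypothetical inventory of ranges you know send as your domain
# (ESP, app servers, and so on). Build this from your own infrastructure.
KNOWN_SOURCES = {
    "esp": [ip_network("192.0.2.0/28")],
    "app-servers": [ip_network("192.0.2.16/28")],
}


def known_source_name(ip: str):
    """Return the inventory name that covers this IP, or None if unknown."""
    addr = ip_address(ip)
    for name, nets in KNOWN_SOURCES.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify_record(rec) -> dict:
    """Classify one <record> using the receiver's aligned DKIM/SPF results."""
    row = rec.find("row")
    ip = row.findtext("source_ip")
    count = int(row.findtext("count"))
    evaluated = row.find("policy_evaluated")
    dkim_aligned = evaluated.findtext("dkim") == "pass"
    spf_aligned = evaluated.findtext("spf") == "pass"
    source = known_source_name(ip)
    if dkim_aligned and spf_aligned:
        category = "pass"
    elif dkim_aligned:
        category = "pass_dkim_only"      # typical of forwarding; expected
    elif spf_aligned:
        category = "pass_spf_only"       # fragile: fails once forwarded
    elif source:
        category = "legit_misaligned"    # fix this source before tightening
    else:
        category = "unknown_source"      # nobody you know; likely spoofing
    return {"ip": ip, "count": count, "source": source, "category": category}


def triage(xml_text: str):
    """Return per-source rows and message totals per category."""
    root = ET.fromstring(xml_text)
    rows = [classify_record(rec) for rec in root.findall("record")]
    totals = {}
    for row in rows:
        totals[row["category"]] = totals.get(row["category"], 0) + row["count"]
    return rows, totals


if __name__ == "__main__":
    rows, totals = triage(SAMPLE_REPORT)
    for row in rows:
        print(row)
    print(totals)
```

Run over real reports, the unknown_source total is the spoofing volume enforcement would stop, and legit_misaligned is the list of sources to fix before moving past p=none.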

DMARC Record Tags

Tag     Meaning                                           Example
v       Version, always DMARC1                            v=DMARC1
p       Policy for the domain                             p=quarantine
sp      Policy for subdomains                             sp=reject
rua     Address for aggregate reports                     rua=mailto:dmarc@example.com
ruf     Address for forensic reports                      ruf=mailto:dmarc@example.com
pct     Percentage of failing mail the policy applies to  pct=50
adkim   DKIM alignment mode, r relaxed or s strict        adkim=r
aspf    SPF alignment mode, r relaxed or s strict         aspf=r

Only v and p are required. A practical enforcement record looks like:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r
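A parser and sanity check for the record format in the tag table, as an added Python example that is not Bento's code. It covers the staged rollout records above (p=none, then p=quarantine with pct=, then p=reject), rejects more than one record since receivers treat that as an invalid policy, and reports which rollout stage a record represents. The input strings are constructed; in practice you would pass it the TXT values returned for your _dmarc subdomain.

```python
# Added example (not Bento's code): parse and validate a DMARC TXT record.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> list:
    """Split 'k=v; k=v' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def validate_dmarc(records: list) -> list:
    """Return human-readable problems for the TXT values found at _dmarc.
    An empty list means the record is usable."""
    if not records:
        return ["no DMARC record published"]
    if len(records) > 1:
        return [f"{len(records)} DMARC records found; receivers treat the policy as invalid"]
    try:
        pairs = parse_dmarc_record(records[0])
    except ValueError as err:
        return [str(err)]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    if "pct" in tags:
        if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
            problems.append("pct must be an integer from 0 to 100")
    for mode in ("adkim", "aspf"):
        if mode in tags and tags[mode] not in ("r", "s"):
            problems.append(f"{mode} must be r or s")
    for uri_tag in ("rua", "ruf"):
        if uri_tag in tags and not all(
                u.strip().startswith("mailto:") for u in tags[uri_tag].split(",")):
            problems.append(f"{uri_tag} must be a comma-separated list of mailto: URIs")
    return problems


def enforcement_stage(record: str) -> str:
    """Where a record sits on the rollout: monitoring, partial or enforcing."""
    tags = dict(parse_dmarc_record(record))
    policy = tags.get("p")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitoring"
    if pct < 100:
        return f"partial ({pct}% of failing mail gets {policy})"
    return f"enforcing ({policy})"


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
    print(validate_dmarc([record]), enforcement_stage(record))
```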

Why Enforcement Matters Now

Gmail, Yahoo, and Microsoft bulk sender requirements mandate at least p=none for anyone sending meaningful volume. That is the floor, not the goal.

Stricter policies protect your domain from spoofing. At p=none, anyone can send phishing mail as your domain and receivers will deliver it. At p=reject, that mail gets refused. A spoofed domain accumulates complaints and blocklist entries that hurt your real mail, so enforcement is a reputation defense, not just a security checkbox.

BIMI, covered below, also requires enforcement before your logo can appear in inboxes.

Common Gotchas

Forwarding breaks SPF alignment. When a recipient forwards your mail or uses a forwarding address, the forwarding server's IP sends the message and SPF fails. DKIM survives forwarding because the signature travels inside the message. This is the main reason DKIM alignment is the one to rely on, and why your reports will always show some SPF failures.

Subdomain policy. By default, your policy covers subdomains. Use sp= if you want a different subdomain policy, for example p=reject; sp=quarantine while a new subdomain is still being validated. Attackers often target unused subdomains, so once you are confident, set sp=reject too. If you split mail streams across subdomains, see Sending Domain and Subdomain Strategy.

Multiple ESPs on one domain. If you send through Bento plus another provider, every provider needs its own aligned DKIM setup. One DMARC record covers the whole domain, so a misaligned secondary provider will show up as failures in your reports. Fix each provider before tightening policy.

Only one DMARC record. Two DMARC TXT records at _dmarc.yourdomain.com make the policy invalid. Check for an existing record before adding one.

BIMI

BIMI displays your verified logo next to your messages in supporting inboxes, including Gmail and Yahoo. Requirements:

  • DMARC at enforcement, meaning p=quarantine with pct=100 or p=reject.
  • Your logo as an SVG in a specific profile, published at a URL in a BIMI DNS record.
  • For most senders, a Verified Mark Certificate (VMC) tied to a registered trademark. VMCs cost roughly 1,000 to 1,500 USD per year.

BIMI is optional and does not change inbox placement. Treat it as a branding upgrade you unlock after reaching DMARC enforcement, not a deliverability project. The enforcement work is worth doing either way.
