Email spoofing protection (DMARC) — Partially configured
What is DMARC and why should I be concerned?
DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”. It’s an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cyber crimes.
DMARC builds on SPF and DKIM. SPF lists which mail servers may send on behalf of your domain and DKIM signs outgoing messages; DMARC adds a published policy telling receiving servers what to do with mail that fails both checks (none, quarantine or reject), plus an address to which receivers send aggregate reports about mail claiming to come from your domain. All three are published as TXT records in DNS (Domain Name System). Together they let you, as the domain owner, declare which servers are permitted to send email on behalf of your domain and what should happen to mail that is not authenticated.
In this case, a DMARC record is present for your domain, but one or more settings reduce its effectiveness. This means your domain may still be easier to spoof than it should be, and you may have limited visibility into impersonation attempts.
This may include:
- Policy is set to none (p=none, or sp=none for subdomains)
Spoofed emails are monitored only, not blocked.
- Policy is set to quarantine (p=quarantine or sp=quarantine)
Spoofed emails may still be delivered, typically to spam/junk folders.
- Coverage is less than 100% (pct<100)
The policy is applied to only that percentage of failing emails, so the rest may bypass protection.
- Reporting is not configured (rua missing)
You do not receive the aggregate reports needed to see who is trying to send as your domain.
How do I resolve this?
- Enable reporting (visibility first)
Add an aggregate reporting address (rua) to your DMARC record so you can monitor authentication outcomes and identify every legitimate sender before enforcing.
Example (TXT record at _dmarc.example.com):
v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
- Apply the policy to all mail
If your record includes pct and it is below 100, increase it so the policy applies to all failing mail (100 is the default, so removing the tag has the same effect):
pct=100
- Tighten the policy gradually
Once the reports confirm that all legitimate senders pass SPF or DKIM with alignment, move one step at a time, and keep sp at least as strict as p (or remove sp so subdomains inherit p):
p=none (monitor)
p=quarantine (filter suspicious mail)
p=reject (block unauthenticated spoofing)
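The findings and the remediation order above, expressed as a small checker. This is an added example, not tooling from the original page or any scanner vendor; the sample records are constructed for illustration, and the reporting address dmarc-reports@example.com is a placeholder you would replace with a mailbox you control.

```python
"""Check a DMARC TXT record for the weak settings described above and
propose the next hardening step.

Added example, not part of the original page or of any vendor's scanner.
The sample records are constructed, and the reporting address
dmarc-reports@example.com is a placeholder (assumption).
"""
from typing import Dict, List

VALID_POLICIES = ("none", "quarantine", "reject")  # weakest to strongest
REPORT_ADDRESS = "mailto:dmarc-reports@example.com"  # placeholder mailbox
TAG_ORDER = ("v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri")

# Constructed sample records; fetch a real one with: dig +short TXT _dmarc.<domain>
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial-quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
    "no-reporting": "v=DMARC1; p=reject",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-reports@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def serialize(tags: Dict[str, str]) -> str:
    """Rebuild the record with the well-known tags first, in a stable order."""
    ordered = [k for k in TAG_ORDER if k in tags] + sorted(k for k in tags if k not in TAG_ORDER)
    return "; ".join(f"{k}={tags[k]}" for k in ordered)


def _weaker(sub: str, policy: str) -> bool:
    """True when the subdomain policy sp= is weaker than the domain policy p=."""
    return (sub in VALID_POLICIES and policy in VALID_POLICIES
            and VALID_POLICIES.index(sub) < VALID_POLICIES.index(policy))


def assess_dmarc(record: str) -> List[str]:
    """Return the findings that make a record 'partially configured'.
    An empty list means p=reject, full coverage and reporting enabled."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ["p= tag missing or invalid, so no policy can be applied"]
    issues: List[str] = []
    if policy == "none":
        issues.append("p=none: spoofed mail is monitored only, not blocked")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail may still be delivered to spam/junk")
    sub = tags.get("sp", policy).lower()  # sp= defaults to p= when absent
    if sub not in VALID_POLICIES:
        issues.append(f"sp={sub}: invalid subdomain policy")
    elif _weaker(sub, policy):
        issues.append(f"sp={sub}: subdomains are protected less than the domain itself (p={policy})")
    pct = tags.get("pct", "100")  # 100 is the default
    if not pct.isdigit():
        issues.append(f"pct={pct}: not a number")
    elif int(pct) < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        issues.append("rua missing: no aggregate reports, so no visibility into who sends as your domain")
    return issues


def next_step(record: str) -> str:
    """Apply the first applicable step in the order given above: reporting first,
    then full coverage, then one policy level at a time. Only take the next step
    once the reports show every legitimate sender passing SPF or DKIM with alignment."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    pct = tags.get("pct", "100")
    if "rua" not in tags:
        tags["rua"] = REPORT_ADDRESS
    elif not pct.isdigit() or int(pct) < 100:
        tags["pct"] = "100"
    elif _weaker(tags.get("sp", policy).lower(), policy):
        del tags["sp"]  # subdomains then inherit p=
    elif policy == "none":
        tags["p"] = "quarantine"
    elif policy == "quarantine":
        tags["p"] = "reject"
    return serialize(tags)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"[{name}] {record}")
        for issue in assess_dmarc(record) or ["no findings"]:
            print("   -", issue)
        print("   next:", next_step(record))
```

Run it as-is to see each sample record's findings and the single change to make next; to check your own domain, paste the output of `dig +short TXT _dmarc.<your-domain>` into SAMPLE_RECORDS. The checker deliberately proposes one change per run, matching the gradual rollout above: a jump straight to p=reject before the reports have been reviewed is how legitimate mail gets blocked.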