~/tools/dossier-dmarc

> dossier / dmarc

find and parse a domain's DMARC (domain-based message authentication, reporting, and conformance) policy record. part of the drwho.me domain dossier.

## overview

dmarc (RFC 7489) is a TXT record published at `_dmarc.<domain>` that tells receivers what to do with mail that fails spf or dkim alignment, and where to send aggregate and forensic reports. the policy tag `p=` picks one of three actions: `none` (monitor only — deliver, just send reports), `quarantine` (route to spam), or `reject` (refuse at smtp). alignment is tuned with `adkim` and `aspf` (`r` relaxed — organisational-domain match — or `s` strict — exact fqdn match). `rua` addresses receive daily aggregate reports; `ruf` addresses receive per-message forensic reports. `pct` gates a gradual rollout by percentage, and `sp` applies a distinct policy to subdomains. this tool queries `_dmarc.<domain>` via cloudflare's doh resolver, insists on exactly one `v=DMARC1` record per RFC 7489, and splits the semicolon-separated `k=v` pairs into a tag map.

## how to use

  1. enter a bare domain: public fqdn only. no schemes, ports, paths.
  2. run the check: a single TXT doh query at `_dmarc.<domain>`, not the apex. dmarc records never live at the apex.
  3. read the policy + alignment: `p` is the enforcement level, `adkim`/`aspf` tune alignment strictness, `rua`/`ruf` are the reporting addresses, and `pct` gates rollout.

## examples

$ example 1 — google enforces reject and collects aggregate reports; no forensic (`ruf`) subscription.
$ in
google.com
# out
v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com - policy reject, aggregate reports - relaxed alignment defaults
$ example 2 — microsoft uses agari as its report aggregator and opts into per-message forensic feedback.
$ in
microsoft.com
# out
v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1 - full reject - 100% rollout - both rua and ruf reporting

## common mistakes

  • dmarc requires spf OR dkim to align: dmarc does not authenticate mail on its own. it only enforces alignment between the visible From: header and an already-passing spf or dkim check. publishing a dmarc record without a working spf or dkim setup means every message fails dmarc regardless of policy.
  • `p=none` is monitor-only: many domains stop at `p=none` and assume they have dmarc protection. they don't — `none` only tells receivers to report, not to block or quarantine. spoofed mail still lands in the inbox. move to `quarantine` and then `reject` once reports show legitimate sources are all aligned.
  • external `rua`/`ruf` mailboxes need authorisation: if your `rua=mailto:` address is in a different domain than the policy domain, the receiving domain must publish `<your-domain>._report._dmarc.<their-domain>` TXT=`v=DMARC1` to opt in. miss this and reporters drop your aggregate reports silently.
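the lookup, the exactly-one-record rule and the tag split from the overview, plus checks for the `p=none` and external-mailbox pitfalls just listed, as one added example. this is not the dossier tool's own code: `fetch_dmarc_txt` uses cloudflare's public json doh endpoint and needs a network, everything else runs on the constructed `SAMPLE_TXT` sets (the google and microsoft records shown above plus an invented monitor-only domain). the `!size` stripping and the same-domain test for report authorisation are this example's simplifications.

```python
"""Fetch and parse a DMARC record per RFC 7489, then lint it for the two
record-level pitfalls above. Added example, not the dossier tool's own code."""
import json
import re
import urllib.parse
import urllib.request

# Cloudflare's public JSON DoH endpoint (the dossier tool also uses cloudflare doh)
DOH_URL = "https://cloudflare-dns.com/dns-query"

# RFC 7489 §6.3 defaults for tags a record may omit (sp falls back to p below)
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}

# constructed sample TXT sets: the two records shown above plus a monitor-only one
SAMPLE_TXT = {
    "google.com": ["v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"],
    "microsoft.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; "
                      "ruf=mailto:d@ruf.agari.com; fo=1"],
    "example.test": ["some-site-verification=abc123",  # unrelated TXT, must be ignored
                     "v=DMARC1; p=none; rua=mailto:dmarc@reports.example.test"],
}


def fetch_dmarc_txt(domain):
    """TXT strings at _dmarc.<domain> via DoH (needs network; not used by the samples)."""
    qs = urllib.parse.urlencode({"name": f"_dmarc.{domain}", "type": "TXT"})
    req = urllib.request.Request(f"{DOH_URL}?{qs}", headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    # rrtype 16 is TXT; data arrives as one or more quoted strings to be concatenated
    return ["".join(re.findall(r'"((?:[^"\\]|\\.)*)"', a["data"]))
            for a in body.get("Answer", []) if a.get("type") == 16]


def parse_dmarc(txt_records):
    """Select the single v=DMARC1 record and split it into a tag map.

    Zero or several DMARC records are both errors: RFC 7489 §6.6.3 tells
    receivers to treat either case as if no record were published.
    """
    candidates = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one v=DMARC1 record, found {len(candidates)}")
    tags = {}
    for pair in candidates[0].split(";"):
        if not pair.strip():
            continue  # a trailing semicolon is legal
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"missing or unknown policy tag p={tags.get('p')!r}")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p when absent
    return tags


def report_authorisation_name(policy_domain, mailbox):
    """Name of the TXT record (value v=DMARC1) the mailbox's domain must publish
    before reporters will send it reports about policy_domain (RFC 7489 §7.1).
    Returns None when the mailbox is in the policy domain itself."""
    mailbox_domain = mailbox.rsplit("@", 1)[1].lower()
    if mailbox_domain == policy_domain.lower():
        return None
    return f"{policy_domain.lower()}._report._dmarc.{mailbox_domain}"


def lint_dmarc(policy_domain, tags):
    """Findings for p=none and for external rua/ruf mailboxes that need opt-in."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none is monitor-only: failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.lower().startswith("mailto:"):
                continue
            mailbox = uri[len("mailto:"):].split("!", 1)[0]  # drop an optional !size limit
            name = report_authorisation_name(policy_domain, mailbox)
            if name:
                findings.append(f"{tag} is external: {name} TXT must exist with v=DMARC1")
    return findings


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        tags = parse_dmarc(txt)
        print(domain, tags["p"], lint_dmarc(domain, tags))
```

`parse_dmarc` refuses a record set with zero or two `v=DMARC1` entries rather than picking the first, because receivers do the same and a second record silently switches the domain to "no policy". to check a live domain, pass `fetch_dmarc_txt("example.com")` where the samples are used.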

## faq

why does the tool query `_dmarc.<domain>` and not the apex?

RFC 7489 §6.1 places the dmarc record at the `_dmarc` label under the policy domain, not at the apex. the apex TXT is where spf lives; putting dmarc there would collide with spf parsers.

what's the difference between `adkim=r` and `adkim=s`?

relaxed (`r`) accepts any subdomain under the same organisational domain — e.g. `mail.example.com` aligned with From: `example.com`. strict (`s`) requires an exact fqdn match. `aspf` works the same way for spf alignment.

does `p=reject` mean receivers must reject?

receivers are advised to reject, but dmarc is a policy signal, not a mandate. large mailbox providers (gmail, outlook) honor it; some smaller operators ignore it entirely. `pct` can gate rollout — `p=reject; pct=10` means only 10% of failing mail is rejected; the rest falls back to the `sp` or `quarantine` treatment.

can subdomains have their own dmarc policy?

yes. a subdomain may publish its own `_dmarc.sub.example.com` TXT, which overrides the parent. if it doesn't, receivers inherit the parent's policy but apply the `sp` tag instead of `p` when scoring the subdomain.
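the three faq answers above (relaxed vs strict alignment, `pct` sampling, and `sp` for subdomains) as one added scoring example; this is not the dossier tool's code. it takes an already-parsed tag map and the domains of whichever spf/dkim checks passed, and returns the disposition a receiver would apply. the `pct` downgrade follows RFC 7489 §6.6.4 (`reject` steps down to `quarantine`, `quarantine` to `none`); the organisational-domain helper keeps the last two labels instead of consulting the public suffix list, an assumption that holds for the sample domains, and the sha256 bucket is a stand-in for the receiver's random draw.

```python
"""Score one message against a parsed DMARC tag map: alignment (adkim/aspf),
subdomain policy (sp), and pct sampling. Added example, not the dossier tool's
own code; the organisational-domain helper is a deliberate simplification."""
import hashlib


# Real receivers derive the organisational domain from the Public Suffix List;
# keeping the last two labels is an assumption that holds for the samples below.
def organisational_domain(fqdn):
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Is the domain of a passing SPF or DKIM check aligned with the From: domain?
    mode is the adkim or aspf value: 'r' (organisational match) or 's' (exact)."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organisational_domain(a) == organisational_domain(b)


def effective_policy(tags, header_from, policy_domain):
    """p for the policy domain itself, sp for a subdomain that has no own record."""
    if header_from.lower().rstrip(".") != policy_domain.lower().rstrip("."):
        return tags.get("sp", tags["p"])
    return tags["p"]


# RFC 7489 §6.6.4: mail left out by pct gets the next less-strict treatment
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(tags, header_from, policy_domain,
                spf_pass_domain=None, dkim_pass_domain=None, sample_key=""):
    """Return 'pass', or the disposition a receiver should apply.

    spf_pass_domain / dkim_pass_domain are the domains of checks that already
    passed (None means that check failed). sample_key stands in for the
    receiver's random pct draw so the outcome is reproducible here.
    """
    dkim_ok = dkim_pass_domain is not None and aligned(header_from, dkim_pass_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass_domain is not None and aligned(header_from, spf_pass_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"  # one aligned, passing check is enough
    policy = effective_policy(tags, header_from, policy_domain)
    pct = int(tags.get("pct", "100"))
    bucket = int(hashlib.sha256(sample_key.encode()).hexdigest(), 16) % 100
    if bucket >= pct:  # this message falls outside the pct% that get full treatment
        return NEXT_LESS_STRICT[policy]
    return policy


if __name__ == "__main__":
    rec = {"p": "reject", "sp": "quarantine", "adkim": "r", "aspf": "s", "pct": "100"}
    print(disposition(rec, "example.com", "example.com", dkim_pass_domain="mail.example.com"))
    print(disposition(rec, "example.com", "example.com", spf_pass_domain="mail.example.com"))
    print(disposition(rec, "news.example.com", "example.com"))
```

with `aspf=s`, a passing spf check for `mail.example.com` does not rescue a From: of `example.com`, while the same domain passes under `adkim=r`; a From: at `news.example.com` with no record of its own is scored with `sp`, not `p`.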

what's `fo` for?

`fo` controls when forensic reports fire: `0` (default) = report only on total dmarc failure; `1` = report when any auth check fails; `d` = dkim failure; `s` = spf failure. it only matters if you publish a `ruf` address.

## related tools

  • dns lookup: resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
  • dossier / dns: resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
  • dossier / mx: list the mail exchangers (MX records) a domain advertises, sorted by priority.
  • dossier / spf: find and parse a domain's SPF (sender policy framework) record.

## references

  1. RFC 7489 — DMARC
  2. RFC 8617 — ARC