DMARC is an effective tool in fighting spam, the reason it’s effectiveness is superior then other forms, like spam-assassin.
First to understand DMARC is dependent upon SPF, and DKIM DNS records. Please see screenshot
As the screenshots shows, Yahoo sees CainTech Services Mail Server record and originating point as a permitted legitimate sender, so Yahoo gives the email a pass. Which the sending email goes into the receivers inbox.
The other is DKIM Authentication which acts as a personalized validation of who the sender of the email is see screenshot.
After these two are in place within your DNS Records for any specific domain the last thing to put in pace is DMARC. (Domain-based Message Authentication, Reporting & Conformance)
DMARC acts as a notifier policy to other email providers on how to deal with legitimate and illegitimate emails. For legitimate emails the sender and receiver see no difference, besides the fact there may as a result be a reduction in email spam. The cause for this, is the fact spam is never legitimized. (Dropped or bounced back to the spammer.)
If in exchange an email is not validated by both SPF and DKIM. DMARC records have a specific action like such below.
v=DMARC1; p=none; rua=mailto:; ruf=mailto:; fo=0; adkim=s; aspf=s; pct=100; rf=afrf:iodef; ri=86400; sp=none
The default policies are none, quarantine, and reject. The policy of none means nothing will happen although email reports will be sent if users mark emails originating from your email server as spam, or if an email is received from a destination other then one that you specified. This is evidenced by the next screenshot.
With DMARC records in place, The best policy to start with is none, so you can actively watch if there are spammers hijacking your email and domain address. Along with people marking your email(s) as junk. Quarantine will mark illegitimate email by directly placing it into the Junk Mail/Spam Folder. While a Reject policy will bounce the email back to the spammer or alternatively force any illegitimate email to be frozen or unsent.
If you want to cut down on spam, you should mark the policy as reject. This will also protect the email users(s) authenticity since nothing but the source is trusted as well noted in a DNS record. You can see the effect of this in the last screenshot.
Logs will appear within your email address like this.
Lastly, to finally explain, how you get email reports.
rua=mailto:; ruf=mailto:; fo=0; adkim=s; aspf=s; pct=100; rf=afrf:iodef; ri=86400; sp=none
Both RUA and RUF (F for forensic reports) determine what type of email reports you receive and it’s contents.
The best website to create DMARC Records is
Then verify the records
You can use my domain(s) as way to verify if they work or how things operate.