DMARC (Domain-based Message Authentication, Reporting & Conformance) is a greatest advance in email authentication. DMARC can help you monitor fraudulent or spoofing emails from untrusted sources, or even block these spam before it reaches the inbox (spam box).
After setting up DMARC record, you can use the following command to verify your record:
$ dig +short _dmarc.sparanoid.com txt
Then you can send fake emails to test if your DMARC record works:
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning firstname.lastname@example.org does not designate 188.8.131.52 as permitted sender) email@example.com; dmarc=fail (p=NONE dis=NONE) header.from=sparanoid.com
When you set
p=quarantine in your DMARC record your fake emails would be marked as spam:
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning firstname.lastname@example.org does not designate 184.108.40.206 as permitted sender) email@example.com; dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=sparanoid.com
And you will get the following warning in Gmail web app:
Why is this message in Spam? It has a from address in sparanoid.com but has failed sparanoid.com’s required tests for authentication.
You can also set
p=reject to delete the message even before it reaches the user’s inbox. All emails fail the DMARC authentication will be rejected and never reach the inbox or spam box.
If everything goes well you should get the all-pass result, a test email sent from Postmark:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) email@example.com; dkim=pass firstname.lastname@example.org; dmarc=pass (p=QUARANTINE dis=NONE) header.from=sparanoid.com
You can read more information about DMARC at dmarc.org.