DMARC (Domain-based Message Authentication, Reporting & Conformance) is a greatest advance in email authentication. DMARC can help you monitor fraudulent or spoofing emails from untrusted sources, or even block these spam before it reaches the inbox (spam box).
Postmark provides a DMARC analytics service which will send you a weekly report digest about emails sending from your domain.
After setting up DMARC record, you can use the following command to verify your record:
$ dig +short _dmarc.sparanoid.com txt
Then you can send fake emails to test if your DMARC record works:
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning t@sparanoid.com does not designate 12.34.56.78 as permitted sender) smtp.mailfrom=t@sparanoid.com;
dmarc=fail (p=NONE dis=NONE) header.from=sparanoid.com
When you set p=quarantine in your DMARC record your fake emails would be marked as spam:
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning t@sparanoid.com does not designate 12.34.56.78 as permitted sender) smtp.mailfrom=t@sparanoid.com;
dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=sparanoid.com
And you will get the following warning in Gmail web app:
Why is this message in Spam? It has a from address in sparanoid.com but has failed sparanoid.com’s required tests for authentication.
You can also set p=reject to delete the message even before it reaches the user’s inbox. All emails fail the DMARC authentication will be rejected and never reach the inbox or spam box.
If everything goes well you should get the all-pass result, a test email sent from Postmark:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of pm_bounces@dmarc.sparanoid.com designates 12.34.56.78 as permitted sender) smtp.mailfrom=pm_bounces@dmarc.sparanoid.com;
dkim=pass header.i=@sparanoid.com;
dmarc=pass (p=QUARANTINE dis=NONE) header.from=sparanoid.com
You can read more information about DMARC at dmarc.org.