DMARC (Domain-based Message Authentication, Reporting & Conformance) is a great advance in email authentication. DMARC can help you monitor fraudulent or spoofed emails from untrusted sources, or even block this spam before it reaches the inbox (or spam box).
After setting up your DMARC record, you can use the following command to verify it:
$ dig +short _dmarc.sparanoid.com txt
Then you can send fake emails to test if your DMARC record works:
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning email@example.com does not designate 184.108.40.206 as permitted sender) firstname.lastname@example.org; dmarc=fail (p=NONE dis=NONE) header.from=sparanoid.com
When you set p=quarantine in your DMARC record, your fake emails will be marked as spam:
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning email@example.com does not designate 220.127.116.11 as permitted sender) firstname.lastname@example.org; dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=sparanoid.com
And you will get the following warning in the Gmail web app:
Why is this message in Spam? It has a from address in sparanoid.com but has failed sparanoid.com’s required tests for authentication.
You can also set p=reject to delete the message even before it reaches the user’s inbox. All emails that fail DMARC authentication will be rejected and never reach the inbox or spam box.
If everything goes well, you should get an all-pass result. Here is a test email sent from Postmark:
Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 18.104.22.168 as permitted sender) firstname.lastname@example.org; dkim=pass email@example.com; dmarc=pass (p=QUARANTINE dis=NONE) header.from=sparanoid.com
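An added example (not part of the original post): a small Python parser that pulls the SPF, DKIM and DMARC results plus the p= and dis= values out of an Authentication-Results header, so a batch of test messages can be checked without reading each header by eye. The sample headers are constructed, modelled on the Gmail output above, with example.com and 192.0.2.x as placeholders; the function names are this example's own.

```python
import re

# Constructed sample headers modelled on the Gmail output shown above.
# example.com and 192.0.2.x are placeholders, not values from the post.
SPOOFED = (
    "mx.google.com; spf=softfail (google.com: domain of transitioning "
    "test@example.com does not designate 192.0.2.10 as permitted sender) "
    "smtp.mailfrom=test@example.com; "
    "dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=example.com"
)
MONITORED = SPOOFED.replace("p=QUARANTINE dis=QUARANTINE", "p=NONE dis=NONE")
LEGIT = (
    "mx.google.com; spf=pass (google.com: domain of test@example.com "
    "designates 192.0.2.20 as permitted sender) smtp.mailfrom=test@example.com; "
    "dkim=pass header.i=@example.com; "
    "dmarc=pass (p=QUARANTINE dis=NONE) header.from=example.com"
)

COMMENT = re.compile(r"\([^()]*\)")                       # "(...)" comments
CLAUSE = re.compile(r"^\s*([a-z0-9-]+)=([a-z]+)", re.I)   # method=result
DMARC_TAGS = re.compile(r"dmarc=\w+\s*\(([^()]*)\)", re.I)

def parse_auth_results(value):
    """Parse the value of one Authentication-Results header into a dict."""
    out = dict.fromkeys(("spf", "dkim", "dmarc", "policy", "disposition"))
    m = DMARC_TAGS.search(value)
    if m:  # Gmail reports published policy (p) and applied disposition (dis)
        tags = dict(t.split("=", 1) for t in m.group(1).split() if "=" in t)
        out["policy"] = tags.get("p", "").lower() or None
        out["disposition"] = tags.get("dis", "").lower() or None
    # Drop comments first so text inside them cannot be mistaken for a result.
    authserv, *clauses = COMMENT.sub("", value).split(";")
    out["authserv"] = authserv.strip()
    for clause in clauses:
        m = CLAUSE.match(clause)
        if m and m.group(1).lower() in ("spf", "dkim", "dmarc"):
            out[m.group(1).lower()] = m.group(2).lower()
    return out

def verdict(result):
    """Summarise what the receiver did with the message."""
    if result["dmarc"] == "pass":
        return "authenticated"
    if result["disposition"] in ("quarantine", "reject"):
        return "enforced:" + result["disposition"]
    return "failed-but-delivered"  # p=none only monitors, nothing is blocked

if __name__ == "__main__":
    for name, header in (("spoofed", SPOOFED), ("monitored", MONITORED), ("legit", LEGIT)):
        print(name, verdict(parse_auth_results(header)))
```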
You can read more information about DMARC at dmarc.org.