DMARC
DMARC is a DNS policy record that tells receiving servers what to do when your mail fails DKIM or SPF authentication. Nudgel generates and manages it for you.
What DMARC is
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS TXT record published at _dmarc.yourdomain.com. It does two things:
- Sets a policy — tells receiving servers what to do with mail that fails DKIM or SPF authentication: let it through (none), route it to junk (quarantine), or block it entirely (reject).
- Requests reports — specifies an email address where receivers should send aggregate XML reports of authentication results across all mail they saw from your domain.
Without DMARC, receivers have no standardized way to know whether you care about authentication failures, and they have no reason to send you visibility into what is failing. Google and Yahoo require a published DMARC record for senders above 5,000 messages per day.
Why we manage it
DMARC is a policy, not a signing mechanism. The record is the same regardless of which email providers you are routing through — whether you use Mailgun, Postmark, SendGrid, or all three simultaneously, you publish exactly one DMARC record.
Because DMARC is provider-agnostic, Nudgel can generate it for you once and give you one less DNS record to maintain manually. We also receive aggregate reports on your behalf when you use managed mode, which will feed into deliverability metrics in your dashboard.
Managed vs self-managed
| Mode | RUA address | Who processes reports |
|---|---|---|
| Managed (default) | dmarc@nudgel.ai | Nudgel receives aggregate XML reports from receivers. Future: surfaced as deliverability metrics in your dashboard. |
| Self-managed | dmarc@yourdomain.com | You receive the raw XML and process them yourself with dmarcian, EasyDMARC, Postmaster Tools, or your own tooling. |
BOTH MODES WORK TOGETHER
rua addresses in one DMARC record, separated by commas. If you already use dmarcian or EasyDMARC and want to keep your existing reporting, add dmarc@nudgel.ai as an additional recipient rather than replacing your current address.
The record we generate
v=DMARC1; p=quarantine; rua=mailto:dmarc@nudgel.ai; pct=100; adkim=s; aspf=s
Tag breakdown:
| Tag | Value | Meaning |
|---|---|---|
| v | DMARC1 | DMARC version. Always DMARC1. |
| p | quarantine | Policy for failing mail. quarantine routes it to the junk folder. Alternatives: none (monitor only, no action) or reject (block the message entirely). |
| rua | mailto:dmarc@nudgel.ai | Where receivers send aggregate reports. Switch to your own address for self-managed mode. |
| pct | 100 | Percentage of failing mail to apply the policy to. 100 means all failing mail. Use a lower value (e.g. 10) during a gradual rollout to limit blast radius before you are confident. |
| adkim | s | DKIM alignment mode. s (strict) means the DKIM signing domain must exactly match the From: header domain — a DKIM signature from a subdomain does not satisfy DMARC for the parent domain. Use r (relaxed) to allow subdomain signatures. |
| aspf | s | SPF alignment mode. Same strict/relaxed logic as adkim, applied to the SPF envelope-from domain vs the From: header domain. |
When to set p=reject
p=quarantine is the right starting point. It penalizes authentication failures (junk folder) without permanently losing mail that may be failing due to a misconfigured but legitimate source you have not discovered yet.
Move to p=reject when:
- You have been on p=quarantine for at least a few weeks and are actively reviewing aggregate reports.
- You have confirmed that every legitimate sending source (providers, forwarding services, CRMs that send on your behalf) is passing DKIM and SPF.
- You are not seeing any unexplained authentication failures in your reports.
p=reject IS IRREVERSIBLE IN PRACTICE
p=reject, receivers will silently discard mail that fails authentication. Legitimate mail from a misconfigured source will disappear with no bounce — the sender sees a successful SMTP acceptance, but the message is never delivered. Audit your reports thoroughly before flipping this.
p=reject is the strongest signal you can send to receivers that you take authentication seriously. It also makes your domain significantly harder to spoof in phishing attacks.
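
The report review described in the checklist above, as an added example (not Nudgel's code and not part of the original page): it reads one aggregate XML report and lists the sources whose mail fails DMARC. The sample report is constructed, and `known_senders` is a hypothetical set of IPs you have identified as your own legitimate senders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IP ranges).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>9</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return (dmarc_failures, partial_failures) as {source_ip: message_count}."""
    # Reports come from third parties: in production, parse with a hardened
    # XML parser (for example defusedxml) instead of the stdlib one used here.
    failing, partial = Counter(), Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            failing[ip] += count   # DMARC fails only when neither aligned check passes
        elif dkim != "pass" or spf != "pass":
            partial[ip] += count   # passes DMARC, but one mechanism needs fixing
    return dict(failing), dict(partial)

def blocked_senders(report_xml, known_senders):
    """Known legitimate sources whose mail would be lost under p=reject."""
    failing, _ = summarize(report_xml)
    return {ip: n for ip, n in failing.items() if ip in known_senders}
```

An empty result from `blocked_senders` across several weeks of reports matches the second checklist item; failing sources outside `known_senders` still need review before they can be treated as spoofing.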
Related
- Sending domains setup guide — add a domain, publish DNS records, and copy your DMARC record
- Sending domains concept — how DKIM, SPF, and DMARC fit together, and how BYO providers change the picture