Meysam

@meysam81
Engineer & Father. Building for fun and for profit.
https://meysam.io
https://dmarcguard.io
X: https://x.com/@meysamazing
GitHub: https://github.com/meysam81

I reference 22 RFCs in DMARCguard. here's why that matters.

every protocol decision in DMARCguard traces back to an RFC. not a blog post.

not a vendor whitepaper. the actual standard.

all the way through 22 specifications

because a DMARC monitoring solution MUST stick strictly to RFCs to be relevant

it takes longer

but it means when you check your domain against DMARCguard...

the answer is correct

not approximately correct

https://dmarcguard.io/learn/spf/

#DMARC #EmailSecurity #RFC

SPF Record Syntax & Format [2026] | DMARCguard

Learn SPF record syntax, format, and mechanisms. Understand how Sender Policy Framework works, common errors like PermError, and the 10-lookup limit.

DMARCguard

MTA-STS: the protocol that prevents TLS downgrade attacks on your email

DMARC, SPF, and DKIM protect authenticity

MTA-STS (RFC 8461) protects confidentiality

without it, an attacker performing a man-in-the-middle attack can strip TLS from the SMTP connection between mail servers, forcing plaintext delivery

MTA-STS tells sending servers: "only deliver to my domain over TLS. if the certificate doesn't match, don't deliver."

https://dmarcguard.io/tools/mta-sts-checker/

#DMARC #EmailSecurity

MTA-STS Policy Checker | DMARCguard

Validate your MTA-STS DNS record, fetch the policy file, and verify MX record alignment per RFC 8461.
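
The sender-side decision described in the post above, as an added example (not part of the original post and not DMARCguard's code). The policy text and host names are constructed, and the result labels `deliver`, `skip-mx` and `deliver-and-report` are names chosen here for illustration.

```python
# Constructed body of https://mta-sts.mail.example/.well-known/mta-sts.txt
POLICY_TXT = """version: STSv1
mode: enforce
mx: mx1.mail.example
mx: *.backup.mail.example
max_age: 604800
"""

def parse_policy(text):
    """Parse an RFC 8461 policy body into version, mode, max_age and mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())  # mx may repeat
        else:
            policy.setdefault(key, value)
    if (policy.get("version") != "STSv1"
            or policy.get("mode") not in ("enforce", "testing", "none")
            or not policy.get("max_age", "").isdigit()):
        raise ValueError("invalid MTA-STS policy")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_matches(host, pattern):
    """A '*.' pattern covers exactly one leftmost label, never the parent itself."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_valid):
    """tls_valid: STARTTLS succeeded and the certificate validated for mx_host."""
    ok = tls_valid and any(mx_matches(mx_host, p) for p in policy["mx"])
    if ok or policy["mode"] == "none":
        return "deliver"
    # enforce: never fall back to plaintext or an unlisted MX; testing: only report
    return "skip-mx" if policy["mode"] == "enforce" else "deliver-and-report"
```
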


@meysam81 I really love your Dmarcguard app, esp for my self-hosted homelab.

So much so that I created a whole IMAP proxy system for securely getting DMARC report emails into my lab network. Lmk what you think :)

https://github.com/HankieCodes/imap-ses

#opensource

microsoft outlook enforcement started may 2025

three things to do now before it's too late

1. publish a DMARC record at minimum p=none (enforcement gets you ahead)

2. ensure SPF and DKIM both pass and align with your "From" domain

3. include a functioning unsubscribe mechanism

three of the four largest consumer mailbox providers now enforce DMARC

the window for "we'll get to it" was closed yesterday!

https://dmarcguard.io/tools/dmarc-checker/

#DMARC #EmailSecurity #Microsoft

DMARC Record Checker | DMARCguard

Validate your DMARC policy and get actionable recommendations. All checks run in your browser -- nothing is sent to our servers.


the most common DMARC mistake I see is publishing the record and walking away

it's the right first step

but I see domains that have been at p=none for years

the path is:

- p=none
- collect reports for 4-8 weeks
- identify all legitimate senders
- move subdomain policy to reject
- move organizational policy to quarantine
- then reject

https://dmarcguard.io/blog/dmarc-policy-not-enabled-fix/

#DMARC #EmailSecurity #EmailAdmin #InfoSec

DMARC Quarantine/Reject Policy Not Enabled: Fix It | DMARCguard

See 'DMARC quarantine/reject policy not enabled'? Learn what it means, why it matters, and how to fix it step by step for any DNS provider. Free checker included.


why monitor 9 email protocols when the industry standard is 5

the typical DMARC vendor covers DMARC, SPF, DKIM... sometimes BIMI & MTA-STS...

that was adequate in 2022

in 2026, email security has expanded

each protocol solves a specific failure mode

ignoring any of them means accepting a blind spot

I added them because I kept seeing real failures that the 5-protocol approach couldn't explain

https://dmarcguard.io/learn/dane/

#DMARC #EmailSecurity #DANE #TLSA

DANE & TLSA Records Guide [2026] | DMARCguard

Learn how DANE and TLSA records use DNSSEC to authenticate mail servers. Covers RFC 6698, TLSA configuration, DANE vs MTA-STS, and SMTP security setup.


out of the 5.5m domains I scanned, 2.7% with published SPF records have errors that cause a permerror result

the most common: exceeding the 10 dns lookup limit

when SPF returns permerror, it's treated as a fail

DMARC then checks DKIM alignment as a fallback

but if that's also misconfigured, the entire authentication chain collapses

the worst part: no bounce message tells the sender "your SPF has a lookup error"

https://dmarcguard.io/tools/spf-checker/

#DMARC #EmailSecurity

SPF Record Checker | DMARCguard

Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.
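
How a static checker arrives at the lookup count behind the permerror described above, as an added example (not part of the original post and not DMARCguard's code). The `ZONE` dictionary is constructed data standing in for DNS TXT answers, and the count is the worst case over every term; a live evaluator stops at the first matching mechanism.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS; every domain is made up.
ZONE = {
    "shop.example": "v=spf1 a mx include:_spf.mailer.example "
                    "include:_spf.crm.example include:_spf.helpdesk.example ~all",
    "lean.example": "v=spf1 mx include:_spf.mailer.example ip4:203.0.113.0/24 ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example ip4:192.0.2.0/24 -all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mailer.example": "v=spf1 a mx -all",
    "_spf.crm.example": "v=spf1 mx include:_c.crm.example -all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 a mx -all",
}

def count_lookups(domain, zone, stack=()):
    """Worst-case count of DNS-querying terms reachable from a domain's record."""
    if domain in stack:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m or m.group(1) not in QUERYING:
            continue  # all, ip4, ip6 and exp cost no lookup
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, stack + (domain,))
    return total

def spf_status(domain, zone):
    """Return (result, detail) the way a static checker would report it."""
    if domain not in zone:
        return "none", "no record published"
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:  # a broken include chain is also a permerror
        return "permerror", str(exc)
    return ("permerror" if n > LIMIT else "ok"), f"{n} lookups"
```
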


your email headers contain the entire authentication story

most people never read them

- SPF result
- DKIM signature verification
- DMARC evaluation
- ARC chain status
- receiving server identity

I built the email header analyzer to parse this automatically

get a structured breakdown:

- which checks passed
- which failed
- where the message was routed from
- and what each hop did to the authentication chain

https://dmarcguard.io/tools/email-header-analyzer/

#DMARC #EmailSecurity

Email Header Analyzer | DMARCguard

Paste raw email headers to decode authentication results, trace the delivery path, and check sender alignment — entirely in your browser.


why DMARCguard costs $3.9/domain when the big names charge $200+ for fewer features

dmarcian charges $240/mo for 8 domains and covers 5 protocols

EasyDMARC gutted their free tier

PowerDMARC offers 6 protocols at $15/mo with capped emails

DMARCguard Pro is $6.9/domain with 9 protocols

founding members lock in $3.9/domain/mo forever

bootstrap means no VC board demanding 10x ARR

https://dmarcguard.io/blog/easydmarc-alternative/

#DMARC #EmailSecurity

EasyDMARC Alternative: Why Teams Are Switching in 2026 | DMARCguard

Comparing the best EasyDMARC alternatives for 2026. Protocol coverage, pricing, free tiers, and a step-by-step migration guide.


DKIM (RFC 6376) alignment failures are silent killers

the `d=` value in the DKIM signature must align with the `From` header domain for DMARC to pass DKIM alignment

- your ESP signs with `d=esp.example.com`
- but your `From` address is `[email protected]`

the signature is valid

the cryptography checks out

but DMARC alignment fails because the domains don't match

verify your DKIM alignment

not just signature validity

https://dmarcguard.io/tools/dkim-checker/

#DMARC #EmailSecurity

DKIM Record Checker | DMARCguard

Look up DKIM public keys by selector, verify key sizes against RFC 8301, and check algorithm compliance.
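
The alignment check from the post above, as an added example (not part of the original post and not DMARCguard's code). It goes one step further than the post by comparing relaxed and strict `adkim` modes; the message is constructed, signatures are assumed to have already verified, and `org_domain` is a naive stand-in for a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers: one signature from a third-party ESP, one from a subdomain.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailer-esp.example; s=k1;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.shop.example; s=k2;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Shop News <news@shop.example>\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)

def org_domain(domain):
    # Assumption: "last two labels"; real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_d_values(msg):
    """Extract the d= tag from every DKIM-Signature header, folding included."""
    values = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {k.strip(): v.strip()
                for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t)}
        if "d" in tags:
            values.append(tags["d"].lower())
    return values

def dkim_alignment(raw, adkim="r"):
    """Return (From domain, [(d= value, aligned?)]) for relaxed 'r' or strict 's'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for d in dkim_d_values(msg):
        if adkim == "s":
            aligned = d == from_domain  # strict: exact domain match
        else:
            aligned = org_domain(d) == org_domain(from_domain)
        results.append((d, aligned))
    return from_domain, results

def dmarc_dkim_pass(raw, adkim="r"):
    """DMARC's DKIM leg passes if any verified signature is aligned."""
    return any(aligned for _, aligned in dkim_alignment(raw, adkim)[1])
```
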
