Skip to content
The DDMARC Blog
Field notes

Field notes on email security.

What's changing in DMARC and deliverability, how operators are responding, and how to read your reports — written for the people who actually run email.

  1. 01
    dmarc5 min read

    How to Set Up SPF, DKIM & DMARC for Microsoft 365

    The exact SPF record, the two DKIM CNAMEs, and the DMARC record Microsoft 365 needs — plus the Defender-portal step that actually turns DKIM signing on for your domain. A no-consultant setup.

  2. 02
    security6 min read

    Anatomy of a Domain Spoofing Attack — and What It Looks Like in Your DMARC Reports

    A spoofed email isn't magic — it's a forged From: header. Here's how a domain-spoofing attack is staged, what the target sees, and exactly how it shows up in your DMARC aggregate reports so you can spot it.

  3. 03
    dmarc6 min read

    How to Set Up SPF, DKIM & DMARC for Google Workspace (2026 Guide)

    The exact SPF, DKIM, and DMARC records Google Workspace needs — in the right order, with the gotchas that quietly break authentication. A no-consultant setup you can finish in an afternoon.

  4. 04
    dmarc6 min read

    Subdomain DMARC: Why the sp= Tag Matters More Than You Think

    Does p=reject cover your subdomains? Usually yes — but one tag can silently undo it. How subdomain policy inheritance really works, and how to lock down the dormant subdomains attackers love.

  5. 05
    deliverability5 min read

    Microsoft 365 Sender Requirements Are Now Enforced — Are You Compliant?

    Microsoft now requires SPF, DKIM, and an aligned DMARC record to deliver bulk mail to Outlook.com and Hotmail. Who's affected, how it compares to the Google and Yahoo rules, and a checklist to confirm you pass.

  6. 06
    dmarc4 min read

    Reading DMARC aggregate reports: what the XML is actually telling you

    Aggregate reports are how you find out who is sending as your domain — legitimate or not. Here's how to read the XML, what each field means, and how to spot spoofing.

  7. 07
    dmarc6 min read

    The DMARC rollout playbook: none to reject without breaking mail

    Moving from p=none to p=reject is where most DMARC projects stall — usually from fear of blocking legitimate mail. Here's a staged, evidence-driven path to full enforcement.

  8. 08
    deliverability4 min read

    Yahoo & Google Sender Requirements 2026: SPF, DKIM, DMARC

    The 2026 Yahoo & Google bulk-sender rules — SPF, DKIM, DMARC alignment, one-click unsubscribe, and the 0.3% spam-rate limit — in one checklist to confirm you comply.