EMAIL-004 critical DNS Authentication

DMARC configured

DMARC records with enforcement policy (quarantine/reject), reporting configured, reports reviewed

Question to ask

"What's your DMARC policy — p=none is basically nothing."

Verification guide

Severity: Critical

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving servers what to do when SPF/DKIM fail, and provides reporting on authentication failures.

Check automatically:

  1. Query DMARC for root domain and subdomains:
     # DMARC is always at the _dmarc subdomain
     dig TXT _dmarc.example.com +short
     dig TXT _dmarc.mail.example.com +short
     dig TXT _dmarc.transactional.example.com +short
  2. With Cloudflare API:
     curl -X GET "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=TXT" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | select(.name | contains("_dmarc"))'
  3. Analyze DMARC record:
  • v=DMARC1 - version tag
  • p=none|quarantine|reject - policy for root domain
  • sp=none|quarantine|reject - subdomain policy (if different)
  • rua=mailto:... - aggregate reporting address
  • ruf=mailto:... - forensic reporting address (optional)

Ask user:

  • If p=none: "Is this intentional monitoring mode? How long has it been in monitoring?"
  • "Do you actively review DMARC reports?"

Cross-reference with:

  • EMAIL-002 (SPF must pass for DMARC to work)
  • EMAIL-003 (DKIM must pass for DMARC to work)

Pass criteria:

  • DMARC record exists for root domain
  • Subdomains have DMARC or inherit from root (check sp= policy)
  • Policy is p=quarantine or p=reject
  • Reporting address configured (rua=mailto:...)
  • Reports are actually reviewed

Partial (acceptable):

  • p=none during initial rollout to monitor before enforcement - note duration and plan

Fail criteria:

  • No DMARC record
  • No reporting address configured (can't monitor failures)
  • p=none for extended period with no plan to enforce
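As an added example (not part of this checklist), the Python below evaluates DMARC records against the "Analyze DMARC record" step and the pass/partial/fail criteria above, including the sp= inheritance check for subdomains. The records and domain names are constructed samples, and the parent walk-up is simplified: it climbs one label at a time rather than consulting the Public Suffix List for the organizational domain.

```python
"""Assess DMARC TXT records against the EMAIL-004 pass/partial/fail criteria.
All records below are constructed samples; nothing is queried over DNS."""

# Constructed: what `dig TXT _dmarc.<name> +short` might return for each name.
SAMPLE_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; "
                          "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.shop.example.com": "v=DMARC1; p=quarantine",  # enforcing, but no rua=
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None unless it is a v=DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def policy_for(domain, records):
    """Return (tags, effective policy) for mail sent from `domain`.

    A domain's own record wins; otherwise the nearest parent record applies and
    its sp= (falling back to p=) governs the subdomain. Simplified: walks up one
    label at a time instead of stopping at the organizational domain."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        tags = parse_dmarc(records.get("_dmarc." + ".".join(labels[i:]), ""))
        if tags:
            policy = tags.get("p", "none") if i == 0 else tags.get("sp", tags.get("p", "none"))
            return tags, policy.lower()
    return None, None


def assess(domain, records, monitoring_plan=False):
    """Map one sending domain to PASS / PARTIAL / FAIL with the checklist reason."""
    tags, policy = policy_for(domain, records)
    if tags is None:
        return "FAIL", "no DMARC record"
    if not tags.get("rua", "").lower().startswith("mailto:"):
        return "FAIL", "no rua= reporting address, failures cannot be monitored"
    if policy in ("quarantine", "reject"):
        return "PASS", f"enforcing {policy}"
    if monitoring_plan:
        return "PARTIAL", "p=none in monitoring mode; note duration and plan"
    return "FAIL", "p=none with no plan to enforce"
```

Call `assess("new.example.com", SAMPLE_RECORDS)` to see a subdomain with no record of its own inherit the parent's sp=quarantine; pass `monitoring_plan=True` for a p=none domain to get the PARTIAL verdict.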

Evidence to capture:

  • DMARC records per domain/subdomain
  • Policy levels (none/quarantine/reject)
  • Subdomain policy (sp=) if different from root
  • Reporting addresses
  • Whether reports are reviewed (and by whom)
  • Duration and plan if in monitoring mode

Section

20. Email Infrastructure
