This book is going to get me hate mail from DMARC advocates, but otherwise I would get hate mail from users. Users win.

If you don’t publish DMARC records, spam detection systems evaluating your messages will say, “I find your lack of DMARC disturbing.” That increases the odds of your messages plunging into the spam folder. But what should you do about reporting, mailing lists, and so on?

If you are running a mail server truly for yourself and you don’t use mailing lists, or if you know none of your users will ever sign up for mailing lists, you could safely deploy aggressive DMARC policies. Start in reporting mode with a “none” policy, and increase strictness when the reports you receive say you can.

If you use mailing lists regularly, you’ll still need a simple DMARC record. Search the initial reports for weirdness, and chase down any unexpected senders on your systems. Once you confirm everything works as expected, check them maybe monthly and get on with your mailing lists.

You’re running out of time to sponsor this book. I know I’ve been working on this thing for a year, but I mean it. Really.