DMARC, SPF & DKIM Glossary
A concise glossary of the most important email authentication terms, written for security teams, MSPs and business stakeholders who need a clear, shared vocabulary.
DMARC terminology
- DMARC
- Domain-based Message Authentication, Reporting & Conformance. A policy layer that tells receiving mail servers how to handle messages that fail SPF and/or DKIM checks.
- Alignment
- The requirement that domains used in SPF or DKIM evaluation match (or are subdomains of) the domain in the From: header. Alignment can be relaxed or strict.
- Policy (p=)
- The DMARC instruction that tells receivers what to do with failing messages: none, quarantine or reject.
- RUA
- Aggregate DMARC reports sent in XML format to the address specified by the rua tag. These reports summarize how messages using your domain performed over time.
- RUF
- Forensic DMARC reports, typically containing redacted samples of individual messages that failed DMARC. Not all receivers send these by default.
- pct=
- The percentage tag that allows you to apply DMARC policy to only a portion of failing messages while you test.
SPF terminology
- SPF
- Sender Policy Framework. A DNS record that lists which hosts are allowed to send email for your domain.
- include:
- An SPF mechanism that references another domain's SPF record. Useful for third-party services, but contributes to DNS lookup depth.
- DNS lookup limit
- The recommended limit of 10 DNS lookups during SPF evaluation. Exceeding this limit can cause SPF to fail with a permanent error (PermError).
- SPF flattening
- The process of resolving include: mechanisms into a direct list of IP addresses and networks to reduce DNS lookups and avoid PermError conditions.
- PermError
- A permanent SPF evaluation error, often caused by excessive DNS lookups or malformed SPF records. PermErrors can contribute to DMARC failures.
DKIM terminology
- DKIM
- DomainKeys Identified Mail. A method of attaching a cryptographic signature to email so receivers can verify that the message was not altered and that it was authorized by the sending domain.
- Selector
- A DKIM label used to choose which key should be used to validate a signature. Selectors allow multiple keys to be in use at once for rotation or per-service separation.
- Key rotation
- The practice of regularly updating DKIM keys and selectors to reduce long-term exposure of any single key.
Provider & ecosystem concepts
- Primary mail platform
- The main system used for employee mail, such as Microsoft 365 or Google Workspace.
- Third-party senders
- External services such as marketing platforms, CRMs, billing providers and support tools that send email on your behalf.
- Shadow IT
- Tools and services adopted outside standard IT or procurement processes that may send email for your domain without being centrally documented.
- Multi-domain MSP environment
- A managed service provider scenario where many client domains must be monitored and protected using DMARC, often at different stages of maturity.
You can link to this glossary from internal playbooks, training materials and client documentation to ensure a consistent, shared language when discussing DMARC projects and email authentication in general.