On Fri 01/03/2024 at 09:18, Andy Smith <a...@strugglers.net> wrote: > Just for the record, the Authentication part of DMARC is done with > SPF and/or DKIM; the large mailbox providers actually (since 1 Feb) > require *either* SPF *or* DKIM passes, or both if you are a bulk > sender (thousands of mails per day). > > DMARC itself remains optional (but recommended) and once taken > separately from SPF and DKIM is mainly a reporting mechanism.
https://support.google.com/a/answer/81126?hl=en#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day%2Crequirements-for-all-senders mentions DMARC in requirements for all senders: "Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery." but only explicitly requires it in requirements for senders of >5,000 messages a day: "Set up DMARC email authentication for your sending domain ..." ...which is not quite as clear as it might be. Can a "DMARC quarantine enforcement policy" operate, if the sender doesn't use DMARC? This idea seems to relate more to SPF than anything?
