Here’s another chunk from Run Your Own Mail Server.
Ideally, sysadmins want all the messages from their domain to conform to the highest possible standards. They intend to sign everything with DKIM, and publish SPF records that contain every host that might possibly send mail. Anything that doesn’t have perfect alignment is obviously forged and should be unilaterally discarded. Anyone who’s worked in computing more than a week understands that they missed something, though. Some critical system sends mail from its own hostname rather than the domain, or there’s that weird host system sends mail only when the Galactic Senate starts its decennial session. DMARC deliberately allows a soft deployment. You can publish fierce policies that require strict alignment of SPF and/or DKIM, but ask that failures be reported to you rather than discarded. Use the failure reports to find deployment gaps. Eventually the failure reports will stop coming and you can ask others to quarrantine or even reject noncompliant mails.
The light at the end of this book is clearly visible, and I can even hear the train approaching. Yay!
All aboard; next stop, technical review. Please stow all grammatical errors in the overhead rack.