What your DMARC record says about you.

Most SDRs encounter DMARC the day a sequence underperforms and someone asks "is your sender reputation OK?" The answer is buried in three TXT records they've never read. After ten years of looking at these, here's the truth: DMARC isn't about you, it's about them. The DMARC record on a prospect's domain tells you whether your cold email is going to land in their inbox, their spam folder, or be silently dropped before either.

You can read every prospect's DMARC posture in 30 seconds. Most operators don't. They send to everyone, watch reply rates, and blame copy. Often it isn't copy. Often it's that 38% of their list is on a strict DMARC policy with imperfect SPF alignment, and Gmail is quarantining them upstream.

The three policies, plain

A DMARC record is a TXT entry on _dmarc.{domain}. The most important field is p=. There are three possible values:

Policy	What it means	What you should do	Verdict
p=none	Owner asks receivers to monitor only. No quarantine, no reject. Failures still report.	Send normally. This is most companies. Not lazy — it's the default while they audit their senders.	SAFE
p=quarantine	Failures land in spam.	You can still land if your auth is clean (SPF + DKIM + alignment). Test before you send 500.	CAREFUL
p=reject	Failures are dropped before delivery.	Your sequence had better be perfectly authenticated. One alignment slip = 100% drop.	STRICT

The Savy audit reports the policy. What the audit can't tell you — and where most operators stop — is what the policy actually covers.

The subdomain trap

Here's the move that bites teams the most. Run this against any company:

$ dig +short TXT _dmarc.acmecorp.com
"v=DMARC1; p=reject; rua=mailto:dmarc@acmecorp.com; sp=none"

Read it carefully. p=reject on the apex. sp=none on subdomains. That means real mail to ceo@acmecorp.com is governed by reject, but mail to jane@team.acmecorp.com falls back to monitor-only. Most enterprise DMARC deployments look like this — the policy on the apex domain is theatre, because the actual mail flow uses subdomains the policy doesn't cover.

Translation for outbound: if you're emailing the apex (most cold tools do), you're playing on hard mode. If you're emailing a subdomain, you're playing on easy mode regardless of what the apex says. The apex policy isn't lying — it's just incomplete.

What "84 / 100" means on a Savy audit

Savy's deliverability score is a weighted blend of seven things, not just DMARC. Here's the breakdown for a typical 84:

• SPF aligned + record exists: 20 points (you'd lose this on hosted senders without proper include directives)
• DKIM keys published: 15 points (most companies pass; this is table stakes)
• DMARC policy present: 15 points (presence alone, regardless of strictness)
• Subdomain DMARC coverage: 10 points (the trap above — most lose 5+ here)
• MX provider reputation: 15 points (Google + Microsoft full marks; obscure MX = lose 5)
• BIMI / verified mark: 10 points (only the largest companies have this)
• Blacklist hits: 15 points (any Spamhaus / SURBL appearance = lose 5–15)

An 84 typically means: SPF + DKIM clean, DMARC present at p=quarantine, no BIMI, no blacklist hits. Translation: this company takes deliverability seriously, you should too. Send a clean, well-warmed mailbox, and don't try to use shared sender IPs.

The signals inside the signal

DMARC posture is a tell about engineering culture. Three patterns to watch:

Pattern 1 — fresh DMARC at p=none

Recent SOA serials on the _dmarc record + p=none means they just deployed DMARC and are in the monitoring phase. Translation: a CISO or VP Security shipped this in the last quarter. They're going to move to p=quarantine within 90 days. If you're a security tool, this is your moment.

Pattern 2 — p=reject with no subdomain policy

The half-DMARC pattern from above. Translation: security-conscious org, partial implementation. They probably have a SOC2 page (if not yet, they will). If you're a deliverability or security tool, the angle is "let's finish the implementation." If you're not, this is a SOC2/security-mature buyer profile — adjust your messaging accordingly.

Pattern 3 — no DMARC record at all

Translation: this company has not modernized email infrastructure. Either no security team, or the security team is buried in other things. Fine for outbound — your sequence will land. Less fine as an ICP signal — these companies are slow movers in general.

The pre-send checklist

Before any cold sequence to a new prospect, run this:

1. Pull DMARC: dig +short TXT _dmarc.{domain}. Check p= AND sp=.
2. If p=reject AND sp=reject: only send from a fully-authenticated mailbox with SPF alignment. Don't use a shared cold-email tool.
3. If p=quarantine: warm your mailbox for 14+ days first. Send 1 message, wait 24h, look for reply or bounce. If neither, you're probably in spam.
4. If p=none: send normally. Reply rates here will reflect copy quality, not auth.
5. If no record: send normally. Worry about your own deliverability instead — recipient won't catch you, but Gmail might.

This is what every Savy audit gives you in one line. The audit reads the record, classifies the posture, and tells you which playbook to run. Doing it manually for one prospect takes 90 seconds. Doing it for 200 takes a tool.

One more thing

The single highest-ROI deliverability move on YOUR sending domain isn't DMARC. It's warming a fresh mailbox slowly. A brand-new sender on a brand-new domain sending 50 cold emails on day one is a more reliable spam signal than any DMARC misconfiguration. If you're starting outbound this month, spend the first three weeks on warmup. The audit you read on prospects applies double to your own sender.

Run an audit on your own domain to see what your prospects see when they look you up. The result is usually informative.