To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.
- Testing and monitoring is very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings-- my experience is that when this happens, you've probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you're making it harder for people to read your posts and respond to them. Not everybody's going to go to the trouble of whitelisting you or clicking "not spam" every time you post.
- Remember that DMARC doesn't play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It's very easy for mailing lists posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place for usage on a domain with real, live users. That's open to debate, but certainly, operational complexity increases.
- Remember that DMARC wasn't really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren't a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)