service/email.md

@@ -287,13 +287,24 @@ reject attempts from servers not in the `A` or `AAAA` record of
 
 ### DMARC records
 
-A good start for a DMARC record is:
+[DMARC](https://en.wikipedia.org/wiki/DMARC) records glue together SPF and DKIM to tell which *policy*
+to apply once the rules defined above check out (or not). It is
+defined in [RFC7489](https://www.rfc-editor.org/rfc/rfc7489.html) and has a [friendly homepage](https://dmarc.org/) with a [good
+introduction](https://dmarc.org/overview/).
+
+Our current DMARC policy is:
 
     _dmarc  IN  TXT "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@torproject.org"
 
 That is a "soft" policy (`p=` is `none` instead of `quarantine` or
 `reject`) that applies to all email (`pct=100`) and sends reports to
-the postmaster.
+the `postmaster@` address.
+
+Note that this applies to *all* subdomains by default, to change the
+subdomain policy, the `sp=` mechanism would be used (same syntax as
+`p=`, e.g. `sp=quarantine` would apply the `quarantine` policy to
+subdomains, independently of the top domain policy). See [RFC 7489
+section 6.6.3](https://www.rfc-editor.org/rfc/rfc7489.html#section-6.6.3) for more details on discovery.
 
 ## Upgrades