DMARC

Everything you need to know about DMARC: what a DMARC record is and how to enable DMARC for your domain

Domain-based Message Authentication, Reporting & Conformance, or DMARC, is a technical standard that protects both the senders and the recipients.

DMARC record explained

DMARC builds on SPF and DKIM: for an email to pass DMARC, it must pass SPF authentication and SPF alignment and/or pass DKIM authentication and DKIM alignment. If both the SPF and DKIM checks fail, DMARC lets the domain owner decide what should happen to the email via a DMARC policy.

There are three DMARC policies the domain owner can enforce:

  • none (the message is delivered to the recipient and the DMARC report is sent to the domain owner)

  • quarantine (the message is moved to a quarantine folder) and

  • reject (the message is not delivered at all).

There are only four attributes found in most DMARC DNS records. These are:

  • v — ‘DMARC1’ for the current DMARC revision. This attribute must appear first.

  • p — Specifies the enforcement level requested by the sender. Allowed values are ‘none’, ‘quarantine’, and ‘reject’. This attribute is required and must be the second attribute in the record.

  • rua — A comma-separated list of URLs for aggregate report delivery. These are typically ‘mailto’ URLs. This attribute is optional.

  • ruf — A comma-separated list of URLs for forensic/failure report delivery. These are typically ‘mailto’ URLs. This attribute is optional.

So a sample DMARC record for example.com might be:

v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@vali.email; ruf=mailto:dmarc-reports@example.com

How to configure DMARC record

It is possible to define a DMARC policy in a DNS record without first setting up SPF and DKIM. However, without SPF and DKIM set up, DMARC would not be able to do anything.

DMARC policies define how email servers should handle the results of SPF and DKIM checks. A critically important element of a DMARC policy is that it also provides a reporting mechanism, so domain administrators can identify whether emails are failing or whether an attacker is attempting to spoof a given domain.

Just like SPF, DMARC is a simple one-line entry in the domain's DNS records. Log in to your domain registrar and click on the option to manage or configure DNS settings. Find and click the 'Add a New Record' option and choose a 'TXT' record.

Here's a sample DMARC entry for the test domain dmarc.site:

v=DMARC1; p=quarantine; rua=mailto:reports@dmarc.site; ruf=mailto:reports@dmarc.site; adkim=r; aspf=r; rf=afrf
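Before publishing a record, it helps to check it against the rules listed above (v first, p second with one of three values, rua/ruf as mailto lists). The following checker is an added example, not part of the original page; the function name check_dmarc_record and the third sample record are constructed for illustration.

```python
import re

ALLOWED_POLICIES = {"none", "quarantine", "reject"}

def check_dmarc_record(txt):
    """Parse the value of a DMARC TXT record; return (tags, problems)."""
    problems, pairs = [], []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed attribute: {part!r}")
            continue
        pairs.append((name.strip().lower(), value.strip()))
    tags = dict(pairs)
    # v must appear first and must be exactly DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first attribute")
    # p is required, must be second, and has three allowed values
    if len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p must be the second attribute")
    if "p" in tags and tags["p"].lower() not in ALLOWED_POLICIES:
        problems.append(f"invalid policy: {tags['p']!r}")
    # rua / ruf are optional comma-separated lists, typically mailto URLs
    for name in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(name, "").split(",") if u.strip()]
        for uri in uris:
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri, re.I):
                problems.append(f"{name}: not a mailto URL: {uri!r}")
    # p=none enforces nothing, so without rua the record gives no visibility
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("warning: p=none without rua sends no aggregate reports")
    return tags, problems

SAMPLES = [
    # the two sample records shown on this page
    "v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@vali.email; ruf=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; rua=mailto:reports@dmarc.site; ruf=mailto:reports@dmarc.site; adkim=r; aspf=r; rf=afrf",
    # constructed bad record: p not second, unknown policy, report address missing mailto:
    "v=DMARC1; rua=reports@example.com; p=monitor",
]

if __name__ == "__main__":
    for record in SAMPLES:
        tags, problems = check_dmarc_record(record)
        print(tags.get("p"), problems or "OK")
```

The checker only validates the record text; the record itself is published as a TXT record at the _dmarc host name under the domain.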

Why should I add DMARC record?

Since DMARC helps build your domain reputation, security and visibility, you would be building a strong and secure bridge between your organization and the organization you are trying to contact.

If you've read our introduction to email authentication, you might remember the envelope. Basically, DMARC lets the receiver verify that the delivery address (on the envelope) matches the user-visible address (the letter inside) and that the person who sent it is allowed to do so.

With this in mind, we definitely recommend setting up all authentication standards that will help and protect both you and the other side.
