DMARC stands for Domain-based Message Authentication, Reporting and Conformance. A DMARC record tells receiving mail servers what the domain owner’s policy is for mail that fails authentication. It builds on SPF and DKIM: a message passes DMARC only if at least one of those two checks passes and the domain it authenticated “aligns” with the domain in the visible From: header (the address your recipients actually see). This is called the alignment check. For mail that fails it, the record tells the receiver whether to allow the message through, quarantine it (typically into the spam folder) or reject it outright.
Additionally, the DMARC record lets you specify feedback email addresses where receiving mail servers can send reports about the mail they saw claiming to come from your domain and what action they took with it.
A DMARC record is simply a DNS TXT (text) record containing the string of parameters a receiving mail server would look for. Here is an example of a record for our test domain, example.com:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; pct=70; fo=1;
Here is a breakdown of the different components you see above in the string:

| Tag | Meaning |
|---|---|
| v | The DMARC version. Required, must be DMARC1 until a version 2 comes out, and must be the first tag in the record. |
| p | The policy the receiving server should apply to mail from your domain that fails the alignment check. Required. The options are none (deliver normally and just report), quarantine (treat as suspicious, typically the spam folder) and reject (refuse the message). |
| adkim | DKIM alignment mode. adkim=s (strict) requires the domain in the DKIM signature’s d= tag to match the From: domain exactly. adkim=r (relaxed, the default) also accepts a subdomain of the same organizational domain, so a signature for mail.example.com aligns with a From: of example.com. If you want relaxed, you can simply leave this part out of the string. |
| aspf | SPF alignment mode, same idea: aspf=s requires the domain SPF passed for (the envelope MAIL FROM / return-path domain) to match the From: domain exactly, while aspf=r (the default) also accepts subdomains. If you want relaxed, leave this part out of the string. |
| rua | The mailto: address where you want the aggregate reports sent. If you do not want these reports, do not include the rua= part in the string. |
| ruf | The mailto: address where you want forensic (per-message failure) reports sent. If you do not want them, do not include the ruf= part in the string. Be aware that many large receivers do not send forensic reports at all. |
| pct | The percentage of failing mail the receiving server should apply your policy to. In our example above it is 70 percent. If you want it applied to everything, set it to 100 or simply leave the pct= part out. Mail outside the sample is not ignored; it gets the next weaker policy (reject becomes quarantine, quarantine becomes none), which is what makes pct useful for a gradual rollout. |
| fo | Tells the receiving server which failures should generate forensic reports. 0 (the default) = send a report only if both SPF and DKIM fail alignment. 1 = send a report if either SPF or DKIM fails. It only has an effect if ruf is also set. |
| rf | You don’t see the rf tag in our example above. It sets the format of failure reports, but since the only format defined is “afrf” (Authentication Failure Reporting Format), it isn’t needed at all. |
| ri | You also don’t see the ri tag above in our example. This is the requested number of seconds between aggregate reports. The default is 86400 seconds, which is one day, so you only need it if you want to change that. |
Of the tags listed above, only v and p are required. The rest are optional and take the defaults described when they are left out.
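To make the tag rules and the alignment check concrete, here is a small Python checker added to this article (it is not code from the original page or from any mail software). It parses a record like the one above, fills in the RFC 7489 defaults for absent tags, rejects records a receiver would ignore (v not first, missing or invalid p, rua without mailto:), and evaluates a message against the record. It goes slightly beyond the text above by also applying the pct downgrade rule and the fo option. The record string, domain names and message inputs are constructed for illustration, and org_domain is a two-label approximation of the organizational domain rather than a Public Suffix List lookup.

```python
"""Parse, validate and evaluate a DMARC TXT record (added example)."""
import random

# Defaults RFC 7489 assigns to tags that are absent from the record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}


def parse_dmarc(txt):
    """Split a DMARC TXT string into a dict of tags, fill defaults, and
    raise ValueError for records a receiver would ignore."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p is required and must be none, quarantine or reject")
    for name, default in DEFAULTS.items():
        tags.setdefault(name, default)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim and aspf accept only r or s")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo accepts only 0, 1, d, s (colon separated)")
    for name in ("rua", "ruf"):  # report destinations must be mailto: URIs
        for uri in tags.get(name, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{name} entries must be mailto: URIs")
    tags["pct"] = int(tags["pct"])
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["ri"] = int(tags["ri"])
    return tags


def is_valid(txt):
    """True if parse_dmarc accepts the record."""
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Assumption for this example: real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the domain SPF/DKIM authenticated align with the From: domain?
    mode 's' needs an exact match; 'r' accepts the same organizational domain."""
    if auth_domain is None:  # the mechanism did not pass at all
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None,
             sample=None):
    """Return (dmarc_result, disposition) for one message.

    spf_pass_domain: MAIL FROM domain SPF returned pass for, or None.
    dkim_pass_domain: d= of a DKIM signature that verified, or None.
    sample: 0-99 bucket for the pct check; None draws one at random.
    """
    spf_ok = aligned(spf_pass_domain, from_domain, record["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "pass", "none"
    if sample is None:
        sample = random.randrange(100)
    if sample < record["pct"]:
        return "fail", record["p"]
    # Outside the pct sample the next weaker policy applies (RFC 7489 6.6.4).
    weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}
    return "fail", weaker[record["p"]]


def wants_failure_report(record, spf_ok, dkim_ok):
    """Apply fo: 0 = report only when neither mechanism gave an aligned pass,
    1 = report when either failed. The d and s options (raw DKIM/SPF
    verification failures) are not modelled here."""
    opts = record["fo"].split(":")
    if "1" in opts and not (spf_ok and dkim_ok):
        return True
    return "0" in opts and not spf_ok and not dkim_ok


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s; "
                      "rua=mailto:email@example.com; pct=70; fo=1;")
    # Constructed message: From: example.com, SPF passed for mail.example.com.
    # Strict aspf means the subdomain does not align, so this one fails.
    print(evaluate(rec, "example.com", spf_pass_domain="mail.example.com",
                   sample=10))
```

Run the same message against a record without adkim=s and aspf=s and it passes, which is the practical difference between strict and relaxed alignment: strict mode breaks mail sent from subdomains or through third-party senders that sign with a different domain, so most domains start relaxed and tighten later.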
As you can see, there are quite a number of tags to consider, and creating your own DMARC record will depend entirely on what actions you want the recipient mail server to take. We highly recommend this handy DMARC wizard which will walk you through the entire process of creating a record for your own domain(s).
Once you have run through the wizard or created your own DMARC string, adding it to DNS is pretty straightforward.
You’ll want to create a new TXT record. The “Host” value will be “_dmarc” (without the double quotes, of course), so the full record name becomes _dmarc.yourdomain.com. The “Text” part of the record will be the whole string you created, starting with v=DMARC1. Once it has propagated, you can confirm it is visible by querying the TXT record for _dmarc.yourdomain.com with a tool such as dig or nslookup. Here is an example of ours:
Of course, if you need help, that’s what we’re here for! Just reach out via chat (if we’re online) or create a support case.