What Is a DMARC Record?
A DMARC record holds the rule set on which a DMARC implementation is built. It signals to email receivers that the domain uses DMARC, and it carries the domain owner's policy. The record is published as a DNS (Domain Name System) entry, so to use DMARC you must first create a DMARC DNS record. Email receivers that have DMARC enabled in their mail systems look up and apply this record.
As a result, all email sent using the organization's domain is evaluated against the organization's DMARC policy. Because DMARC records are kept in the DNS, they are immediately available to every mail server on the Internet: any system with DNS access can obtain the DMARC record for a domain and use it to assess whether an email is legitimate. Organizations publishing DMARC records declare how failures should be handled; such messages can be monitored, delivered, quarantined, or rejected.
The DMARC record is published in the DNS zone of your domain. The TXT record name should be “_dmarc.yourdomain.com”, where “yourdomain.com” is replaced with your actual domain name. EmailAuth provides a DMARC Generator that produces the DMARC record for any domain; users can also use it to generate a sample DMARC record.
DKIM and SPF must be configured before deploying DMARC, and they should have been validating email messages for at least 48 hours before DMARC is turned on. Once everything is in place, follow these steps to create a DMARC record:
Note: These steps should be performed in the management console for your domain host.
- Be ready with the text file or line that consists of your DMARC policy record.
- Sign in to the management console for your domain host.
- Find the page where you update your DNS records.
- Add a DNS TXT record, or update an existing one, by inserting your record in the TXT record for _dmarc.
- In the first field, under DNS Hostname, enter _dmarc.yourdomain.com. Note that some domain hosts automatically append the domain name after _dmarc, so after you add the TXT record, verify that the resulting record name is formatted correctly (it should read _dmarc.yourdomain.com, not _dmarc.yourdomain.com.yourdomain.com).
- In the second field, enter the text for your DMARC record. For example: v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org
- Save your changes.
Required Tags of a DMARC Record
v: This is the version tag used to identify the retrieved record as a DMARC record. Its value must be DMARC1 and it must be the first entry in the DMARC record.
p: This tag defines the policy you want mailbox providers to apply when your email fails the DMARC authentication and alignment tests. Unless the ‘sp’ tag (see below) specifies a different policy, this policy applies to the main domain (example.com) and all of its subdomains (m.example.com, b.example.com, and so on). The policy values are ‘none’, ‘quarantine’, and ‘reject’.
Recommended Tags of a DMARC Record
- rua=mailto:email@example.com: This tag tells mailbox providers where to send aggregate reports. DMARC aggregate reports uncover possible authentication issues or fraudulent activity, giving you visibility into the health of your email program. These reports contain detailed authentication results and are sent daily by participating mailbox providers.
- fo: This tag tells mailbox providers that you want message samples (failure reports) for emails that failed SPF and/or DKIM. There are four options to choose from:
  - 0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned “pass” result. (Default)
  - 1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned ‘pass’ result. (Recommended)
  - d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
  - s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
- sp: This tag sets the policy for all subdomains whose email fails the DMARC authentication and alignment tests. It is useful when a domain owner wants different policies for the parent domain and its subdomains. The policy options are the same as for the “p” tag above. If this tag is not used, the policy defined with the p tag applies to the parent domain and all of its subdomains.
- adkim: Indicates strict or relaxed DKIM identifier alignment. The default is relaxed.
- aspf: Indicates strict or relaxed SPF identifier alignment. The default is relaxed.
- pct: The percentage of messages that will be subject to the DMARC policy. This tag allows you to apply the policy progressively and assess its impact. Values are integers from 1 to 100; the default is 100.
- ruf=mailto:firstname.lastname@example.org: This tag tells mailbox providers where to send forensic (message-level) reports. Forensic reports are more detailed and are designed to be sent as soon as a mailbox provider detects a DMARC authentication failure. Most mailbox providers, however, do not send them because of privacy and performance concerns.
- rf: The format for failure reports. ‘afrf’ (Authentication Failure Reporting Format) is the default and, at the moment, the only supported value.
- ri: The requested interval between aggregate reports, in seconds. The default is 86400 seconds (one day). Participating mailbox providers that can send more than one aggregate report per day will do so on a best-effort basis.
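As an added illustration (not part of the original article or of any EmailAuth tooling), the following Python checker parses a DMARC TXT record and verifies the required and recommended tags described above; the sample record is the one shown earlier on this page, and the other inputs in use are constructed.

```python
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}  # relaxed / strict, for adkim and aspf
FO_OPTIONS = {"0", "1", "d", "s"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed element: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return a list of problems; an empty list means the record looks valid."""
    problems = []
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    # v must be the first tag and its value must be exactly DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if "p" not in tags:
        problems.append("required tag p is missing")
    elif tags["p"] not in POLICIES:
        problems.append(f"invalid p value {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"invalid sp value {tags['sp']!r}")
    for t in ("adkim", "aspf"):
        if t in tags and tags[t] not in ALIGNMENT:
            problems.append(f"{t} must be r (relaxed) or s (strict)")
    # the article lists 1-100; RFC 7489 also permits pct=0, so 0-100 is accepted here
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if "fo" in tags and not set(tags["fo"].split(":")) <= FO_OPTIONS:
        problems.append("fo accepts only 0, 1, d, s (colon-separated)")
    if "rf" in tags and tags["rf"] != "afrf":
        problems.append("rf supports only afrf")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be an integer number of seconds")
    for t in ("rua", "ruf"):
        for uri in tags.get(t, "").split(","):
            if uri.strip() and not uri.strip().startswith("mailto:"):
                problems.append(f"{t} URIs must use mailto:")
    return problems

# Sample record, copied from the example given earlier on this page
SAMPLE = "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org"
```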