DMARC Record

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. The DMARC record allows easier to identify spam and/or phishing messages, received in the Customers's mailbox, and to keep them out of there. 

Example of DMARC record:

Host Type Points to: TTL
_dmarc.yourdomain.com TXT v=DMARC1;p=reject;pct=100;rua=mailto:mailmaster@postmaster.com 3600

In the example shown above, the sender requests that the receiver outright reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender was testing its configuration, it could replace “reject” with “quarantine” which would tell the receiver they shouldn’t necessarily reject the message, but consider quarantining it.
DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM.

You can see the available tags here:

Tag name Purpose Sample
v Protocol version v=DMARC1
pct Percentage of messages subjected to filtering pct=20
ruf Reporting URI for forensic reports ruf=mailto:authfail@example.com
rua Reporting URI of aggregate reports rua=mailto:aggrep@example.com
p Policy for organizational domain p=quarantine
sp Policy for subdomains of the OD sp=reject
adkim Alignment mode for DKIM adkim=s
aspf Alignment mode for SPF aspf=r

 To add DMARC, you need to create a TXT record in your DNS Zone. You can see the example below:

Why do you need a DMARC record?

DMARC is the latest trend of the email authentication technics. It is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms.Which is why DMARC is used only if SPF and DKIM records are already added in the DNS for your domain name.

How to create a DNS DMARC record?

To add DMARC, go to your DNS zone management page and click on “Add new record”. For "Type" select "TXT" and type as follows:

  • Type: TXT
  • TTL: 1 Hour
  • Host: _dmarc*
  • Points to: dmarc tags and values.

*This hostname is used as an example.

How to add a DMARC Record - Step by Step video:

How to start managing DMARC records for your domain name?

  1. Open free account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create a new Master DNS from the [add new] button - read more here
  5. Add the DMARC records you need as it is described in this article

How does DMARC record work?

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s “From” (RFC 5322) header. The inbound server then checks evaluates the message for three key factors:

  • Does the message’s DKIM signature validate?
  • Did the message come from IP addresses allowed by the sending domain’s SPF records?
  • Do the headers in the message show proper “domain alignment”?

With this information, the server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.

After using DMARC policy to determine the proper disposition for the message, the receiving mail server will report the outcome to the sending domain owner.

DMARC report - what is it?

DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:

  • Aggregate reports, which are XML documents showing statistical data about the messages received that claimed to be from a particular domain. Date reported includes authentication results and message disposition. Aggregate reports are designed to be machine-readable.
  • Forensic reports, which are individual copies of messages which failed authentication, each enclosed in a full email message using a special format called AFRF. Forensic report can be useful both for troubleshooting a domain’s own authentication issues and for identifying malicious domains and web sites.

How to check my DMARC records?

We will show you how you can check your DMARC records if they are visible in the DNS using different commands:

  • dig _dmarc.example.com TXT ( Have in mind, that TXT must be specified as type of record that you are looking for at the end of the command.)
  • nslookup -type=txt _dmarc.example.com
  • host -t txt _dmarc.example.com

Support of DMARC records

ClouDNS provides full support for DMARC records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your DMARC records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: Where is the option for adding a DMARC record? I cannot see it.

Answer: DMARC can be implemented by adding a TXT record as described in this article.

Question: How can I generate the values for my DMARC record?

Answer: There are plenty of DMARC generators and DMARC wizards on the Internet. You can use any of them.


Last modified: 2022-01-14
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more