DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. A DMARC record makes it easier to identify spam and/or phishing messages sent to the customer's mailbox and to keep them out of it.
Host | Type | Points to: | TTL |
_dmarc.yourdomain.com | TXT | v=DMARC1;p=reject;pct=100;rua=mailto:mailmaster@postmaster.com | 3600 |
In the example shown above, the sender requests that the receiver outright reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender was testing its configuration, it could replace “reject” with “quarantine” which would tell the receiver they shouldn’t necessarily reject the message, but consider quarantining it.
DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM.
You can see the available tags here:
Tag name | Purpose | Sample |
v | Protocol version | v=DMARC1 |
pct | Percentage of messages subjected to filtering | pct=20 |
ruf | Reporting URI for forensic reports | ruf=mailto:authfail@example.com |
rua | Reporting URI of aggregate reports | rua=mailto:aggrep@example.com |
p | Policy for organizational domain | p=quarantine |
sp | Policy for subdomains of the OD | sp=reject |
adkim | Alignment mode for DKIM | adkim=s |
aspf | Alignment mode for SPF | aspf=r |
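A linter for the tag-value syntax and the tags listed above, as an added example (not ClouDNS code): it parses a record value, fills in the defaults for absent tags, and reports invalid or weak settings. The function names and the second sample record are constructed for illustration; the defaults and permitted values are taken from the DMARC specification, not from this page.

```python
# Added example: parse and lint a DMARC TXT record value (tag=value;...).
POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # used when a tag is absent

def parse_dmarc(txt):
    """Split a record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return (effective_tags, findings) for one record string."""
    pairs = parse_dmarc(txt)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    tags = {**DEFAULTS, **dict(pairs)}
    if tags.get("p") not in POLICIES:
        findings.append("p is missing or not none/quarantine/reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append("sp is not none/quarantine/reject")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            findings.append(f"{mode} must be r (relaxed) or s (strict)")
    pct = tags["pct"]
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag} entry is not a mailto: URI: {uri.strip()}")
    if tags.get("p") == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports will arrive")
    return tags, findings

if __name__ == "__main__":
    page_record = "v=DMARC1;p=reject;pct=100;rua=mailto:mailmaster@postmaster.com"
    weak_record = "p=none; v=DMARC1; pct=20; adkim=x"  # constructed sample
    for record in (page_record, weak_record):
        print(record, "->", lint_dmarc(record)[1] or "no findings")
```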
To add DMARC, you need to create a TXT record in your DNS Zone. You can see the example below:
DMARC is the latest trend in email authentication techniques. It is a free and open technical specification used to authenticate an email by aligning the SPF and DKIM mechanisms, which is why DMARC is used only if SPF and DKIM records are already added in the DNS for your domain name.
To add DMARC, go to your DNS zone management page and click on “Add new record”. For "Type" select "TXT" and type as follows:
*This hostname is used as an example.
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s “From” (RFC 5322) header. The inbound server then evaluates the message for three key factors:
With this information, the server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
After using DMARC policy to determine the proper disposition for the message, the receiving mail server will report the outcome to the sending domain owner.
DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:
We will show you how to check whether your DMARC records are visible in the DNS using different commands:
ClouDNS provides full support for DMARC records for all our DNS services, including those listed below. Just write to our technical support if you need any assistance with your DMARC record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: Where is the option for adding a DMARC record? I cannot see it.
Answer: DMARC can be implemented by adding a TXT record as described in this article.
Question: How can I generate the values for my DMARC record?
Answer: There are plenty of DMARC generators and DMARC wizards on the Internet. You can use any of them.