DMARC (Domain-based Message Authentication, Reporting and Conformance) is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. The DMARC record allows easier to identify spam and/or phishing messages, received in the Customers's mailbox, and to keep them out of there.
In the example shown above, the sender requests that the receiver outright reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender was testing its configuration, it could replace “reject” with “quarantine” which would tell the receiver they shouldn’t necessarily reject the message, but consider quarantining it.
DMARC records follow the extensible “tag-value” syntax for DNS-based key records defined in DKIM.
You can see the available tags here:
|pct||Percentage of messages subjected to filtering||pct=20|
|ruf||Reporting URI for forensic reports||ruf=mailto:firstname.lastname@example.org|
|rua||Reporting URI of aggregate reports||rua=mailto:email@example.com|
|p||Policy for organizational domain||p=quarantine|
|sp||Policy for subdomains of the OD||sp=reject|
|adkim||Alignment mode for DKIM||adkim=s|
|aspf||Alignment mode for SPF||aspf=r|
To add DMARC, you need to create a TXT record in your DNS Zone. You can see the example below:
A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s “From” (RFC 5322) header. The inbound server then checks evaluates the message for three key factors:
With this information, the server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
After using DMARC policy to determine the proper disposition for the message, the receiving mail server will report the outcome to the sending domain owner.
DMARC is the latest trend in email authentication technics. It helps protect domains from being spoofed and from fraudulently sent emails. DMARC is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. This is why DMARC is used only if SPF and DKIM records are already added to the DNS for your domain name.
To add DMARC, go to your DNS zone management page and click on “Add new record”. For "Type" select "TXT" and type as follows:
*This hostname is used as an example.
Some best practices for DMARC record configuration include:
Additionally, you should review your records every time you make changes to your mailbox settings to ensure that any new changes are implemented correctly.
We will show you how you can check your DMARC records if they are visible in the DNS using different commands:
$ dig _dmarc.cloudns.net txt
You need to replace “cloudns.net” with the domain you want to query. In addition, keep in mind that TXT must be specified as the type of record that you are looking for at the end of the command.
$ nslookup -q=txt _dmarc.cloudns.net
Again, replace “cloudns.net” with the domain you want to query. After running the command, you should see a DMARC record and any errors or warnings associated with it.
$ host -t txt _dmarc.example.com
Press Enter and check the results!
Furthermore, to check DMARC records, you could use an online DNS record lookup tool such as the ClouDNS Free DNS tool.
DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:
ClouDNS provides full support for DMARC records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your DMARC records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: Where is the option for adding a DMARC record? I cannot see it.
Answer: DMARC can be implemented by adding a TXT record, as described in this article.
Question: How can I generate the values for my DMARC record?
Answer: There are plenty of DMARC generators and DMARC wizards on the Internet. You can use any of them.
Question: What types of policies can I set with a DMARC record?
Answer: You can set three main types of policies with a DMARC record: none, quarantine, and reject. These policies can be used to determine how email platforms should handle emails from a particular domain.
Question: What should I do if I find suspicious activity on my DMARC reports?
Answer: If you find suspicious activity on your DMARC reports, you should immediately address the issue by setting up a more restrictive policy or tightening security on your domain. Additionally, you should also report the issue to the email address provided in the reports.
Question: How often should I review my DMARC record?
Answer: You should review your DMARC record whenever you make changes to your mailbox settings, as this will ensure that any new changes are properly implemented.