In this article, we will discuss DMARC records and how they work. Using a DMARC record helps protect your domain from spam and spoofing and improves email deliverability and trust. DMARC is used with SPF or DKIM.
As of February 2024, Google and Yahoo will begin rejecting emails from senders without a DMARC record/policy on their sending domain. A minimal policy, such as v=DMARC1; p=none;, is required. For help creating a DMARC record for your domain, you can try using a DMARC generator tool.
Table of Contents
- Requirements
- What is DMARC?
- What is a DMARC record?
- How does it work?
- Conclusion
- Troubleshooting
- Additional Information
Requirements
- A custom domain with access to DNS settings
- SPF or DKIM set up for the sending domain
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps receiving mail systems decide what to do with messages from your domain that fail SPF or DKIM checks.
It also checks that the domain in the sender’s From or Header From address (RFC5322.From), the address recipients see in their email clients, aligns with the domain authenticated by SPF or DKIM. This is important because SPF and DKIM can pass even if they do not match the domain in the sender’s “From Address.”
Finally, it instructs email servers to send reports about DMARC results so that you can stay informed about email-sending activity on your domain.
What is a DMARC record?
A DMARC record is a TXT-type DNS record named _dmarc that defines the policy and other options for email servers. The record consists of tags assigned values with an equal sign, with each tag=value pair separated by a semicolon.
Here is an example of a minimal DMARC record:
v=DMARC1; p=none;
For help creating a DMARC record for your domain, you can try using a DMARC generator tool.
These are some of the commonly used tags you can use to set up your domain’s DMARC record:
- v: (Required) This tag is the DMARC protocol version. Currently, there is only one version, DMARC1.
- p: (Required) This tag tells email servers what to do with messages from your domain if the DMARC check fails. This is known as the “policy”. You have three options:
  - none: This policy instructs email servers to deliver the message to the recipient’s inbox anyway.
  - quarantine: This policy instructs email servers to deliver the message to the recipient’s spam folder.
  - reject: This policy instructs email servers to reject the message, resulting in a bounce, and not deliver it at all.
- pct: This tag defines the percentage of messages you want checked with DMARC. You can pick any number between 1 and 100. By default, all messages are checked (100).
- aspf: This tag sets the alignment mode for the SPF domain check. You have two options (by default, “Relaxed” is used):
  - r: (“Relaxed”) This mode allows the SPF check to use a different subdomain than the From domain.
  - s: (“Strict”) This mode requires the SPF domain and From domain to match exactly, or DMARC will not pass.
- adkim: This tag sets the alignment mode for the DKIM domain check. You have two options (by default, “Relaxed” is used):
  - r: (“Relaxed”) This mode allows the DKIM check to use a different subdomain than the From domain.
  - s: (“Strict”) This mode requires the DKIM domain and From domain to match exactly, or DMARC will not pass.
- rua: This tag lists the recipients who should receive DMARC aggregate reports (a report of all DMARC results from your domain for the specified interval). The recipient address should be on this domain; otherwise, you must add DNS records to their domain. Example: mailto:postmaster@mydomain.com
- ruf: This tag lists the recipients who should receive DMARC “forensic” reports (a report of DMARC results with full details about the messages). The recipient address should be on this domain; otherwise, you must add DNS records to their domain. Most providers do not send forensic reports as they may contain sensitive information. Example: mailto:postmaster@mydomain.com
- ri: This tag sets the interval at which reports should be sent. This defaults to 86400 seconds (24 hours), the lowest possible value. You may set a higher value if you wish.
How does it work?
Authentication
The receiving server will first check if either SPF or DKIM passed. Then, it will check if the domain used by SPF (Return-Path) or the domain used by DKIM (d=) aligns with the “From” domain. Finally, it will extract the DMARC policy published in the DNS record for the “From” domain and comply with it.
The overall logic is as follows:
- If SPF passes and aligns with the “From” domain, then DMARC will pass.
- If DKIM passes and aligns with the “From” domain, then DMARC will pass.
- If both SPF and DKIM fail, then DMARC will fail.
So DMARC requires not only that either SPF or DKIM passes, but also that the domain used by whichever one passed aligns with the domain in the “From” address. Only then will DMARC authentication pass.
The alignment mode can be set for SPF and DKIM separately. By default, relaxed (r) alignment mode is used, which allows subdomains to be used in the SPF and DKIM checks when comparing them to the “From” domain. Otherwise, strict (s) alignment mode requires the domains to match exactly, or the DMARC authentication check will not pass.
Examples:
v=DMARC1; p=none; adkim=s;
v=DMARC1; p=none; aspf=r;
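To make the record format and the authentication logic above concrete, here is an added example (not code from the original article) that parses a DMARC TXT record into its tags and then applies the pass/align rules. Relaxed mode needs the organizational domain; this example simplifies it to the last two labels, whereas real validators consult the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; aspf=s;' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';'
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # v and p are the two required tags
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("DMARC record must contain v=DMARC1 and a p tag")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels, e.g. mydomain.com)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) requires an exact match; 'r' (relaxed, the default) accepts subdomains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the Return-Path domain, dkim_domain is the DKIM d= value.
    DMARC passes if SPF passes and aligns, or DKIM passes and aligns; on failure the
    disposition is the p= policy (the pct sampling tag is ignored here for brevity).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]
```

With aspf=s, a message whose Return-Path is mail.mydomain.com but whose From is mydomain.com fails alignment even though SPF itself passed.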
Reporting
Whenever an email is sent using your domain and DMARC is checked, the result (pass or fail) is added to an aggregate report, which is periodically sent to the email address specified in the record through the rua tag. Forensic reports can also be sent for failures by specifying an email address with the ruf tag; however, most providers will not send forensic reports as they may contain sensitive information. The email addresses should belong to the same domain to which you are adding the record; otherwise, you must be able to configure additional DNS records on the email domain you specify.
You can also define the interval between reports by using the ri tag. By default, it will use 86400 seconds, which equals 24 hours.
Examples:
v=DMARC1; p=none; rua=mailto:postmaster@mydomain.com; ri=86400;
v=DMARC1; p=none; ruf=mailto:postmaster@mydomain.com; ri=604800;
Conformance (Policy)
DMARC policy tells the receiving server how to handle failed DMARC checks. The policy is set using the p tag. You may also specify the percentage of message traffic you want verified with DMARC using the pct tag. By default, this is 100%.
Examples:
v=DMARC1; p=reject;
v=DMARC1; p=reject; pct=100;
Some people like to start with a quarantine policy and a low pct value (maybe 50 or less) while testing their settings to ensure they are configured correctly. Once everything is verified to be working and passing correctly, switching to the reject policy and removing the pct tag to enforce 100% is recommended.
Conclusion
Congratulations! You now have the information necessary to configure a DMARC record for your domain that suits your needs. For help with creating a DMARC record for your domain, you can try using a DMARC generator tool.
Troubleshooting
- A domain registrar or DNS provider does not support TXT records longer than 255 characters.
  - In this case, please use a different DNS provider, such as Cloudflare, to manage your domain’s DNS records. Please see Cloudflare’s documentation for more details.
Additional Information