Understanding DMARC Records and Setting Them Up Correctly
What is DMARC?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Before you start
Before you set up DMARC, we recommend you set up Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). DMARC relies on SPF and DKIM to verify that messages are authentic: a message passes DMARC when at least one of SPF or DKIM passes and the domain that passed is aligned with the From: domain. Messages that fail both checks, or that pass only with an unaligned domain, trigger your DMARC policy.
DMARC with third-party email providers
For DMARC to handle suspicious messages effectively, legitimate messages must authenticate as your own domain. Messages that a third-party email provider sends on behalf of your organization often pass SPF and DKIM for the provider's domain only, so they fail DMARC alignment and can be quarantined or rejected, depending on your DMARC policy.
To prevent messages from third-party email providers from failing DMARC:
- Have the provider sign outgoing messages with DKIM for your domain: publish the provider's DKIM public key under a selector in your domain's DNS (or delegate the selector to them with a CNAME). Never hand out a private key you use yourself.
- Have the provider send through your own mail servers, or add the provider's sending hosts to your SPF record (for example with an include: mechanism) and make sure they use your domain in the envelope sender (Return-Path), since that is the domain SPF alignment compares with the From: domain.
Set up a DMARC Record in DNS
For this I assume you already have SPF and DKIM records. You add a DMARC record as a TXT record in your domain's DNS, through whatever console your DNS provider offers.
- Replace the example domain in these steps with your domain.
- Replace the example values with values for your own DMARC policy.
Add a DNS record at _dmarc
TXT record name: In the first field, under DNS Host name, enter:
_dmarc.example.com
TXT record value: In the second field, enter the values that define your DMARC policy, for example:
v=DMARC1; rua=mailto:dmarc-reports@example.com; p=quarantine; pct=90; sp=none
Here, v identifies the DMARC protocol version and is required. rua is the address that receives aggregate DMARC reports and is optional. p tells receivers how to handle messages that fail DMARC and is required. pct is optional and sets the percentage of failing messages to which the policy applies; receivers apply the next less strict policy to the rest, so with pct=90 one in ten failing messages is treated as p=none instead of being quarantined, which is useful while rolling a policy out. sp is optional and sets the policy for subdomains; it takes the same values as p, and if it is absent, p applies to subdomains as well.
DMARC TXT record values (Source: Google)
Note: Gmail does not support the DMARC ruf tag, used to send failure (forensic) reports.
Tag Name | Required | Description and values |
---|---|---|
v | Required | Protocol version. Must be DMARC1 and must be the first tag in the record. |
p | Required | Defines how receivers handle messages that fail DMARC: none (deliver normally and only report), quarantine (treat as suspicious, typically by delivering to spam), or reject (refuse the message). |
pct | Optional | Sets the percent of failing messages that the DMARC policy applies to. Failing messages are messages that fail the DMARC check. Must be a whole number between 1 and 100. The default is 100. Messages outside the sample receive the next less strict policy. |
rua | Optional | Email address to receive aggregate reports about DMARC activity for your domain, written as a mailto: URI. Use your own email address or create a new email address to receive reports. To send the report to more than one email address, separate the mailto: URIs with a comma. |
sp | Optional | Sets the policy for messages from subdomains of your main domain. Takes the same values as p. Use this option if you want a different DMARC policy for your subdomains; if omitted, p applies to subdomains too. |
adkim | Optional | Sets the alignment mode for DKIM, which defines how closely the signing domain (d= in the DKIM signature) must match the From: domain: r (relaxed, the default: same organizational domain) or s (strict: exact match). |
aspf | Optional | Sets the alignment mode for SPF, which defines how closely the envelope sender (Return-Path) domain that SPF checked must match the From: domain: r (relaxed, the default: same organizational domain) or s (strict: exact match). |
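The following script is an added example and is not code from the original page or from Google. It parses and validates a DMARC TXT record the way a receiver would (required tags, allowed values, defaults), then evaluates what that receiver would do with a message given its SPF and DKIM results, including relaxed versus strict alignment, the sp subdomain policy and pct sampling. It uses the record from the steps above and constructed authentication results; the third-party provider domains (mailer.example) and the sample values are assumptions for illustration. The organizational-domain helper takes the last two labels, which is a simplification of the Public Suffix List lookup that real implementations perform.

```python
"""Parse and validate a DMARC record, then evaluate a message against it.

Added example following RFC 7489; not code from the page or from Google.
"""

POLICIES = ("none", "quarantine", "reject")
ALIGNMENT_MODES = ("r", "s")  # relaxed / strict


def parse_dmarc(txt):
    """Split 'tag=value; tag=value; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt):
    """Return (policy with defaults applied, list of error strings).

    Any error means a receiver would discard the record, i.e. no DMARC at all.
    """
    tags = parse_dmarc(txt)
    errors = []
    if list(tags)[:1] != ["v"] or tags.get("v", "").upper() != "DMARC1":
        errors.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        errors.append(f"p is required and must be one of {POLICIES}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append(f"sp must be one of {POLICIES}")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ALIGNMENT_MODES:
            errors.append(f"{tag} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):  # RFC 7489 allows 0..100
        errors.append("pct must be a whole number from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                errors.append(f"{tag} entries must be mailto: URIs, got {uri!r}")
    policy = {
        "p": tags.get("p"),
        "sp": tags.get("sp"),  # None means "same as p"
        "pct": int(pct) if pct.isdigit() else 100,
        "adkim": tags.get("adkim", "r"),
        "aspf": tags.get("aspf", "r"),
        "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    }
    return policy, errors


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.

    Assumption for this example; production code must use the Public Suffix
    List so that e.g. example.co.uk is handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 identifier alignment: strict = exact match,
    relaxed = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(policy, policy_domain, from_domain, spf, dkim, sample=0):
    """Return 'pass', or the disposition a receiver applies to a failing message.

    policy was published at _dmarc.<policy_domain>.  spf = (result, envelope
    sender domain); dkim = (result, d= domain).  sample is the receiver's
    0..99 random draw used to apply pct.
    """
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    action = policy["p"]
    if from_domain.lower() != policy_domain.lower() and policy["sp"]:
        action = policy["sp"]  # subdomain with no record of its own
    if sample >= policy["pct"]:  # outside the sample: next less strict action
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return action


RECORD = "v=DMARC1; rua=mailto:dmarc-reports@example.com; p=quarantine; pct=90; sp=none"

if __name__ == "__main__":
    policy, errors = validate_dmarc(RECORD)
    assert not errors, errors
    # Constructed scenario: a bulk-mail provider signs with its own domain and
    # uses its own bounce address, so SPF and DKIM pass but nothing aligns.
    print(evaluate(policy, "example.com", "example.com",
                   spf=("pass", "bounce.mailer.example"),
                   dkim=("pass", "mailer.example")))       # quarantine
    # After publishing a DKIM key for the provider under example.com:
    print(evaluate(policy, "example.com", "example.com",
                   spf=("pass", "bounce.mailer.example"),
                   dkim=("pass", "example.com")))          # pass
    # Unauthenticated mail from a subdomain falls under sp=none:
    print(evaluate(policy, "example.com", "news.example.com",
                   spf=("fail", "news.example.com"), dkim=("none", None)))  # none
    print(validate_dmarc("p=reject; v=DMARC1; pct=150")[1])  # two errors
```

The first scenario is exactly the third-party provider case described above: both SPF and DKIM pass, yet the message is quarantined because neither passing domain aligns with the From: domain. Raising adkim or aspf to s makes alignment an exact match, so mail signed as mail.example.com no longer counts for example.com.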
GoDaddy shared hosting does not support DKIM signing for customer domains, as they have disabled it in cPanel. G Suite has its own method for setting up DKIM signing, while SendGrid, Amazon SES and others provide it in their consoles.
Check the published record for errors with the Check MX tool in the Google Admin Toolbox, or query it directly with dig +short TXT _dmarc.example.com and confirm the value is returned exactly as you entered it.
A recommended free service for setting up a DMARC record and processing the reports is https://dmarc.postmarkapp.com