DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used together with SPF and DKIM to help protect against email spoofing and phishing attacks. Spoofing happens when a scammer forges the From field of an email message to impersonate someone from within your domain. DMARC works from a policy that you, the domain owner, publish in a DNS TXT record for your domain. This policy tells the receiving email host how to treat messages that claim to come from your domain but fail authentication. A DMARC record can also request reports, which give you insight into who is sending mail as your domain and how receiving mail hosts are treating those messages.
DMARC builds on SPF and DKIM: a message passes DMARC when it passes SPF or DKIM and the domain that was authenticated aligns with the domain in the From header. DMARC is therefore useful only if the domain owner has already set up SPF and DKIM records. Deploy in this order: first create an SPF record, then create a DKIM record, and lastly create the DMARC record with its policy. The policy lets you decide how receivers handle email from your domain that fails both aligned checks, that is, email that is not DMARC compliant.
What is Email Spoofing?
Spoofing occurs when a malicious actor forges the From header of an email to impersonate someone within your domain, usually to trick recipients into believing the email is legitimate. SPF and DKIM alone do not stop this, because neither checks the visible From header: SPF authenticates the envelope sender domain and DKIM authenticates the signing domain. DMARC requires one of those results to pass and align with the From domain, and applies a policy that tells the receiving email server how to treat messages that do not.
How DMARC Works
DMARC requires a policy, set with the p tag in the _dmarc DNS TXT record of your domain. This policy defines how the receiving email server should handle messages that fail DMARC, that is, messages with neither an aligned SPF pass nor an aligned DKIM pass. The policy levels, from least to most strict, are:
- DMARC none: Delivers messages as normal and only generates reports. Use this while you monitor which sources send mail as your domain.
- DMARC quarantine: Moves unauthorized emails to the recipient's spam or junk folder instead of blocking them entirely. This allows the recipient to review suspicious messages without direct delivery to their inbox.
- DMARC reject: Rejects unauthorized emails outright during the SMTP transaction, preventing them from being delivered to the recipient. This is the strictest level of enforcement.
Setting Up DMARC
To use DMARC, it’s important to first set up SPF and DKIM records. Once those are in place, you can configure the DMARC policy. The DMARC policy lets you decide how receivers handle email from your domain that fails both aligned SPF and aligned DKIM and therefore does not comply with DMARC.
Example DMARC policies
These are some example policies and how they appear in the DNS TXT record.
DMARC Policy action | DMARC TXT record
---|---
No action taken on messages that fail the DMARC check. Email a daily aggregate report to dmarc@yourdomain.com. | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Deliver 10% of the messages that fail the DMARC check to recipients' spam folders; the remaining 90% fall to the next weaker policy (none) and are delivered normally. Email a daily aggregate report to dmarc@yourdomain.com. | v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com
Reject 100% of messages that fail the DMARC check. Email a daily aggregate report to two addresses: postmaster@yourdomain.com and dmarc@yourdomain.com. The receiving server refuses a failing message during the SMTP transaction, so the sending server typically returns a bounce to the sender. | v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com, mailto:dmarc@yourdomain.com
Add a TXT record to turn on DMARC
To turn on DMARC, add a DNS TXT record to your domain settings. When introducing the policy, set enforcement to none (p=none) so that legitimate email delivery is unaffected while you start out. Review the aggregate reports, and only once every legitimate sending source passes aligned SPF or DKIM move to p=quarantine (optionally with a low pct) and then to p=reject. Starting at none helps ensure everything is working properly and you don't accidentally send all your outbound email to the spam folder.
Follow these steps to add a DMARC TXT record for your domain:
- Log in to the Client Area and click the domains tab.
- Find the domain name you wish to edit from the list and select Manage Domain from the drop-down.
- On the left overview menu, select DNS Management.
- Enter _dmarc as the host name, select TXT as the record type and enter the DMARC policy you have chosen, replacing the example domain and values with your own. After the change has propagated, confirm the record is published by querying the TXT record for _dmarc.yourdomain.com.
Example DMARC record to start with
The example DMARC record below is a good place to start: no action is taken on failing messages other than the sending of the reports.
Host Name | Record Type | Address
---|---|---
_dmarc | TXT | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC TXT record values explained
Tag Name | Required | Description and values
---|---|---
v | Required | Protocol version. Must be DMARC1, and it must be the first tag in the record.
p | Required | Defines how receivers handle messages from your domain that fail DMARC: none (deliver normally and only report), quarantine (deliver to the spam or junk folder) or reject (refuse the message).
pct | Optional | Sets the percentage of failing messages that the quarantine or reject policy is applied to. Must be a whole number between 1 and 100; the default is 100. Messages outside the sample receive the next weaker policy (reject becomes quarantine, quarantine becomes none). Has no effect when p=none.
rua | Optional | Email address that receives the aggregate DMARC reports for your domain. Use an email alias or create a new mailbox for these reports. The address must be written as a mailto: URI, for example mailto:dmarc-reports@yourdomain.com. To send the report to more than one address, separate the URIs with a comma, and use no more than 2 addresses, as some services have been reported to ignore records with more. If a report address is in a different domain from the one publishing the record, that other domain must publish a TXT record at yourdomain.com._report._dmarc.<other-domain> containing v=DMARC1, or receivers will not send reports there.
sp | Optional | The policy applied to all subdomains of the domain. It uses the same values as p. If omitted, the p policy applies to subdomains as well.
adkim | Optional | DKIM alignment mode: r (relaxed, the default) accepts any DKIM signing domain that shares the organizational domain with the From domain; s (strict) requires the signing domain to match the From domain exactly.
aspf | Optional | SPF alignment mode. Same values and impact as adkim, but compares the SPF-authenticated (envelope sender) domain with the From domain.
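The following Python is an added example, not code from the original article, showing how a receiver applies the tags above: it parses a DMARC TXT record, checks SPF/DKIM identifier alignment under adkim and aspf, picks p or sp depending on whether the From domain is a subdomain, and applies pct sampling with the fall-back to the weaker policy. The record string, the message cases and the function names (parse_dmarc, dmarc_disposition, org_domain) are constructed for illustration; the organizational-domain shortcut is an assumption noted in the code.

```python
"""Parse a DMARC TXT record and apply it to a message's authentication results.

Added example, not code from the original article. The record string and the
message cases below are constructed; the function names are illustrative.
"""
import random

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a dict and validate the tags this page describes."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))          # default 100: apply to every failing message
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    for mode in ("adkim", "aspf"):             # alignment modes default to relaxed
        tags.setdefault(mode, "r")
        if tags[mode] not in ("r", "s"):
            raise ValueError(f"{mode} must be r or s")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.

    Assumption of this example: real receivers consult the Public Suffix List,
    so this shortcut is wrong for names such as example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain, dkim_domains, record_domain, roll=None):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain: MAIL FROM domain if SPF passed, else None.
    dkim_domains: d= domain of every DKIM signature that verified.
    record_domain: domain whose _dmarc record was found (From domain or its org domain).
    roll: 1-100 sample value for pct; drawn at random when not given.
    """
    spf_ok = aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = any(aligned(from_domain, d, record["adkim"]) for d in dkim_domains)
    if spf_ok or dkim_ok:
        return True, "none"                     # DMARC pass: the policy does not apply
    # sp covers subdomains when the record came from the org domain; without sp, p applies.
    subdomain = from_domain.lower() != record_domain.lower()
    policy = record.get("sp", record["p"]) if subdomain else record["p"]
    if policy == "none":
        return False, "none"
    # pct sampling (RFC 7489 6.6.4): messages outside the sample get the next weaker policy.
    roll = random.randint(1, 100) if roll is None else roll
    if roll > record["pct"]:
        policy = "quarantine" if policy == "reject" else "none"
    return False, policy


# Constructed record: reject 10% of failures, quarantine failures from subdomains.
RECORD = "v=DMARC1; p=reject; pct=10; sp=quarantine; rua=mailto:dmarc@yourdomain.com"


def demo() -> dict:
    """Run constructed cases against RECORD; returns name -> (dmarc_pass, disposition)."""
    rec = parse_dmarc(RECORD)
    cases = {
        # legitimate mail: DKIM d= matches the From domain exactly
        "aligned_dkim": ("yourdomain.com", None, ["yourdomain.com"], "yourdomain.com", 50),
        # spoof: SPF passes only for the attacker's own domain, roll inside the 10% sample
        "spoof_in_sample": ("yourdomain.com", "attacker.example", [], "yourdomain.com", 5),
        # same spoof, roll outside the sample: reject falls back to quarantine
        "spoof_out_of_sample": ("yourdomain.com", "attacker.example", [], "yourdomain.com", 95),
        # spoofed subdomain with no record of its own: sp=quarantine applies
        "subdomain_spoof": ("mail.yourdomain.com", None, [], "yourdomain.com", 5),
    }
    return {name: dmarc_disposition(rec, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (passed, disposition) in demo().items():
        print(f"{name}: pass={passed} disposition={disposition}")
```

Running the module prints one line per case. The two spoof cases differ only in the sample roll, which is exactly why a low pct during rollout is safe: a legitimate source that has not yet been fixed is quarantined rather than rejected for most of its mail, while the reports still show every failure.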