DMARC Records

Domain-based Message Authentication, Reporting, and Conformance (DMARC) records can be used with SPF and/or DKIM records to help protect domains against email spoofing.

A DMARC record is added to DNS as a TXT record. There are 5 key parts to a DMARC record:

  • The Host Name: This is always _dmarc.

    The host name is required in a DMARC record.
  • The Version Number: This is always v=DMARC1, which means the first version of DMARC.

    The version number is required in a DMARC record.
  • The Policy: This tells mail servers what to do if a message fails SPF and/or DKIM checks. The policy can be to reject an email, quarantine an email, or to do nothing. Setting p=reject means messages that fail checks won’t be delivered. Setting p=none means no action is requested and the receiving mail server decides what to do. Setting p=quarantine means the mail will be delivered but marked as spam.

    A policy is required in a DMARC record.
  • The Reports Address: This lets you collect statistics on email usage for your domain and how often messages fail SPF and DKIM checks. The general format is rua=mailto:dmarcreport@example.com, where you replace dmarcreport@example.com with an address that should receive the statistics.

    A Reports address is optional in a DMARC record.
  • The Authentication Methods: You can specify if SPF and/or DKIM should be checked, and whether the checks should apply to sub-domains.

    Authentication methods are optional.

A DMARC record if you only want statistics

You can add this record if you want statistics about email usage without doing anything else.

Host Name: _dmarc
Text: v=DMARC1; p=none; rua=mailto:dmarcreport@example.com

Replace dmarcreport@example.com with an address that should receive reports about messages sent from the domain.

A DMARC record if you want to quarantine mail

You can add this record if you want to quarantine mail that fails checks.

Host Name: _dmarc
Text: v=DMARC1; p=quarantine; rua=mailto:dmarcreport@example.com

You can remove ; rua=mailto:dmarcreport@example.com if you do not want to receive statistics.

Additional Information About DMARC Records

Authentication methods can be SPF, DKIM, or both. The methods also specify whether you want strict matching or relaxed matching.

Strict matching means the domain in the From address must exactly match the domain in the authenticated headers. Relaxed matching means the domain in the From address can match either that domain or a subdomain of it. If you send email from name@example.com but the message comes from name@mail.example.com, strict matching will not authenticate the message, while relaxed matching will. If your mail host uses sub-domains, you may want to use relaxed matching.

You can add one type of DKIM matching and/or one type of SPF matching, but you can’t use both relaxed and strict matching for the same type of authentication. Here are some options you can add to your record:

  • adkim=r; Use DKIM authentication with relaxed matching
  • adkim=s; Use DKIM authentication with strict matching
  • aspf=r; Use SPF authentication with relaxed matching
  • aspf=s; Use SPF authentication with strict matching
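As an added example (not part of the original page), the following Python parses a DMARC TXT record into its tags, validates the required and optional parts described above, and applies strict or relaxed alignment to the example.com / mail.example.com case. The relaxed check is a simplification: it treats either domain being a subdomain of the other as aligned, whereas RFC 7489 compares organizational domains using the Public Suffix List.

```python
POLICIES = ("none", "quarantine", "reject")  # valid p= values

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags; raise ValueError if v=/p= are wrong."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):  # optional; relaxed ("r") is the default
        if tags.get(tag, "r") not in ("r", "s"):
            raise ValueError(f"{tag}= must be r or s")
    return tags

def is_valid_dmarc(txt: str) -> bool:
    try:
        parse_dmarc(txt)
        return True
    except ValueError:
        return False

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """s: domains identical. r: one may be a subdomain of the other (simplified;
    RFC 7489 compares organizational domains via the Public Suffix List)."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return f == a or a.endswith("." + f) or f.endswith("." + a)

def dmarc_result(record, from_domain, spf_domain, dkim_domain) -> str:
    """"pass" if SPF or DKIM verified a domain aligned with the From domain,
    else the p= policy. Pass None for a method that did not authenticate."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]
```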

You can visit the DMARC FAQ for more detailed information.