How to Create a DMARC Record

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an essential email authentication protocol that helps validate the authenticity of emails sent from your domain. By implementing DMARC, you can prevent spoofed senders, enhance email deliverability, and help protect against phishing attacks.

What is a DMARC Record?

A DMARC record is a TXT record published in your domain’s DNS (Domain Name System). It specifies how email receivers should handle messages from your domain.

After the recipient mail server has carried out SPF and DKIM checks, DMARC indicates how strictly the checks should be applied, how failing emails should be treated, where reports about those emails should be sent, and a variety of other options.

Creating a DMARC Record

A DMARC record consists of various options indicating the policy that should be applied, and where reports should be sent.

A few of the possible options are:

  • v: Version of DMARC. This is likely DMARC1.
  • p: Policy. One of none (act as if no DMARC record exists), quarantine (treat as spam), or reject (discard the email).
  • rua: The address to send the aggregate reports to.
  • ruf: The address to send the forensic reports to.
  • pct: The percentage of emails the policy should be applied to.
  • sp: The policy to be applied to subdomains. This has the same possible values as the policy option.

You can use a DMARC record generator to create the required DMARC record. The generator page also includes a list of all the available options with explanations.

After creating your DMARC record, add it as a TXT DNS record for the domain with the name _dmarc. For example:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com"

It is recommended that the policy is initially set to none until you have tested and validated that the DMARC record is not rejecting good emails. After this has been done, the DMARC record policy can be modified to quarantine and then eventually reject emails which fail checks.

Reporting

One of the features of DMARC is reporting. This allows mail servers to send information about emails which have been received on behalf of a domain to designated addresses. This can be an email address, or a service such as Cloudflare’s DMARC management.

This reporting allows you to identify sources of good email which are unintentionally failing checks, and sources of bad email which may be passing checks. This means that over time, your SPF, DKIM and DMARC records can all be updated as necessary to achieve the desired results.

Summary

A DMARC record is essential for all domains, regardless of whether they send emails or not. Having a DMARC record helps to prevent email spoofing and domains being used as part of phishing campaigns.