DMARC record explained

What is DMARC?

DMARC is an abbreviation of Domain-based Message Authentication, Reporting and Conformance. It is a mechanism for secure email exchange that uses both SPF and DKIM. Setting up DMARC properly for your domain will reduce email phishing (thanks to the reporting of SPF) and spoofing (thanks to the encryption of DKIM). Your emails will be delivered at a much higher rate, and fewer of them will end up in the spam folder.

Using DMARC adds an extra level of security on top of SPF and DKIM.

You can configure it more strictly, so that even if SPF and DKIM pass, DMARC still fails when its own criteria are not met.

You can also make it lighter and limit the check to only SPF or only DKIM.

Why use it?

  1. To send emails without interruption. The emails will be encrypted, and the receiver will be able to unlock them with the public key. The presence of DMARC indicates that the domain can be trusted.
  2. To stop others from using your domain name for phishing attacks. DMARC lets you tell the receiving servers which particular servers your domain is related to; anything different should be discarded immediately. It can work by allowing only good emails, by stopping all bad emails, or both.

How to create a DNS DMARC record?

DMARC format and DMARC tags

DMARC is published as a DNS TXT record. It specifies the host (the domain name) and carries extra values for the receiver's incoming mail server, so that it knows how to handle the emails.

The extra values are tags. Here is a list of all of the DMARC tags and what they do:

adkim
  Description: Tells the mail receiver whether DKIM alignment should be checked in relaxed or strict mode.
  Values: r – relaxed mode; s – strict mode

aspf
  Description: Tells the mail receiver whether SPF alignment should be checked in relaxed or strict mode.
  Values: r – relaxed mode; s – strict mode

fo
  Description: Failure options. Tells the mail receiver when it should generate failure reports.
  Values: 0 – generate a DMARC failure report if no mechanism produces a pass; 1 – generate a DMARC failure report if any mechanism fails to pass; d – generate a DKIM-specific failure report when the error comes from DKIM; s – generate an SPF-specific failure report when the error comes from SPF

p
  Description: Mail receiver policy. Tells the receiver which policy to apply; it also applies to the subdomains.
  Values: none – no action needed; quarantine – the domain owner wants the receiver to quarantine the emails that fail the checks; reject – the domain owner wants the receiver to reject those emails during the SMTP transaction

pct
  Description: The percentage of messages to which the DMARC policy should be applied.
  Values: 0 to 100; the receiver applies the policy to a random sample of that size

rf
  Description: Specifies the format of the failure reports. It can include data from SPF and DKIM too.
  Values: afrf (auth-failure report format), arf (abuse reporting format), and more

ri
  Description: Requested interval between aggregate reports, in seconds.
  Values: the usual value is one day (86400 seconds)

rua
  Description: Return feedback (aggregate). Tells the receiver where it should send the aggregate DMARC failure reports.
  Values: the email address of the domain administrator, as a mailto: URI

ruf
  Description: Return feedback (per-message). Tells the receiver where it should send the per-message DMARC failure reports.
  Values: the email address of the domain administrator, as a mailto: URI

sp
  Description: Subdomain policy. The receiver uses this extra tag to know what to do with subdomains when the domain owner wants a different policy than for the main domain.
  Values: a specific policy value for the subdomains

v
  Description: Version. It must be the first tag, and its value must be DMARC1.
  Values: DMARC1
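As an added example (not code from the original article), here is a small Python checker that parses a DMARC TXT record into the tags listed above and flags the mistakes a defender most often finds: wrong tag order, a monitor-only policy, an out-of-range pct, bad alignment modes and non-mailto report addresses. The two sample records and the example.com report addresses are constructed for illustration.

```python
# Added example (not from the article): parse a DMARC TXT record into its tags and
# flag common mistakes. The record is the string published at _dmarc.<domain>;
# the two sample records at the bottom are constructed for illustration.
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                       # tolerate a trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return the problems found in a record; an empty list means it looks sane."""
    tags = parse_dmarc(record)
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        problems.append(f"p= must be none, quarantine or reject, got {p!r}")
    elif p == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", "none").lower() not in POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    pct = tags.get("pct", "100")           # 100 is the default when pct is absent
    if not pct.isdigit() or int(pct) > 100:
        problems.append(f"pct must be 0-100, got {pct!r}")
    for align in ("adkim", "aspf"):
        if tags.get(align, "r").lower() not in ("r", "s"):
            problems.append(f"{align} must be r (relaxed) or s (strict)")
    for report in ("rua", "ruf"):          # report destinations must be mailto: URIs
        if report in tags and not all(u.strip().startswith("mailto:") for u in tags[report].split(",")):
            problems.append(f"{report} must list mailto: URIs")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports are never received")
    return problems


# Constructed samples: a weak record (wrong order, monitor-only, bad pct) beside a hardened one.
WEAK = "p=none; v=DMARC1; pct=150"
STRONG = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; fo=1; "
          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")
```

Running `check_dmarc(WEAK)` lists four problems, while `check_dmarc(STRONG)` returns an empty list.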