WHAT IS DMARC
What is a DMARC record?
A DMARC record is a TXT record published in the DNS on your domain, under _dmarc.yourdomain.com, where “yourdomain.com” is your actual domain or subdomain. It tells the email receiver what to do when an email message fails DMARC authentication, and also where to send reports on email authentication statistics.
A DMARC record consists of a list of DMARC tags. Each tag is a key/value pair written as key=value, and tags are separated by semicolons. The list below shows what each tag that may be found in a DMARC record means:
- v: DMARC protocol version. The value must be "DMARC1";
- p: Apply this policy to emails that fail the DMARC check. This policy can be set to 'none', 'quarantine', or 'reject'. 'none' is used to collect DMARC reports and gain insight into the current email flows and their status;
- rua: A list of URIs for email service providers to send aggregate reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.com';
- ruf: A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.org';
- sp: This policy is applied to email from a subdomain of this domain that fails the DMARC check. Using this tag, domain owners can publish a 'wildcard' policy for all subdomains;
- fo: Forensic options. Allowed values: '0' to generate reports if both DKIM and SPF fail, '1' to generate reports if either DKIM or SPF fails to produce a DMARC pass result, 'd' to generate a report if DKIM has failed, or 's' to generate a report if SPF has failed;
- rf: The reporting format for forensic reports;
- pct: The percentage tag instructs ISPs to apply the DMARC policy to only a percentage of failing emails. 'pct=50' tells receivers to apply the 'p=' policy to only 50% of the emails that fail the DMARC check. NOTE: this has no effect with the 'none' policy; it only applies to the 'quarantine' or 'reject' policies;
- adkim: Specifies the 'Alignment Mode' for DKIM signatures; this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode, authenticated DKIM signing domains (d=) that share an Organizational Domain with the email's From domain pass the DMARC check. In Strict mode an exact match is required;
- aspf: Specifies the 'Alignment Mode' for SPF; this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode, authenticated SPF domains that share an Organizational Domain with the email's From domain pass the DMARC check. In Strict mode an exact match is required;
- ri: The reporting interval, i.e. how often you would like to receive aggregate XML reports. This is a preference only: ISPs can (and most likely will) send the report at a different interval, normally daily.
DMARC record vs. DMARC policy
A DMARC policy is an important part of a DMARC record: it's the value of the p= tag in the record. It specifies how an ESP (Email Service Provider) like Gmail should handle an incoming email message if it fails DMARC authentication. There are 3 options: none (monitor), quarantine, and reject, with each one representing a different level of protection against spoofing.
DMARC record examples
Here are a few DMARC record examples:
- v=DMARC1; p=none; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to monitoring mode (p=none), which allows you to monitor email authentication status, without sending failed emails to spam or rejecting them; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
- v=DMARC1; p=quarantine; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to quarantine mode (p=quarantine), which allows you to monitor email authentication status, and sends emails that fail DMARC authentication to spam; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
- v=DMARC1; p=reject; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to reject mode (p=reject), which allows you to monitor email authentication status, and rejects emails that fail DMARC authentication; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com. This DMARC record offers complete email protection against spoofing.
How is a DMARC record used?
A DMARC record is put to use in 2 steps: publishing and checking. The publishing step happens on the domain owner's side, while the checking step happens on the ESP's side.
At implementation time, the domain owner publishes a DMARC record to the DNS, with the DMARC tags appropriately set up. Each time the ESP receives an email, it looks up the DMARC record for the sender's From domain in the DNS and, if one exists, enforces its policy according to the DMARC authentication result.
Together, the domain owner and ESP work towards an ultimate reject DMARC policy, where any email that fails DMARC authentication is rejected.
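The following is an added example (not code from the DMARCLY article) that ties the tag list above to the checking step: it parses a DMARC record into its tags, validates v=, p= and the mailto: URIs, and then works out what a receiver would do with a message given adkim/aspf alignment, p=/sp= and pct=. It assumes a simplified Organizational Domain (last two labels instead of a Public Suffix List lookup) and a fixed "sample" value in place of the receiver's random draw for pct=.

```python
# Added example (not the DMARCLY article's code): parse a DMARC record and
# apply adkim/aspf alignment, p=/sp= and pct= the way a receiver would.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v; ...' into a dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    for tag in ("rua", "ruf"):  # these hold URIs, not bare addresses
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().startswith("mailto:"):
                raise ValueError(f"{tag} entries must be mailto: URIs")
    return tags

def org_domain(domain: str) -> str:
    """Organizational Domain, simplified to the last two labels (assumption;
    a real receiver consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' needs an exact match; 'r' only a shared Organizational Domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(tags, from_domain, dkim_d=None, spf_domain=None,
                subdomain=False, sample=0):
    """'pass', or the action for a failing message. dkim_d = d= of a
    verified DKIM signature, spf_domain = domain that passed SPF (None if
    none did); sample = receiver's 0-99 draw for pct= (fixed here)."""
    if dkim_d and aligned(from_domain, dkim_d, tags.get("adkim", "r")):
        return "pass"
    if spf_domain and aligned(from_domain, spf_domain, tags.get("aspf", "r")):
        return "pass"
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    if policy != "none" and sample >= int(tags.get("pct", "100")):
        # outside the sampled share: apply the next weaker policy instead
        return "quarantine" if policy == "reject" else "none"
    return policy
```

Run it against the reject-mode record from the examples above to see how pct=50 downgrades half of the failing mail to quarantine, and how strict adkim rejects a signature from mail.example.com that relaxed aspf would still accept.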
How to generate a DMARC record?
There are 2 ways to generate a DMARC record: manually and using a DMARC record generator.
If you are generating a DMARC record manually, you can use any text editor to create the record. 3 tags are essential: v, p, and rua. The v tag must be DMARC1. Depending on the phase of your DMARC implementation, p can be none, quarantine, or reject. Finally, you can specify the mailbox of your choice using rua.
Using a tool like FREE DMARC record generator is easier and less error-prone. Enter the settings such as policy and aggregate report email address, then click the Generate DMARC Record button.
(This was sourced from DMARCLY.COM: https://www.dmarcly.com/blog/everything-about-a-dmarc-record )