What is a DMARC record?
What is a DMARC Record?
Everything you need to know about a DMARC Record!
A DMARC record is at the heart of a DMARC implementation, and it defines the rulesets and policies, that the recipient domains can then adhere to.
A DMARC record is a DNS (Domain Name Service) entry and it is created as a TXT record, on the location “_dmarc.domain.com” where the domain.com gets replaced by your own domain name.
The primary purpose of a DMARC record is to define the policy that ISPs, ESPs like Gmail, Gsuite, Yahoo, AOL, Exchange servers, Google workspace, Microsoft 365 domains among others can then follow, on their treatment of emails that fail authentication.
To generate your DMARC record easily, please visit our DMARC record generator.
This will result in the tracking of all emails sent to the organization’s domain, taking into account the DMARC policy of your domain. Since the DMARC record is in your DNS, it makes them instantly accessible to any mail server on the Internet. As long as it has access to DNS, a system can retrieve the DMARC record for your domain and use it to determine whether an email is authentic or not.
This will allow organizations issuing DMARC records to indicate how violations should be handled. These messages can be monitored (and delivered), quarantined, or rejected.
STOP HACKERS FROM SENDING EMAILS USING YOUR DOMAIN!
What does a DMARC record look like?
The DMARC record is in the form of a line of plain text. The text consists of a list of DMARC tags and values separated by semicolons. Some tags are mandatory and some are optional. A DMARC policy instructs the receiving servers on what action to take on messages that fail the authentication. The action to be taken is defined by the policy (p) tag when you define your DMARC record. Refer to the following example of a DMARC policy record. The v and p tags must be listed first, other tags can be placed in any order.
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org
Common Tags used in a DMARC record
The following table displays the common tags used in DMARC TXT records, along with their status, description, and values:
v: The Version (v) tag of DMARC provides DNS records as DMARC records for the receiving mail server and must exactly match the value of DMARC1. If the value of this tag is missing or not exactly DMARC1, then the record is not a DMARC record. In addition, this tag must be the first value in the list.
p: The required p-tag demonstrates the domain policy. It instructs the recipient to report, quarantine, or reject emails that fail authentication verification. The policy options are: None, Quarantine, or Reject.
pct: This tag specifies the percentage of unauthenticated messages that are subject to the DMARC policy. As you gradually implement DMARC, you can start with a small set of messages. As more messages from your domain pass the receiving server authentication, update your log with a higher percentage until it reaches 100%.
rua: RUA stand for ‘Reporting URL for Aggregate reports’. This tag is designed to receive reports about DMARC activity for your domain. An rua example is rua=mailto:email@example.com
ruf: Reporting URL for Forensic reports. This tag is used to specify the location to which you want to receive forensic reports or failure reports. An ruf example is ruf=mailto:firstname.lastname@example.org
sp: This tag defines the policy for subdomains. You can have a separate policy for subdomains, different from your primary domain.
aspf: The aspf tag represents alignment mode for SPF. It sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures.
adkim: Like aspf, the optional adkim tag is the alignment mode for the DKIM protocol.
How to create a DMARC record?
The DMARC record should be placed in the DNS of your domain. The TXT record name should be “_dmarc.yourdomain.com” where “yourdomain.com” is replaced with your actual domain name. Using a DMARC Generator, EmailAuth helps to easily generate the DMARC record of any domain. Users are allowed to use the DMARC generator to generate a sample DMARC record.
DKIM and SPF must be configured before deploying DMARC. DKIM and SPF should be validating email messages for at least 48 hours before DMARC is turned on. Once everything is in place, follow these steps to create a DMARC record:
Note: Perform these steps in the management console for your domain host.
Be ready with the text file or line that consists of your DMARC policy record.
Sign in to the management console for your domain host.
Find the page where you updated your DNS records.
Add your DNS TXT record, or update an existing record, by inserting your record in the TXT record for _dmarc.
4.1. In the first field, under the DNS Hostname, enter _dmarc.yourdomain.com. Note that some domain hosts automatically add the domain name after _dmarc. After you add the TXT record, verify the DMARC TXT record name for its correct formatting.
4.2. In the second field, enter the text for your DMARC record. For example:
Save your changes.
We have a whole list of easy to use DMARC configuration settings for ready access on various hosts, domain registrars, DNS providers like Godaddy, Name.com, Namecheap.com, Cloudflare and others. Click here for our DMARC set up Guides
How Does DMARC Help?
GLOBAL STATISTICS JUSTIFYING THE NEED FOR EMAIL AUTHENTICATION
DMARC has been adopted by the biggest email senders and email receivers globally. This includes Yahoo!, Google, and Microsoft, covering 85% of the consumer inboxes in the world.
The most important reason why DMARC should be used is that it gives an organisation full control on how their domain is being used. The organisation can also instruct the receivers on what actions should be taken if the incoming email is not legitimate and report the incident back to the organisation for further analysis.
It saves consumers from the trouble of identifying whether an email is legitimate or a spam. Sometimes it may happen that regardless of all the knowledge of email spoofing a receiver might fall into the trap. DMARC makes sure that this does not happen.