DMARC Records
Table of Contents
- What is a DMARC record?
- How DMARC works: building on SPF and DKIM
- Setting up, verifying, and monitoring DMARC
- Technical details
- Have more questions?
What is a DMARC record?
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is a powerful email authentication, policy, and reporting protocol. It builds directly upon the foundational email authentication methods of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide an overarching framework for email security.
Its primary purpose is to help email receivers determine if an incoming message legitimately aligns with what is known about the sender’s domain. This capability is critical for combating email spoofing, phishing attacks, and spam, helping ensure only authorized messages reach inboxes.
How DMARC works: building on SPF and DKIM
DMARC acts as a crucial layer of enforcement and feedback that works with SPF and DKIM. For DMARC to function effectively, your domain must have correctly configured SPF and DKIM records.
Authentication and alignment
When a mail server receives an email, it first checks the message’s SPF and/or DKIM status. DMARC then introduces the concept of alignment. It verifies that the “From” address (the one users see) in the email matches the domain that passed SPF authentication and/or the domain that signed the email with DKIM.
- SPF alignment: Checks if the visible “From” domain matches the domain used for the SPF check.
- DKIM alignment: Checks if the visible “From” domain matches the domain used for the DKIM signature.
If either SPF or DKIM passes and aligns with the visible “From” address, the message passes DMARC authentication.
Policy enforcement
Based on the DMARC record published in your DNS, you can instruct receiving mail servers what to do with messages that fail DMARC authentication and alignment.
These policies include:
- p=none: Monitor only; take no action.
- p=quarantine: Treat as suspicious; usually means placing in spam/junk folder.
- p=reject: Do not accept the message; bounce it back to the sender.
This allows domain owners to gradually ramp up their enforcement or maintain strict controls.
Reporting and feedback
DMARC provides a powerful feedback mechanism. You can specify email addresses in your DMARC record to receive aggregated reports (RUA) and/or forensic reports (RUF) about email traffic sent from your domain.
These reports provide invaluable insights into:
- Who is sending email claiming to be from your domain.
- Which emails are passing/failing SPF and DKIM.
- Where authentication failures are occurring.
This data helps you identify legitimate email streams that might need DMARC configuration adjustments and detect unauthorized use of your domain.
Key benefits of DMARC
Stronger anti-phishing and anti-spoofing: Provides a robust defense against impersonation.
Enhanced deliverability: Builds trust with receiving mail servers, improving inbox placement.
Brand protection: Prevents malicious use of your domain, safeguarding your brand reputation.
Visibility and control: The reporting feature gives you actionable data to understand your email ecosystem and enforce your sending policies effectively.
A DMARC record is published as a TXT record at a specific subdomain, typically _dmarc.yourdomain.com. The content of this TXT record contains all the DMARC policy tags and reporting addresses.
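The following is an added example, not DNSimple's code: it parses the content of a DMARC TXT record and applies the alignment and policy rules described above to one message's SPF and DKIM results. The aspf and adkim tags (relaxed or strict alignment) come from the DMARC specification rather than this page, and the function names, domains, and record are constructed for illustration.

```python
# Added example. Domains and records are constructed sample values.
# Not handled: sp= (subdomain policy), pct= (sampling), report delivery.

def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; raise ValueError if unusable."""
    pairs = [part.split("=", 1) for part in txt.split(";") if part.strip()]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("malformed tag, expected tag=value")
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    rec = dict(tags)
    rec["p"] = rec.get("p", "").lower()
    if rec["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return rec

def aligned(auth_domain, from_domain, org_domain, mode):
    """mode 's' (strict): exact match with the From domain.
    mode 'r' (relaxed): auth domain falls under the same organizational domain."""
    auth = auth_domain.lower().rstrip(".")
    if mode == "s":
        return auth == from_domain
    return auth == org_domain or auth.endswith("." + org_domain)

def evaluate(record_txt, from_domain, org_domain, spf, dkim):
    """spf / dkim: (result, authenticated_domain) from the receiver's own checks.
    org_domain: organizational domain of from_domain, supplied by the caller
    (assumption: deriving it needs the Public Suffix List).
    Returns (dmarc_pass, disposition)."""
    rec = parse_dmarc(record_txt)
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, org_domain, rec.get("aspf", "r").lower())
    dkim_ok = dkim[0] == "pass" and aligned(
        dkim[1], from_domain, org_domain, rec.get("adkim", "r").lower())
    passed = spf_ok or dkim_ok
    return passed, ("deliver" if passed else rec["p"])

RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # SPF passes for a third-party bounce domain (not aligned); DKIM signs as
    # mail.example.com, which strict adkim=s does not accept for example.com.
    print(evaluate(RECORD, "example.com", "example.com",
                   ("pass", "bounce.mailer.example"), ("pass", "mail.example.com")))
```

The case in the main block shows why a message can pass both SPF and DKIM and still fail DMARC: neither authenticated domain aligns with the visible “From” domain.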
Setting up, verifying, and monitoring DMARC
For step-by-step instructions on how to add a DMARC record to your DNSimple zone, including guidance on the required _dmarc subdomain and common policy tags, please refer to our dedicated How-To Guide: Setting Up DMARC.
To verify that your DMARC record is correctly published and configured, consult our How-To Guide: Verifying DMARC with dig and Online Tools. This covers using command-line tools like dig and online verification services.
Technical details
For more on the technical specifications and intricacies of the DMARC protocol, visit DMARC.org. They provide extensive resources, including links to the relevant RFCs.
Have more questions?
If you have additional questions or need any assistance with your DMARC records, just contact support, and we’ll be happy to help.