Marketing : DMARC Records

Matthew Nestor

In this article, we will discuss DMARC records. Using a DMARC record helps protect your domain from spam and spoofing and improves email deliverability and trust. DMARC is used with SPF or DKIM.


Prior to getting started, you will need to have the following:

  • A custom domain with access to DNS settings.
  • SPF or DKIM set up for the domain.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps receiving mail systems decide what to do with messages from your domain that fail SPF or DKIM checks. It also validates the From Address and sends reports about DMARC results.


What is a DMARC record?

A DMARC record is a TXT-type DNS record that contains the policy to follow and determines where to send DMARC reports. Every DMARC record starts with the protocol version tag “v”. Tags are separated by a semicolon.

Here is an example of a DMARC record. We will discuss each tag in later sections:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;"


Which email headers are checked?

DMARC focuses on the domain found in the “From” or “Header from” header (RFC5322.From), which is visible to the end users in their email clients. In this article, we will refer to it as “From.”


How does it work?

Authentication

The receiving server will first check if either SPF or DKIM PASSED. Then it will check if the Return-Path domain used by SPF (if SPF passed), or the “d=” domain used by DKIM (if DKIM passed), aligns with the “From” domain. Finally, it will extract the DMARC policy published in the DNS record for the domain found in the “From” address and comply with the policy.

The overall logic is:

  • If SPF PASSED and ALIGNED with the “From” domain, then DMARC will PASS.
  • If DKIM PASSED and ALIGNED with the “From” domain, then DMARC will PASS.
  • If both SPF and DKIM FAILED, then DMARC will FAIL.

So DMARC not only requires that either SPF or DKIM PASS, but it also requires the domains used by either one (whichever one passed) to ALIGN with the domain found in the “From” address. Only then will DMARC Authentication PASS.

The alignment mode can be set for SPF and DKIM separately. By default, relaxed alignment mode is used, which accepts a subdomain of the “From” domain in the SPF and DKIM checks. Strict alignment mode, on the other hand, requires the domains to match exactly; otherwise the DMARC Authentication check will not PASS.

When setting the alignment mode, a value of “r” means relaxed mode, and a value of “s” means strict mode.

To set the SPF alignment mode, use the “aspf” tag:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;aspf=s;"

To set the DKIM alignment mode, use the “adkim” tag:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;adkim=s;"
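The authentication and alignment logic described above, as an added example that is not part of the original article: a small parser for the DMARC TXT record tags shown here (v, p, aspf, adkim, and the rest) and a function that applies the SPF/DKIM pass-plus-alignment rule. The organizational-domain helper is simplified to the last two labels; a real receiver uses the Public Suffix List, and that is an assumption noted in the code.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict.
    The first tag must be v=DMARC1 and p= is required (RFC 7489)."""
    tags = [t.strip() for t in record.strip().strip('"').split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    pairs = {}
    for tag in tags:
        name, _, value = tag.partition("=")
        pairs[name.strip().lower()] = value.strip()
    if "p" not in pairs:
        raise ValueError("DMARC record needs a p= policy tag")
    return pairs


def org_domain(domain):
    """Organizational domain, simplified here to the last two labels.
    Assumption: a real receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') also accepts subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (result, policy). result is 'pass' if SPF or DKIM passed AND its
    domain aligns with the From domain; policy is the p= action for failures."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail"), tags["p"]


if __name__ == "__main__":
    # Constructed case: SPF passes on a subdomain Return-Path while aspf=s,
    # DKIM signs the exact From domain, so DMARC passes on the DKIM path.
    rec = "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;aspf=s;"
    print(dmarc_result(rec, "mydomain.com", "pass", "mail.mydomain.com", "pass", "mydomain.com"))
```

Swap `aspf=s` for the default relaxed mode in the sample record and the same subdomain Return-Path aligns on its own, which is the difference between the two modes the text describes.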

Reporting

Whenever an email is sent using your domain name and DMARC is checked, the result (pass or fail) is added to an aggregate report which is periodically sent to an email address specified in the record using the “rua” tag. The email address should belong to the same domain; otherwise, you must be able to configure additional DNS records on the email domain you specify.

You can also define the interval at which aggregate reports are sent by using the “ri” tag. By default, it is 86,400 seconds, which equals 24 hours.

Example:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com; ri=86400;"

In addition to the aggregate reports, forensic reports can be sent for failures by using the “ruf” tag. Forensic reports are essentially a copy of the failing email message, which can be used for investigation. Not all ISPs send these reports, as they could contain privacy-sensitive information. Just like the aggregate report address, the email address you specify for forensic reports should belong to the same domain; otherwise, you must be able to configure additional DNS records on the email domain you specify.

Example:

"v=DMARC1;p=reject;pct=100;ruf=mailto:postmaster@mydomain.com;"

Conformance (Policy)

The DMARC policy tells the receiving server how to handle messages that fail the DMARC check described above.

  • “none” means that all emails will be delivered, even if the checks fail (this is not recommended).
  • “quarantine” means the receiving server is advised to send emails that failed the checks to the recipient’s spam folder.
  • “reject” means that the receiving server should reject the email outright if it fails the checks, resulting in a bounce (this is the preferred option once everything is working correctly).

The policy can be set using the “p” tag:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;"

You may also specify what percentage of your email traffic you want to be verified with DMARC by using the “pct” tag. By default, this is 100%:

"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@mydomain.com;"

Some people like to start with a policy of “quarantine” and a low “pct” percentage value (maybe 50 or less) while they test out their settings to make sure they are configured correctly. Once everything is verified to be working and passing correctly, it is recommended to switch to the “reject” policy and to remove the “pct” tag (which will use 100 by default).


Conclusion

Congratulations! You now have the information necessary to configure a DMARC record for your domain that suits your needs.

