DMARC record

This post is also available in: Czech Polish

In addition to the basic DNS authentication records such as SPF and DKIM, the DMARC record has recently become increasingly popular. Below you will find all the information you need on how it can help you in your email marketing.

Basic DMARC Setup

The minimum recommended form of DMARC record setup can be found in this article.

What it is used for

DMARC, which stands for “Domain-based Message Authentication, Reporting, and Conformance,” is a standard designed to protect email domains from phishing attacks and sender impersonation (spoofing). This standard allows domain owners to specify how emails that appear to originate from their domain should be authenticated.

DMARC works in conjunction with technologies such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). A DMARC record is a DNS record that contains the rules for email authentication and defines how emails that do not conform to these rules should be handled.

The DMARC record may contain several key pieces of information, including:

  1. Policy: Specifies what the recipient should do with an email that fails authentication (for example, reject it or deliver it automatically to the spam folder).

  2. Reporting: Specifies how and where authentication reports should be sent. These reports can help domain owners keep track of who has tried to send email on behalf of their domain and how often.

Adding a DMARC record to a domain’s DNS settings is one step organizations can take to enhance the security of their email communications and prevent impersonation of their domain.

How to set it up

Since this is a standard DNS record of type TXT, you simply enter it in your domain administration (typically in the hosting management interface). Below is an example of a generic DMARC record format:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:report@example.com; ruf=mailto:forensic@example.com"

Where:

  • _dmarc.example.com. is the DNS name of the record: the _dmarc subdomain of the domain the policy applies to (here example.com). The record must be published at exactly this name.

  • v=DMARC1 indicates the version of DMARC you are using.

  • p=quarantine specifies the policy for emails that do not pass authentication. In this case, such emails are sent to quarantine. The possible values of p are:

    • none – no action is taken; an email that fails authentication is delivered as usual and is only recorded in the reports. This is the minimum policy currently required by Gmail and Yahoo.
    • quarantine – the email is automatically placed in the Spam folder.
    • reject – the email is not accepted by the server and therefore not delivered. This is the safest option in terms of protecting the sender’s reputation.

  • rua=mailto:report@example.com tells where aggregated authentication reports should be sent. In this case, the reports are sent to report@example.com.

  • ruf=mailto:forensic@example.com specifies where to send forensic reports (detailed logs) for individual emails that have failed authentication. The address forensic@example.com is a sample address for receiving forensic messages in this case.  

The complete DMARC record specification can be found in RFC 7489.

Common practice with DMARC deployment

Because the sender typically does not control all messages leaving the domain, it is recommended to start with a “none” policy. This ensures that mail which fails authentication continues to be delivered, for example corporate communications or transactional emails where the proper domain signature is sometimes forgotten. After a few weeks, the DMARC reports give you a detailed overview of all outgoing mail that is not properly authenticated. Among it you can find both poorly secured corporate communications and possible misuse of your domain by third parties.

Processing Reports

DMARC reports need to be processed by automated tools that produce human-readable reports and graphs. For this purpose, we recommend, for example, the Dmarcian tool, which also provides a free trial.

Once you have fixed all the cases found, the policy can be changed to the more stringent “quarantine” mode or directly to “reject”.

Current situation

Google and Yahoo have decided that, starting in 2024, bulk newsletter senders must have a DMARC record with at least the policy p=none. More information can be found in our blog article.

If you would like to have your logo displayed next to the sender’s email in Gmail, for example, this can be arranged using a so-called BIMI record. For it to be processed, the DMARC policy must, among other things, be set to p=quarantine or p=reject.

Need help?

If you have any questions about DMARC records or good deliverability in general, please feel free to contact our support.

Updated on January 12, 2024
