What Is a DMARC Record? (+ DMARC Record Generator)

If your business sends more than 5000 emails daily, DMARC is no longer optional. 

Domain-based Message Authentication, Reporting and Conformance (DMARC) tells receiving mail servers how to handle messages from your domain that fail two other important email authentication standards: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Major email providers have mandated DMARC for all bulk email senders to prevent phishing and email spoofing.

Your question might be, “Well, how do I enable DMARC on my domain?” Simple — you add a DMARC record to your website’s domain name system (DNS) record manually or with specialized DMARC software.

Emails that fail the checks specified in your DMARC record might be attempts to impersonate your business, or they may come from servers you never authorized. Either way, they can damage your domain’s reputation.

To avoid this, the DMARC record instructs email providers on how to handle failed messages – do nothing, send them to spam, or reject them – and report back to you.

The DMARC record also specifies where providers should send DMARC reports about the failed messages. In this way, DMARC provides domain-level protection against phishing, spoofing, and business email compromise, which safeguards your domain’s reputation and improves email deliverability.

Read on to learn how to create one for your domain. If you want a primer on the topic before jumping into DMARC record, read our beginner’s guide to DMARC.

DMARC record format

A DMARC record is a single line of plain text published as a DNS TXT record. Its syntax comprises a host/name and a series of tag-value pairs separated by semicolons:

1. Host/name defines the location of the record within your domain’s DNS settings. It typically follows the format:

_dmarc.yourdomain.com

  • The leading underscore (_) signifies it’s a special record type for DMARC.
  • yourdomain.com is replaced with your actual domain name.

For example, our host/name would be: _dmarc.g2.com

Often, you only need to add _dmarc in your DNS settings under the Host option. 

2. Tag-value pairs define your DMARC policy and tell receiving email servers how to handle messages that claim to come from your domain. Each pair consists of:

  • A tag, a single letter representing a specific function within the DMARC record. For example, tag p denotes the DMARC policy value, and tag v denotes the DMARC protocol version. 
  • The value, which defines the behavior associated with the tag. Depending on the tag, values can come in the form of text strings, numbers, or email addresses. For instance, you can assign three values to tag p: none, quarantine, or reject. 

DMARC record example

Let’s consider a domain called Skynet. Here’s a simple example of its DMARC record:

Host: _dmarc

TXT record: v=DMARC1; p=none; rua=mailto:dmarc-reports@skynet.com;

This record has three tag-value pairs: the version tag v, the policy tag p, and the aggregate-report tag rua, with the values DMARC1, none, and mailto:dmarc-reports@skynet.com respectively. Together they define the following policy:

  • v=DMARC1: DMARC protocol version 1 is used. This is the default for any DMARC record. 
  • p=none: This sets the policy to “none,” meaning receiving mail servers take no action on messages that fail authentication but still send reports to the address specified in the rua tag.
  • rua=mailto:dmarc-reports@skynet.com: DMARC aggregate reports will be sent to the email address “dmarc-reports@skynet.com”.

The two tags, version v and policy p are compulsory and must be listed first in any DMARC record. You can add other optional tags in any order. Major email providers like Yahoo! Mail, Gmail, and Microsoft Outlook generally recommend including the aggregate report or rua tag in the DMARC record.


All DMARC record tags explained

Apart from version and policy tags, which are compulsory, there are nine other optional DMARC tags you should know about before creating your DMARC record. 

Tag Description
v

The v tag specifies the version of the DMARC protocol. It must be the first tag in the record. The value is always DMARC1.

p

The p tag defines the policy for handling emails that fail DMARC checks. Here are the possible values.

  • p=none (monitor only): No action is taken on failures, but reports are still sent to the email address mentioned in the rua tag. This is a good starting point for monitoring.
  • p=quarantine: Emails failing authentication are marked as spam and sent to the Junk or Spam folder, where the receiver can review it.
  • p=reject: Emails failing authentication are rejected outright, and the receiving server usually sends a bounce message to the sending server.

This tag is mandatory and should follow the version tag.

rua

The rua tag specifies the email address(es) to receive aggregate DMARC reports.

Aggregate DMARC reports list the failed messages and which authentication they failed. The email addresses follow the prefix “mailto:” and are separated by a comma.

Example: rua=mailto:dmarc-admin@skynet.com, mailto:dmarc-reports@skynet.com;

This tag is optional but recommended by all major email providers for security.

ruf

The ruf tag specifies the email address(es) to receive forensic DMARC reports. Forensic reports, also called DMARC failure reports, include the From and To addresses, the subject line and message ID, the time of the message, and other details about each failing message. The syntax is the same as for the rua tag.

Example: ruf=mailto:dmarc-forensic-report@skynet.com

This tag is optional. Gmail doesn’t support the ruf tag.

adkim

This tag specifies the DKIM alignment policy, defining how strictly the email information must match DKIM signatures. There are two possible values.

  • adkim=s for strict alignment: the domain in the email “From” header must exactly match the DKIM signature d=domainname. No subdomains are allowed.
  • adkim=r for relaxed alignment: any subdomain of the domain mentioned in the DKIM signature (d=domainname) is allowed. 

Example: If the DKIM signature carries d=skynet.com and the “From” address is @mail.skynet.com, strict alignment does not consider this a match, and the DKIM alignment check fails. The same message passes if the DKIM alignment is relaxed.

This tag is optional but recommended for strong email security.

aspf

The aspf tag specifies the SPF alignment policy, defining how strictly the mail information must match the SPF signature. Like the adkim tag, it has two possible values.

  • aspf=s for strict alignment: the domain in the Mail From address must exactly match the domain in the email From: header for the SPF check to pass.
  • aspf=r for relaxed alignment: subdomains of the domain in Mail From address are allowed. This is the default option assigned for the tag.

The tag is also optional but recommended by email providers.

Example: If the Mail From (envelope sender) domain checked by SPF is mail.skynet.com and the “From” address is @skynet.com, strict alignment does not consider this a match, and the SPF alignment check fails. The same message passes if the SPF alignment is relaxed.
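The adkim and aspf examples above come down to one comparison: the domain in the From: header against the domain that DKIM (d=) or SPF (Mail From) actually authenticated. The following Python is an added example, not code from the G2 article: it implements that comparison for strict and relaxed modes and then combines the two results the way a receiving server does, so that a message passes DMARC only when at least one mechanism both passed and is aligned. The organizational_domain helper is a deliberate simplification (last two labels) standing in for the Public Suffix List a real receiver consults; the function names are this example's own.

```python
"""DMARC identifier alignment (adkim / aspf). Added example; not the article's code."""
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (skynet.com for mail.skynet.com).

    Assumption: a real receiver uses the Public Suffix List so that names such as
    example.co.uk resolve correctly; that list is omitted to keep the example offline."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """Compare the From: header domain with an authenticated domain (DKIM d= or SPF Mail From).

    mode 's' (strict): the two domains must be identical.
    mode 'r' (relaxed): they only need to share an organizational domain."""
    hf = header_from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(ad)
    raise ValueError("alignment mode must be 's' or 'r'")


def evaluate_dmarc(header_from_domain: str,
                   dkim_domain: Optional[str], dkim_pass: bool,
                   mailfrom_domain: Optional[str], spf_pass: bool,
                   adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when at least one mechanism passed *and* is aligned with the From domain.

    A DKIM or SPF pass for some unrelated domain contributes nothing."""
    dkim_aligned = bool(dkim_pass and dkim_domain
                        and is_aligned(header_from_domain, dkim_domain, adkim))
    spf_aligned = bool(spf_pass and mailfrom_domain
                       and is_aligned(header_from_domain, mailfrom_domain, aspf))
    return {"dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned}


if __name__ == "__main__":
    # The article's two examples: strict fails, relaxed passes.
    print("DKIM d=skynet.com, From @mail.skynet.com: strict",
          is_aligned("mail.skynet.com", "skynet.com", "s"),
          "relaxed", is_aligned("mail.skynet.com", "skynet.com", "r"))
    print("Mail From mail.skynet.com, From @skynet.com: strict",
          is_aligned("skynet.com", "mail.skynet.com", "s"),
          "relaxed", is_aligned("skynet.com", "mail.skynet.com", "r"))
```

The evaluate_dmarc call is where spoofed mail is caught: a message with a From: of skynet.com whose SPF and DKIM both pass for some other domain the sender controls still fails DMARC, because neither identifier aligns.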

pct

The pct tag specifies the percentage of unauthenticated messages subjected to the DMARC policy. It can be any whole number from 1 to 100.

The default value is 100%, meaning all unauthenticated messages are subject to the DMARC policy.

sp

The sp tag specifies the policy for handling emails from subdomains. Like the policy tag, the sp has three possible values: none, quarantine, or reject.

This tag comes in handy if you have subdomains for which you want a different DMARC policy. If you don’t mention the specific policy for the subdomain with an sp tag, it inherits the DMARC policy of the parent domain itself.

fo

The failure reporting options, or fo, tag specifies options for generating failure reports. The tag can take one or more of the following values:

  • fo=0 generates a failure report if both SPF and DKIM alignments fail.
  • fo=1 generates a failure report if any one of the SPF or DKIM alignments fails.
  • fo=s generates a failure report for SPF check failure. 
  • fo=d generates a failure report for DKIM check failure.

You can combine multiple options to customize the failure reporting behavior with a colon in between the values.

Example: fo=0:d generates reports for messages that fail both SPF and DKIM authentication together, as well as for any DKIM-specific failures.

You can skip this tag if you don’t need it. 

ri

The report interval, or ri, tag specifies how often aggregate reports should be sent, in seconds. Aggregate reports are normally generated once a day, so the default value is 86,400 seconds (one day).

The ri tag is optional.

rf

This report format tag is optional; it specifies the format for the generated DMARC report. Currently, there’s only one accepted format – authentication failure reporting format (afrf). So, by default, the tag is written as rf=afrf.
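The record format described under “DMARC record format” and the tag table above translate directly into a small validator. The following Python is an added example, not code from the G2 article or from any DMARC product it mentions: it splits a TXT record into its ordered tag-value pairs, checks that v=DMARC1 comes first and that p is present, and validates the values of the optional tags covered in this section (policy names, alignment modes, the pct range, fo options, the ri and rf values, and mailto: addresses in rua and ruf). Function names such as validate_dmarc_record are this example's own.

```python
"""Parse and validate a DMARC TXT record. Added example; not code from the G2 article."""
import re
from typing import List, Tuple

# Allowed values per tag, following RFC 7489 section 6.3.
POLICY_VALUES = {"none", "quarantine", "reject"}
ALIGNMENT_VALUES = {"r", "s"}
FO_VALUES = {"0", "1", "d", "s"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "ri", "rf"}
# A mailto: URI, optionally followed by the "!10m"-style report size limit of RFC 7489.
MAILTO_RE = re.compile(r"^mailto:[^@\s,;!]+@[^@\s,;!]+(![0-9]+[kmgt]?)?$")


def parse_dmarc_record(txt: str) -> List[Tuple[str, str]]:
    """Split 'v=DMARC1; p=none; rua=mailto:x@y' into ordered (tag, value) pairs.

    Order is kept because the v tag has to come first."""
    pairs = []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue                      # tolerate a trailing semicolon
        if "=" not in chunk:
            raise ValueError(f"malformed tag-value pair: {chunk!r}")
        tag, value = chunk.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def validate_dmarc_record(txt: str) -> List[str]:
    """Return a list of problems; an empty list means the record is well formed."""
    try:
        pairs = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)
    problems: List[str] = []

    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("mandatory p tag is missing")
    elif len(pairs) < 2 or pairs[1][0] != "p":
        problems.append("p tag should directly follow the v tag")   # convention used in the article
    elif tags["p"] not in POLICY_VALUES:
        problems.append(f"invalid p value {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICY_VALUES:
        problems.append(f"invalid sp value {tags['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT_VALUES:
            problems.append(f"{tag} must be r or s")
    # RFC 7489 allows 0 to 100; a trailing % sign (pct=100%) is not a valid value.
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be a whole number from 0 to 100 with no % sign")
    if "fo" in tags:
        unknown = set(tags["fo"].split(":")) - FO_VALUES
        if unknown:
            problems.append(f"unknown fo option(s): {sorted(unknown)}")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be a number of seconds")
    if "rf" in tags and tags["rf"] != "afrf":
        problems.append("rf only supports afrf")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not MAILTO_RE.match(uri):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    for tag, _ in pairs:
        if tag not in KNOWN_TAGS:
            problems.append(f"unknown tag {tag!r}")
    return problems


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@skynet.com;",
                   "v=DMARC1; p=none; rua=mailto:dmarc-report@skynet.com; pct=100%;"):
        print(record, "->", validate_dmarc_record(record) or "OK")
```

Running it on a record that carries pct=100% reports a problem: the percentage is copied from prose with the sign attached, but the tag takes a bare number, and a receiver that applies the RFC grammar strictly will treat the tag as invalid.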

Note that your DMARC reports come in XML format, and manually reading this data is cumbersome. Consider using DMARC software to automatically parse reports, generate data visualizations, and offer additional features to optimize DMARC management.
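Aggregate reports arrive as XML in the layout given in RFC 7489 Appendix C (report metadata, the published policy, then one record per sending source). The following Python is an added example, not code from the G2 article or from any DMARC product it lists: it parses a constructed sample report for skynet.com, with invented source addresses from the documentation ranges, and summarizes message counts, the pass rate, and the sources whose mail failed, which are the insights the verification step later in this article says to look for. The pass/fail decision reads the policy_evaluated element, which carries the aligned results; the second sample record therefore shows SPF passing for an unrelated domain and still failing DMARC.

```python
"""Summarize a DMARC aggregate (rua) report. Added example; not the article's code."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample in the RFC 7489 Appendix C layout; IPs are documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>skynet.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>skynet.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>skynet.com</domain><result>pass</result></dkim>
      <spf><domain>skynet.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>skynet.com</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate per-source counts and an overall pass rate from one rua report."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    sources: dict = {}
    total = passed = 0
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* DKIM and SPF results; DMARC passes on either.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"messages": 0, "failed": 0,
                                        "dispositions": set(), "header_from": set()})
        entry["messages"] += count
        entry["failed"] += 0 if dmarc_pass else count
        entry["dispositions"].add(evaluated.findtext("disposition"))
        entry["header_from"].add(record.find("identifiers").findtext("header_from"))
        total += count
        passed += count if dmarc_pass else 0
    return {
        "domain": policy.get("domain"),
        "policy": policy.get("p"),
        "total": total,
        "passed": passed,
        "failed": total - passed,
        "pass_rate": round(100 * passed / total, 1) if total else 0.0,
        "sources": sources,
    }


def failing_sources(summary: dict) -> List[str]:
    """Source IPs that sent at least one message failing DMARC, largest failure count first."""
    failing = [(ip, s["failed"]) for ip, s in summary["sources"].items() if s["failed"]]
    return [ip for ip, _ in sorted(failing, key=lambda item: -item[1])]


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['domain']} (p={summary['policy']}): {summary['passed']}/{summary['total']} "
          f"passed ({summary['pass_rate']}%)")
    for ip in failing_sources(summary):
        print("failing source:", ip, summary["sources"][ip])
```

Each failing source is then a decision: either it is a legitimate service that needs its SPF entry or DKIM signing fixed before the policy moves to quarantine, or it is a server that has no business sending as your domain and is exactly what the stricter policy will stop.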

Top 5 DMARC software

These top 5 DMARC software make DMARC configuration easy.

*These are the top 5 DMARC software according to G2’s Summer 2024 Grid Report.

How to create a DMARC record

While the DMARC sounds technical, creating a DMARC record is relatively easy. We’ll create a DMARC record for skynet.com and add it to the DNS records. Replace “skynet.com” with your domain name when you do yours.

How to add a DMARC record

  1. Set up SPF and DKIM authentication.
  2. Set up a dedicated email box.
  3. (optional) Check to see if you already have DMARC for your domain using a DMARC checker.
  4. Define your DMARC policy.
  5. Copy the DMARC record below or generate one using a DMARC record generator.
  6. Log into your domain hosting account and find the DNS section.
  7. Add TXT record and save.
  8. Verify your published record using a DMARC checker.
  9. Monitor DMARC reports for the next seven days.
  10. Update to a strict DMARC policy if no issues arise.

Let’s detail each step of the process.

1. Set up SPF and DKIM authentication for your domain

If you don’t set up SPF and DKIM before enabling DMARC, messages that come from your domain will probably have delivery issues. 

If you use a third-party service provider like an email marketing tool, sales and CRM platforms, and customer support solutions to send your emails, contact them to confirm that DKIM is set up correctly. The provider’s sender domain should match yours. Add to your domain’s SPF record the IP address of the servers your third-party provider uses to send messages. 

Tip: Allow 48 hours after adding SPF and DKIM records to your DNS before setting up DMARC to avoid any DNS propagation issues.

2. Set up a dedicated mailbox or group

Depending on how many emails your organization sends, the DMARC report emails might overwhelm your inbox. Create a dedicated email ID exclusively for DMARC reports. It can be a simple dmarc-report@yourdomain.com.

Tip: Set up a separate mailbox for receiving forensic reports if you opt for them.

3. Check if you have DMARC

This one is optional, but if you’re unsure whether your domain already has DMARC enabled, check it using an online DMARC checker tool. I used EasyDMARC’s DMARC lookup tool to check the domain skynet.com and got the error message. That means we definitely need to set up DMARC here.

DMARC lookup

Source: Screenshot from EasyDMARC

4. Define your DMARC policy

As mentioned earlier, you can generate a DMARC record manually or by using an online DMARC record generator. But for both options, you must be clear about your DMARC policy, alignment options, and email in order to get reports.

Major mail providers recommend starting with a relaxed DMARC policy so let’s choose p=none and apply it to all emails sent from our domain skynet.com. We won’t mention anything about SPF and DKIM alignment or subdomain policy at this point.

5. Generate a DMARC record

Copy the following DMARC record and replace the domain name.

Host: _dmarc

TXT record: v=DMARC1; p=none; rua=mailto:dmarc-report@skynet.com; pct=100;

Alternatively, you can also use our free DMARC record generator here to create a record similar to the example above.


6. Log into your domain hosting account

To edit your DNS records and add the DMARC record, log into your website host. If you're unsure where the DNS records are, here are the common places to look based on your domain setup:

  • Domain registrar or web host:
    • Log in to your registrar’s or the web host’s account and search for sections related to "DNS," "Domain Management," or "Advanced Settings". For example, in GoDaddy, you’ll find the DNS option next to your domain name under the “My Products” tab once you log in.
  • CDN provider:
    • If you're using a CDN like Cloudflare or Akamai for your website, your DNS records might be managed within the CDN settings. Consult your CDN provider's documentation to locate your DNS management section.

7. Add TXT record and save

Once you find out where to add a DNS record, select “TXT” under record type and enter the details of your TXT record:

  • Record type: TXT
  • Host/Name: _dmarc
  • Value: v=DMARC1; p=none; rua=mailto:dmarc-report@skynet.com; pct=100;

While not essential, you can set the Time To Live (TTL) value for your DMARC record. The TTL determines how long other DNS servers cache the record before querying your DNS provider for it again. Leaving the TTL on automatic is fine; it is typically 4 hours.

Save the changes and wait for the DNS propagation, which can take up to 48 hours. 

For instance, here’s how you publish DMARC records in BlueHost:

  • Once you log in to your BlueHost account, go to Domains and click on the DNS tab.

How to add DMARC record in BlueHost

Source: Screenshot from BlueHost

  • Scroll down to TXT and click on Add Record.

How to add DMARC record in BlueHost

Source: Screenshot from BlueHost

  • Add the Host Record, TXT Value of your DMARC record and set the Time To Live to default option, which is four hours here. 

How to add DMARC record in BlueHost

Source: Screenshot from BlueHost

GoDaddy also has a similar process. Log in to your GoDaddy account and go to Domain Portfolio. Under Domain Name, select your domain, and then select DNS. Choose Add New Record and enter the DMARC record details. Click Save.

The DMARC setup steps match other domain registrars or hosts and CDNs, including:

  • Cloudflare
  • SiteGround 
  • NameCheap

Important: The steps outlined are generalities. If you’re unclear about anything, please refer to the documentation of your web host, domain registrar, or CDN provider for specific instructions.

8. Verify your record

Use any one of the DMARC checkers mentioned above to verify that you have published the record correctly. In a few days, you’ll start getting DMARC reports in your dedicated mailbox.

Reviewing the DMARC reports gives insights into: 

  • The servers that send mail for your domain
  • The percentage of messages from your domain that fail DMARC
  • The servers or services that send failed messages.

9. Monitor and move to a strict DMARC policy

Monitor your DMARC reports for seven days, and if your emails haven’t experienced any major issues, implement a stricter policy of p=quarantine.

Here’s a DMARC record for quarantine policy.

v=DMARC1; p=quarantine; rua=mailto:dmarc-report@skynet.com; pct=10;

For this case, the DMARC policy applies to 10% of your emails, and the messages that fail DMARC checks will be sent to the receiver’s spam folder. 

If you’re a large organization, start with a percentage of 5% and increase it gradually. Publish the record and monitor the DMARC reports to find out how many emails are failing DMARC checks. When most of your emails pass the DMARC checks, enforce the p=reject policy.

Here’s a DMARC record for a reject policy.

v=DMARC1; p=reject; rua=mailto:dmarc-report@skynet.com;

This applies to all emails in your domain. Any message that fails DMARC will be rejected outright and you’ll get aggregate reports about the failed emails.


Frequently asked questions (FAQ) on DMARC record

Q. How do you generate a DMARC record?

A. You generate a DMARC record manually or by using an online DMARC record generator. 

Q. How many DMARC records can I have?

A. You can only have one DMARC record for your domain.

Q. How long does DMARC take to propagate?

A. Your DMARC record can take anywhere from a few hours to 48 hours to spread across DNS servers. In most cases, it should be updated within 24 hours.

Q. What happens if there is no DMARC record?

A. If there's no DMARC record for personal email users, there’s no issue. However, for bulk email senders, if your domain does not have a DMARC record, several issues can arise. Firstly, your domain becomes more vulnerable to email spoofing and phishing attacks because no policy exists to verify the authenticity of emails sent from your domain.

Additionally, the lack of DMARC can result in lower email deliverability rates, as email providers are more likely to flag your emails as spam or reject them altogether due to the absence of proper authentication measures.

Take control

By implementing DMARC, you significantly enhance your domain’s reputation and safeguard against email fraud. A phased approach allows for careful monitoring and adjustments, ensuring a smooth transition to a secure email environment. Remember, DMARC is not a one-time setup; regular review and updates are essential to maintain optimal protection.

Want to take one more step toward enhanced email security? Explore brand indicators for message identification (BIMI), the latest email authentication standard that all businesses are adopting.

Source: https://learn.g2.com/dmarc-record