DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used in conjunction with SPF and DKIM to help protect against email spoofing and phishing attacks. Spoofing happens when a scammer edits the From field of an email message to impersonate someone from within your domain. DMARC uses a policy that is given by your email provider. This policy tells the receiving email host how to treat emails sent from your domain based on the criteria that you set in the DMARC DNS record. Enabling a DMARC policy also gives you reports that show what your domain is sending and how receiving mail hosts are treating email messages from your domain.
DMARC enforces SPF and DKIM. DMARC is useful only if a domain owner has already set up SPF and DKIM records. Before creating and getting ready to deploy DMARC, you must first create an SPF record, then create a DKIM record, and lastly create a DMARC record policy. The policy allows you to decide how to handle email that fails SPF or DKIM and is not DMARC compliant.
Example DMARC policies
These are some example policies and how they appear in the DNS TXT record.
DMARC Policy action | DMARC TXT record |
---|---|
No action taken on messages that fail the DMARC check. Email a daily report to dmarc@yourdomain.com. | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
Deliver 10% of the messages that fail the DMARC check in recipients' spam folders. Email a daily report to dmarc@yourdomain.com. | v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com |
Reject 100% of messages that fail the DMARC check. Email a daily report to two addresses: postmaster@yourdomain.com and dmarc@yourdomain.com. Failed messages (email that fails DMARC) result in an SMTP bounce back message to sender. | v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com, mailto:dmarc@yourdomain.com |
Add a TXT record to turn on DMARC
To turn on DMARC, update your domain settings with a DNS TXT record. When you first introduce the policy, set enforcement to none (p=none) so that there are no adverse effects on the delivery of legitimate email while you are starting out. This helps ensure everything is working properly and you don't accidentally send all your outbound email to the spam folder.
Follow these steps to add a DMARC TXT record for your domain:
- Log in to the Client Area and click the domains tab.
- Find the domain name you wish to edit from the list and select Manage Domain from the drop-down.
- On the left overview menu, select DNS Management.
- Select txt as the record type and enter the DMARC policy you have chosen, replacing the example domain and values with your own.
The example DMARC record below is a good place to start, although no action is taken other than sending the reports.
Host Name | Record Type | Address |
---|---|---|
_dmarc | SPF (txt) | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
DMARC TXT record values explained
Tag Name | Required | Description and values |
---|---|---|
v | Required | Protocol version. Must be DMARC1. |
p | Required | Defines how your domain handles suspicious messages: |
pct | Optional | Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check and are quarantined or rejected based on the policy you set. Must be a whole number between 1 and 100. The default is 100. |
rua | Optional | Email address to receive DMARC reports for your domain. Use an email alias or create a new email address to receive these reports. The email address must include mailto:, for example: mailto:dmarc-reports@yourdomain.com. To send the report to more than one email address, separate the addresses with a comma. Use no more than 2 addresses, as some services have been reported to ignore more than 2 DMARC notifications. |
sp | Optional | The subdomain policy is applied to all subdomains of the domain. It uses the same format as the p value above. |
adkim | Optional | This value allows you to set strict ( |
aspf | Optional | This value has the same settings and impact as the DKIM value above, but is for SPF instead. |
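Before publishing a record, you can check it against the tag rules in the table above. The script below is an added example, not code from this provider; the names parse_dmarc and lint_dmarc are hypothetical, and the check that v comes first follows the DMARC specification (RFC 7489) rather than anything stated on this page.

```python
"""Lint a DMARC TXT record value before publishing it (added example)."""

POLICIES = {"none", "quarantine", "reject"}  # policy values used in the examples above


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is harmless
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of problems; an empty list means the record passes."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    for tag in ("p", "sp"):  # sp uses the same format as p
        if tag == "p" and tag not in tags:
            problems.append("p is required")
        elif tag in tags and tags[tag].lower() not in POLICIES:
            problems.append(f"{tag} must be one of none, quarantine, reject")
    pct = tags.get("pct", "100")  # default is 100; range as given in the table
    if not (pct.isascii() and pct.isdigit() and 1 <= int(pct) <= 100):
        problems.append("pct must be a whole number between 1 and 100")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if any(not u.lower().startswith("mailto:") for u in uris):
        problems.append("every rua address must include mailto:")
    if len(uris) > 2:
        problems.append("more than 2 rua addresses; some receivers ignore extras")
    return problems


if __name__ == "__main__":
    # Constructed sample: pct out of range and rua missing the mailto: prefix.
    print(lint_dmarc("v=DMARC1; p=quarantine; pct=150; rua=dmarc@yourdomain.com"))
```

An empty list means the record satisfies every rule checked here; it does not confirm that SPF and DKIM are set up for the domain.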