What is DMARC and how to configure it?

What is DMARC

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email authentication, policy, and reporting protocol. It builds on the widely used SPF and DKIM protocols to improve and monitor the protection of a domain from fraudulent email, adding links to the FROM domains, published policies for recipient handling of authentication failures, and reporting from receivers to senders.

It also allows a domain owner to request notifications about emails that look like they’re sent from their domain, but they aren’t correctly authenticated.

Setting up a DMARC record

In the DMARC TXT record, the DMARC policy is defined. Configuring a DMARC policy sets the level of stringency for checking messages and what actions are recommended for a server receiving a message if authentication fails.

To set up basic DMARC functions, you need to add the appropriate record in your domain’s DNS server settings. Prepare a TXT record defining the basic text for the DMARC record and then add or update this file in your domain delivery DNS settings from which your email marketing campaigns are sent.

A DMARC policy can be set in one record. Here’s an example of the simplest record that can be used:

v=DMARC1; p=none;

The DMARC record name (host) should be _dmarc.yourdomain.com, where yourdomain.com needs to be replaced by actual domain URL.

Another example would be:

v=DMARC1; p=reject; rua=mailto:postmaster@example.com, mailto:dmarc@example.com; pct=100; adkim=s; aspf=s

Note: email addresses need to be changed to actual working emails you have access to. Tags used in this example might not be suited for everyone, please read their description below.

A DMARC record comprises mandatory and optional tags, defining policies for email authentication. A fundamental example of a DMARC record must include the following essential tags:

• v tag – informs about DMARC versions, it is always set as DMARC1
• p tag – contains information on what servers must do with messages that fail authentication, there are three policies to choose from:
  • p=none – monitors emails sent on your domain without altering the recipients’ email servers.
  • p=quarantine – redirects failing emails to junk or spam folders while still tracking sent emails.
  • p=reject – refuses failing emails, causing them to bounce and not reach any recipient folder, while also tracking sent emails.

Optional tags provide further customization:

• pct – describes the percentage of unauthenticated emails that should be subject to DMARC recording. The range is expressed from 0 to 100, where 0 means 0% of messages and 100 means 100%. The pct parameter is optional, but if you do not set it in the record, its default value will be 100, which will include all messages that are not authenticated.
• rua=mailto:address@domain.com – specifies an email address for reports from participating mailbox providers, aiding in identifying domain issues.
• adkim – specifies the DKIM identifier alignment
  • adkim=s – alignment will be strict, which means that the domain name must be exactly the same as the domain name entered in the DKIM mail headers.
  • adkim=r – alignment will be rough,where all valid subdomains used in the header will be accepted
• aspf – works similarly to adkim, however it relates to the SPF values.
  • aspf=s – from email address must be exactly match the domain name
  • aspf=r – any valid subdomain might be used in the message header

How to add a DMARC record in specific providers

You can check the official instructions made by other platforms (and some by us) on how to add DMARC records here:

123-Reg	Hover
Amazon Route 53 (AWS)	Hostgator
Arsys	Hostinger
Bluehost	Inmotion Hosting
Cloudflare	IONOS
Crazy Domains	IWantMyName
Domain.com	Name.com
Digital Ocean	Namecheap
DNSimple	NameSilo
DreamHost	Netlify
Dynadot	One.com
Enom	OVH
Gandi	Porkbun
GoDaddy	Register.com
Google Domains