Domain-based Message Authentication, Reporting and Conformance (DMARC) is an Inbound email policy built on top of SPF and DKIM records, designed to detect and prevent fraudulent emails.
When you add a DMARC policy to your domain, you choose to inform the recipient that your emails are protected by SPF and/or DKIM records, and what to do if your DMARC policy fails alignment with those records.
Example of the DMARC sending process
- Sender adds a DMARC policy to their domain.
- An email is sent.
- The recipient checks if the email contains a DMARC policy.
- If so, the SPF/DKIM records mentioned in the sender's DMARC policy are validated.
- If the SPF/DKIM records pass validation, they must then pass something called 'alignment'.
- If 'alignment' is passed, the email is received.
If 'alignment' is not passed (even if SPF/DKIM checks are passed), then the message fails. This helps to ensure that fraudulent activity appearing to come from the domain is blocked.
What is alignment?
The DMARC policy checks the domain name listed in the message's From: field. It then compares that domain to other authenticated domain names listed in the email's header. If they are identical, your DMARC policy is aligned.
If not, you should contact your email host and ask for instructions on how to ensure your records are aligned.
Strict and relaxed alignment
The alignment in your policy can be set as strict or relaxed.
- Strict alignment — the domains must be identical
- Relaxed alignment — the top-level "Organizational Domain" must match
The 'Organizational Domain' is your domain name followed by its suffix. For example:
What if the message fails alignment?
The sender's DMARC policy contains information on how to handle emails that fail authentication. Two types of reports can be created:
- Aggregate reports — sent as XML format once a day, consisting of aggregate data of all DMARC failures
- Forensic reports (aka Failure reports) — generated immediately and consist of individual emails that failed
Analyzing the reports
You can use a tool like the following to analyze your reports.
Configuring a DMARC policy
- Configure an SPF and/or DKIM record on your domain.
- Send an email to yourself (or another address you own). Once received, view its headers. Verify domain alignment by identifying the domain listed as the sending address. It may be located in the following places:
- The Envelope From domain — From: email@example.com
- The Return-Path Return-Path — <firstname.lastname@example.org>
- The d=domain in the DKIM-Signature — DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com;
Create two separate email addresses to receive DMARC daily aggregate and forensic reports. It’s recommended you create two email addresses since you may receive a large number of reports. For example:
- Create the TXT record.
- Navigate to the Manage Websites page.
- Click the Manage button to open the Manage Websites page, which allows you to adjust various settings for your site.
- If in Grid view, click the Manage button at the bottom of the website box.
- If in List view, click the Manage button at the far right of your domain name.
- Click the
- Click the Add Record button.
- Hover over the TXT Record section and click the link.
- Enter the following:
- Host: _dmarc
- TXT Value * — Below is a basic configuration that handles the majority of your DMARC needs. Just make sure to adjust the email addresses to the addresses you created above to receive incoming reports.
v=DMARC1; p=none; fo=1; rua=mailto:email@example.com;ruf=mailto:firstname.lastname@example.org;pct=100
- Click the Add Record button to save.
After clicking the Add Record button, the propagation for the new record begins. This can take up to 6 hours before the new record updates online.
Tags you can use in your DMARC record
There are 2 required tags, v and p.
The v tag
The v tag identifies the text record as a DMARC record. This must be the first tag and have a value of DMARC1.
The p tag
The p tag identifies the action the domain owner requests the recipient to take for failed messages. Options are:
|p=none||No action should be taken for emails that fail DMARC authentication.|
|p=quarantine||If an email fails DMARC authentication, it should be treated as suspicious. How this is handled is up to the recipient, for example, it may be placed in a SPAM folder.|
|p=reject||If an email fails DMARC authentication, the recipient should reject the email during the SMTP transaction.|
These indicate where reports are sent.
|rua=mailto:email@example.com||This address is where aggregate DMARC reports should be sent to.|
|ruf=mailto:firstname.lastname@example.org||Indicates where forensic DMARC reports should be sent to.|
fo controls when a failure report is created.
|0||Creates a report if all authentication steps fail. (Default)|
|1||Creates a report if any authentication steps fail.|
|d||Creates a DKIM failure report if the message had a signature that failed evaluation.|
|s||Creates an SPF failure report if the message failed SPF authentication.|
A setting of fo=1 is recommended as it provides the most amount of data about any failures.
The following tags use a default value if the tag isn't set:
|adkim||Sets a strict or relaxed DKIM identifier alignment. (The default is relaxed).|
|aspf||Sets a strict or relaxed SPF identifier alignment. (The default is relaxed).|
|rf||Format for failure reports. (The default is Authentication Failure Reporting Format, or 'AFRF').|
|ri||Sets the number of seconds between sending aggregate reports. (The default value is 86,400 seconds, or one day).|
|pct||Sets the percentage of messages DMARC is applied to. Setting this to 100 would apply to every email and is recommended.|
The sp tag is used to set a different reporting policy for a subdomain. For example, you could set the primary domain to use p=reject while setting all subdomains under this domain to use sp=quarantine.
|sp||Sets a reporting policy for the subdomain, different form the primary domain. For example:
v=DMARC1; p=none; sp=quarantine;fo=1; rua=mailto:email@example.com;ruf=mailto:firstname.lastname@example.org;pct=100<