DMARC record setup guide

March 19, 2024

Have you ever received a suspicious email that seemed to come from your CEO, bank, or favorite online store? If so, you're not alone. The convenience of email brings risks along with it.

Email spoofing and phishing attacks are rampant, targeting individuals and businesses alike. Email authentication protocols like DMARC, SPF, and DKIM are essential tools to help manage these risks.

What is DMARC?

DMARC is a security tool that helps prevent email-based attacks, such as email spoofing and phishing. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

DMARC simplifies the email verification process by aligning SPF and DKIM protocols. It also provides a reporting mechanism that allows you to track your email performance.

It empowers domain owners and businesses, instructing email providers on how to handle messages from their domains.

How DMARC protects your domain from Spoofing and Phishing

DMARC relies on two other security protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Both of these protocols are designed to prevent email spoofing.

  • SPF

    Verifies whether the server sending the email is authorized to send mail for the domain.

  • DKIM

    Ensures that an email is authentic and hasn't been tampered with by adding a digital signature.

SPF and DKIM Authentication

When an email is received, the server checks the SPF record to confirm if the email originates from an approved IP address. Next, it verifies the DKIM signature to ensure the email wasn’t modified in transit.

DMARC Verification

After SPF and DKIM checks, DMARC takes over. It verifies that your email aligns with either the SPF or the DKIM result - known as "alignment". DMARC ensures the “From” address in the email header matches the domain validated by either the SPF or the DKIM check. If the domains match, your email is considered DMARC-aligned.

DMARC Policy

If the email passes, it gets delivered. But if something doesn’t match up, your DMARC policy dictates the next step:

  • none

    Takes no action but reports the failure.

  • quarantine

    Sends the email to the recipient’s spam or junk folder.

  • reject

    Blocks the email completely, so it never reaches the inbox.
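The alignment check and policy decision described above, as an added example (not code from the original article). The function names and the sample domains are hypothetical, and the organizational domain is approximated as the last two labels, where real receivers consult the Public Suffix List.

```python
# Added example: DMARC alignment and policy decision (simplified sketch).

def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels.
    Real receivers use the Public Suffix List (needed for e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

def dmarc_disposition(from_domain, spf, dkim, policy="none", aspf="r", adkim="r"):
    """spf and dkim are (result, domain) tuples from the earlier checks.
    Returns (dmarc_pass, action); on failure the action is the policy value."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return True, "deliver"
    return False, policy           # none / quarantine / reject

if __name__ == "__main__":
    # Constructed cases; all domains are placeholders.
    cases = [
        # Third-party sender: SPF passes for its own bounce domain, DKIM signs as us.
        ("example.com", ("pass", "bounces.esp.test"), ("pass", "example.com"), "reject", "r", "r"),
        # SPF passes, but for an unrelated domain, and there is no DKIM signature.
        ("example.com", ("pass", "other.test"), ("none", ""), "reject", "r", "r"),
        # Subdomain SPF identity: aligned in relaxed mode, not in strict mode.
        ("example.com", ("pass", "mail.example.com"), ("fail", "example.com"), "quarantine", "s", "r"),
    ]
    for c in cases:
        print(c[0], c[1], c[2], "->", dmarc_disposition(*c))
```

The second case shows why an SPF pass alone does not satisfy DMARC: the pass is for a domain that does not match the “From” address.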

Reporting

One of DMARC's most valuable features is its reporting system. DMARC sends reports to the domain owner, detailing attempts to send emails from their domain. This insight helps ensure email legitimacy.

Why DMARC Matters

Without DMARC, suspicious emails might end up in your customers’ inboxes, potentially leading to confusion or data breaches.

DMARC is the final piece in the email security puzzle that includes SPF and DKIM. SPF verifies the sender’s IP address, DKIM secures the email’s integrity, and DMARC acts as the gatekeeper.

Based on your DMARC policy, it either lets the email through or stops it.

How to Check Your Domain for a DMARC Record

If you're wondering how to check if your domain has a DMARC record, you're in the right place. Finding DMARC records is simple. You can either do a DNS (Domain Name System) lookup or use tools designed for this purpose.

Steps to Locate DMARC Records via DNS Lookup

DMARC records are stored in your domain's DNS settings, which function like the internet’s phonebook. Here’s how to find them:

  1. Access your DNS Records

    Start by logging into your DNS management platform through your domain registrar or hosting provider.

  2. Locate TXT Records

    DMARC records are stored as TXT (text) records. Look for a TXT record whose name starts with _dmarc.

  3. Check the configuration

    Once you find the DMARC record, verify its configuration. Look for essential tags like v=DMARC1 (version), p= (policy), and rua=mailto: (reports destination). Missing any of these tags means DMARC isn't fully set up.

Basic DMARC Syntax

A DMARC record starts with a version tag and includes other tags defining your domain’s policy. Here’s a basic example:

    v=DMARC1; p=none; rua=mailto:your-domain.com@rua.dmarcdkim.io; ruf=mailto:your-domain.com@ruf.dmarcdkim.io; adkim=s; aspf=r; ri=3600; fo=0:1:d:s

  • v=DMARC1

    Specifies the DMARC version. Currently, DMARC1 is the only version.

  • p=none

    The policy tag, instructing servers to take no action if emails fail DMARC.

  • rua=mailto:

    Designates the email address to receive aggregate DMARC reports.

  • ruf=mailto:

    Specifies where to send forensic failure reports.

Common DMARC Policy Tags

| Tag | Description | Example |
|-----|-------------|---------|
| v | DMARC protocol version (always DMARC1). | v=DMARC1 |
| p | Policy for failed DMARC checks: none, quarantine, or reject. | p=reject |
| sp | Subdomain policy, specifying a separate rule for subdomains if needed. | sp=quarantine |
| rua | URI for daily aggregate reports. | rua=mailto:your-domain.com@rua.dmarcdkim.io |
| ruf | URI for detailed forensic failure reports. | ruf=mailto:your-domain.com@ruf.dmarcdkim.io |
| pct | Percentage of emails to apply the DMARC policy to (0-100%). | pct=100 |
| adkim | DKIM alignment mode (r for relaxed, s for strict). | adkim=s |
| aspf | SPF alignment mode (r for relaxed, s for strict). | aspf=r |
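The configuration check from the lookup steps, applied to the tags listed above, as an added example (not code from the original article). The function names and the BAD record are constructed for illustration, and the mailto: check follows the article's examples.

```python
# Added example: parse and lint the value of a _dmarc TXT record.

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt: str) -> list:
    """Return a list of findings; an empty list means these checks passed."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        findings.append("p= missing or not none/quarantine/reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append("sp= not none/quarantine/reject")
    for tag in ("rua", "ruf"):
        uris = tags.get(tag, "mailto:").split(",")
        if not all(u.strip().startswith("mailto:") for u in uris):
            findings.append(f"{tag}= should list mailto: URIs")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate report destination")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in {"r", "s"}:
            findings.append(f"{tag}= must be r or s")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append("pct= must be 0-100")
    return findings

# The record from the article, and a constructed broken record.
GOOD = ("v=DMARC1; p=none; rua=mailto:your-domain.com@rua.dmarcdkim.io; "
        "ruf=mailto:your-domain.com@ruf.dmarcdkim.io; adkim=s; aspf=r; ri=3600; fo=0:1:d:s")
BAD = "p=rejct; v=DMARC1; pct=150; aspf=x"
```

Pass it the TXT value found at _dmarc.your-domain.com; lint_dmarc(BAD) reports five findings, starting with the misplaced version tag.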

How to Check Existing DMARC Records

To verify if your domain has a DMARC record, use a DMARC check tool. This tool also helps you generate an effective DMARC policy and provides actionable reports and DMARC analytics.

Conclusion

If you receive malicious emails, there’s a high chance of personal data theft, financial fraud, or even identity theft. Implementing DMARC, SPF, and DKIM creates a safer digital environment for both your business and customers.

DMARC FAQs

Who needs DMARC?

DMARC is essential for any organization that sends emails from its domain. It protects your brand, customers, and reputation from email spoofing and phishing attacks.

Is DMARC better than SPF?

DMARC, SPF, and DKIM together provide comprehensive email security. SPF alone only checks if an email originates from an authorized server but doesn’t stop all spoofing attempts.

Does Gmail use DMARC?

Yes, Gmail supports and uses DMARC for sending and receiving emails, encouraging domain owners to implement DMARC, SPF, and DKIM to combat email spoofing.

Is DMARC free?

Yes, DMARC is free to implement! DMARC Analytics tools like DmarcDkim.com allow you to set up DMARC records at no extra cost. However, storage for extensive DMARC reports, advanced data analysis, and personalized consultation may come with additional fees.
