Knowing DMARC Records and Setting Them Up Correctly


DMARC Records: Complete Guide

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM to prevent email spoofing and phishing. This guide explains how DMARC works and how to configure it for your domain.

What is DMARC?

DMARC is a policy framework that tells receiving mail servers what to do with emails that fail SPF or DKIM authentication. It also provides reporting mechanisms so you can monitor email sent from your domain.

Why DMARC Matters

  • Prevents email spoofing: Stops phishers from impersonating your domain
  • Improves deliverability: Authenticated emails reach inboxes more reliably
  • Provides visibility: Reports show who’s sending email from your domain
  • Protects brand reputation: Prevents your domain from being used in scams
  • Required by major providers: Gmail and Yahoo require DMARC for bulk senders

How DMARC Works

  1. Email sent: Someone sends an email from user@yourdomain.com
  2. SPF/DKIM check: Receiving server verifies SPF and DKIM
  3. Alignment check: DMARC verifies domain alignment
  4. Policy application: Server applies your DMARC policy (none/quarantine/reject)
  5. Reporting: Server sends DMARC report to you

DMARC Alignment

DMARC requires either SPF or DKIM to pass AND align with the From: domain.

Alignment types:

  • Relaxed: Subdomains match (mail.example.com matches example.com)
  • Strict: Exact domain match required
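
The alignment rules above, and the disposition step from "How DMARC Works", as an added example (not code from the original guide). It assumes a simplified organizational-domain rule (last two labels); real receivers consult the Public Suffix List so that domains such as example.co.uk are handled correctly. The `AuthResults` dataclass, `dmarc_pass` and `disposition` are names chosen for this example.

```python
# Added example, not code from the original guide: how a receiving server
# evaluates DMARC alignment and turns the result into a disposition.
# Assumption: the organizational domain is taken as the last two labels;
# real receivers consult the Public Suffix List (e.g. for example.co.uk).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """True if auth_domain aligns with the RFC5322.From domain.
    's' (strict) needs an exact match; 'r' (relaxed) accepts any domain
    in the same organizational domain, e.g. mail.example.com vs example.com."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_pass: bool     # SPF verdict
    spf_domain: str    # envelope (MAIL FROM) domain SPF was checked against
    dkim_pass: bool    # a DKIM signature verified
    dkim_domain: str   # d= domain of that signature


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes when SPF or DKIM both passed AND aligned with From:."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_ok or dkim_ok


def disposition(r: AuthResults, policy: dict, roll: int = 0) -> str:
    """Map the DMARC result to the receiver's action.

    policy: parsed record tags, e.g. {"p": "quarantine", "pct": 25}.
    roll: the 0-99 sample the receiver drew for pct; it is passed in so the
    function stays deterministic. Messages outside the sampled fraction get
    the next weaker policy (reject -> quarantine, quarantine -> none),
    which is how pct gives a gradual rollout."""
    if dmarc_pass(r, policy.get("aspf", "r"), policy.get("adkim", "r")):
        return "pass"
    p = policy.get("p", "none")
    if roll >= int(policy.get("pct", 100)):
        p = {"reject": "quarantine", "quarantine": "none"}.get(p, "none")
    return p


if __name__ == "__main__":
    # Constructed sample: an unauthorized sender whose SPF passes for its own
    # envelope domain while the From: header carries your domain.
    msg = AuthResults("yourdomain.com", True, "bulk-sender.example", False, "")
    print(disposition(msg, {"p": "reject", "pct": 100}))  # reject
```

Note that a raw SPF pass is not enough: in the sample the envelope domain authenticates fine, but it does not align with the From: domain, so the message still fails DMARC. That is exactly the case DMARC adds on top of SPF and DKIM alone.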

DMARC Record Format

DMARC records are TXT records added to _dmarc.yourdomain.com:

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

Required Tags

v=DMARC1

  • DMARC version
  • Must be first tag
  • Always set to DMARC1

p=policy

  • Policy for domain emails
  • Options: none, quarantine, reject

rua=mailto:address

  • Email address for aggregate reports
  • Daily XML reports of DMARC results
  • Can specify multiple addresses: rua=mailto:dmarc1@example.com,mailto:dmarc2@example.com

ruf=mailto:address

  • Email address for forensic reports
  • Real-time failure reports
  • Contains sample of failed messages

pct=percentage

  • Percentage of emails to apply policy to
  • Range: 0-100
  • Default: 100
  • Useful for gradual rollout: pct=25 (apply to 25% of emails)

sp=policy

  • Policy for subdomains
  • Options: none, quarantine, reject
  • If omitted, uses main policy

Optional Tags

adkim=alignment

  • DKIM alignment mode
  • Options: r (relaxed), s (strict)
  • Default: r

aspf=alignment

  • SPF alignment mode
  • Options: r (relaxed), s (strict)
  • Default: r

ri=interval

  • Report interval in seconds
  • Default: 86400 (24 hours)
  • Example: ri=3600 (hourly)

fo=options

  • Forensic report options
  • 0: Generate report if all fail (default)
  • 1: Generate report if any fail
  • d: Generate report if DKIM fails
  • s: Generate report if SPF fails

DMARC Policies

p=none (Monitor Mode)

What it does:

  • No action taken on failed emails
  • All emails delivered normally
  • Reports sent for monitoring

Use when:

  • First implementing DMARC
  • Testing configuration
  • Monitoring email sources

Example:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

p=quarantine (Mark as Spam)

What it does:

  • Failed emails marked as spam/junk
  • Delivered to spam folder
  • Not rejected outright

Use when:

  • Confident in SPF/DKIM setup
  • Want soft enforcement
  • Transitioning to stricter policy

Example:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@yourdomain.com

p=reject (Block Delivery)

What it does:

  • Failed emails completely rejected
  • Never delivered to recipient
  • Strongest protection

Use when:

  • Fully confident in configuration
  • All legitimate senders configured
  • Maximum security needed

Example:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com

Setting Up DMARC

Step 1: Prerequisites

Before implementing DMARC:

  1. Set up SPF record

    v=spf1 include:_spf.google.com ~all
  2. Configure DKIM

    google._domainkey TXT "v=DKIM1; k=rsa; p=..."
  3. Test SPF and DKIM

    • Send test emails
    • Verify both pass authentication

Step 2: Create DMARC Record

Start with monitoring:

Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
TTL: 3600

Step 3: Add to DNS

Add the TXT record to your DNS provider:

Cloudflare example:

  1. Log in to Cloudflare
  2. Select your domain
  3. Go to DNS
  4. Click Add record
  5. Type: TXT
  6. Name: _dmarc
  7. Content: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  8. Click Save

Other DNS providers:

  • GoDaddy, Namecheap, Google Domains follow similar process
  • Some providers require full subdomain: _dmarc.yourdomain.com

Step 4: Wait for Propagation

DNS changes take time to propagate:

  • Usually: 15 minutes to 1 hour
  • Maximum: Up to 48 hours

Step 5: Verify DMARC Record

Command line:

nslookup -type=TXT _dmarc.yourdomain.com

Online tools:

DMARC Gradual Rollout

Don’t jump straight to p=reject. Follow this recommended progression:

Phase 1: Monitor (2-4 weeks)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Goals:

  • Collect aggregate reports
  • Identify all email sources
  • Find authentication issues
  • Verify SPF/DKIM configuration

Phase 2: Quarantine Partial (2-4 weeks)

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

Goals:

  • Apply quarantine to 25% of emails
  • Monitor impact on delivery
  • Gradually increase pct: 25 → 50 → 75 → 100

Phase 3: Quarantine Full (2-4 weeks)

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com

Goals:

  • Apply quarantine to all emails
  • Monitor for false positives
  • Verify no legitimate email affected

Phase 4: Reject (Production)

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com

Goals:

  • Maximum protection
  • Block all unauthenticated email
  • Ongoing monitoring via reports

DMARC Reports

Aggregate Reports (RUA)

Format: XML files sent daily (or per ri setting)

Contains:

  • IP addresses sending from your domain
  • Number of emails passed/failed
  • SPF and DKIM results
  • Receiving organizations

Example report summary:

Source IP: 142.250.185.27
Messages: 1,250
SPF Pass: 1,248
DKIM Pass: 1,250
DMARC Pass: 1,248

Forensic Reports (RUF)

Format: Individual email samples

Contains:

  • Full email headers
  • Subject and timestamp
  • Authentication failure details

Note: Many providers don’t send forensic reports due to privacy concerns.

Analyzing Reports

Manual analysis:

  • Reports are XML files
  • Can be complex to parse
  • Time-consuming for high-volume domains

DMARC analysis services:

  • Postmark (free for low volume)
  • DMARC Analyzer
  • Dmarcian
  • Valimail
  • EasyDMARC

These services:

  • Parse XML reports automatically
  • Provide dashboards and visualizations
  • Alert on issues
  • Recommend configuration changes
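
The aggregate-report fields listed above, and the manual XML parsing this section describes, as an added example (not code from the original guide or from any of the services named). `SAMPLE_REPORT` is constructed for this example in the RFC 7489 aggregate-report layout; the IPs are documentation addresses and the reporter name is made up. The function names are chosen for this example.

```python
# Added example, not part of the original guide: parse a DMARC aggregate (rua)
# report and summarise it per sending IP. SAMPLE_REPORT is constructed for this
# example in the RFC 7489 aggregate-report layout; the IPs are documentation
# addresses and the reporter name is made up.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>25</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>42</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>newsletter-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate per-source counts from one rua report.
    <policy_evaluated> holds the DMARC (aligned) verdicts; <auth_results> holds
    the raw SPF/DKIM results, which may pass for a domain that does not align."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": {},
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        src = summary["sources"].setdefault(ip, {
            "messages": 0, "dmarc_pass": 0, "spf_aligned": 0, "dkim_aligned": 0,
            "spf_raw_pass": 0, "dkim_raw_pass": 0, "dispositions": {},
        })
        src["messages"] += count
        spf_ok = ev.findtext("spf") == "pass"
        dkim_ok = ev.findtext("dkim") == "pass"
        src["spf_aligned"] += count if spf_ok else 0
        src["dkim_aligned"] += count if dkim_ok else 0
        src["dmarc_pass"] += count if (spf_ok or dkim_ok) else 0
        disp = ev.findtext("disposition")
        src["dispositions"][disp] = src["dispositions"].get(disp, 0) + count
        auth = rec.find("auth_results")
        if auth is not None:
            if any(e.findtext("result") == "pass" for e in auth.findall("spf")):
                src["spf_raw_pass"] += count
            if any(e.findtext("result") == "pass" for e in auth.findall("dkim")):
                src["dkim_raw_pass"] += count
    return summary


def unaligned_senders(summary: dict) -> list:
    """IPs whose mail authenticated in raw form but never aligned with From:.
    This is the signature of a legitimate third-party sender that still needs
    to sign with your domain's DKIM key or use your domain as envelope sender."""
    return [ip for ip, s in summary["sources"].items()
            if s["dmarc_pass"] == 0 and (s["spf_raw_pass"] or s["dkim_raw_pass"])]


if __name__ == "__main__":
    result = summarize_report(SAMPLE_REPORT)
    for ip, s in result["sources"].items():
        print(ip, s["messages"], "msgs,", s["dmarc_pass"], "DMARC pass")
    print("needs attention:", unaligned_senders(result))
```

Reading `policy_evaluated` and `auth_results` separately is the point: the second source in the sample passes SPF for the vendor's own domain, yet fails DMARC because nothing aligns with yourdomain.com. During the monitoring phase, that pattern is the list of third-party senders still to be set up before moving to quarantine or reject.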

Complete DMARC Examples

Basic DMARC (Monitoring)

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Intermediate DMARC

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

Advanced DMARC (Strict)

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; adkim=s; aspf=s; pct=100; fo=1

DMARC with External Service

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com,mailto:randomstring@dmarc-service.com

Subdomain Policies

DMARC can have different policies for subdomains:

Same Policy for Subdomains

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

All subdomains inherit p=reject.

Different Subdomain Policy

v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.com

  • Main domain: quarantine
  • Subdomains: reject

Specific Subdomain DMARC

Create separate record for subdomain:

Host: _dmarc.mail.yourdomain.com
Value: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Testing DMARC

Send Test Emails

  1. From legitimate source:

    • Should pass DMARC
    • Check email headers for dmarc=pass
  2. From unauthorized source:

    • Should fail based on policy
    • Monitor what happens (deliver/quarantine/reject)

Check Email Headers

Gmail:

  1. Open email
  2. Click three dots > Show original
  3. Look for DMARC result:
    dmarc=pass action=none header.from=yourdomain.com

Online Testing Tools

  • Mail Tester: mail-tester.com
  • DMARC Analyzer: Test email and get instant DMARC analysis
  • MXToolbox: Comprehensive email authentication testing

Common Issues

DMARC Not Working

Causes:

  • SPF or DKIM not configured
  • DNS propagation delay
  • Syntax errors in DMARC record
  • Alignment failures

Solutions:

  • Verify SPF and DKIM are passing
  • Wait 24-48 hours for DNS propagation
  • Use DMARC validator to check syntax
  • Check alignment settings (relaxed vs strict)
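
The "syntax errors in DMARC record" cause above, and the tag rules from the Required Tags and Optional Tags reference earlier in this guide, as an added example (not code from the original guide or from any DMARC validator service): a small local parser and validator for the TXT record value. `parse_dmarc` and `validate_dmarc` are names chosen for this example.

```python
# Added example, not part of the original guide: parse a DMARC TXT record into
# tags and check it for the syntax and range errors that commonly break DMARC.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "ri", "fo", "rf"}
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}
FO_OPTIONS = {"0", "1", "d", "s"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict.
    Whitespace around tags and values is ignored and a trailing ';' is tolerated."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    try:
        tags = parse_dmarc(record)
    except ValueError as e:
        return [str(e)]

    # v=DMARC1 must be present, exact, and the first tag in the record
    if record.split(";", 1)[0].strip() != "v=DMARC1":
        problems.append("record must start with v=DMARC1")

    if "p" not in tags:
        problems.append("required tag p is missing")
    elif tags["p"] not in POLICIES:
        problems.append(f"p must be none, quarantine or reject, got {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"sp must be none, quarantine or reject, got {tags['sp']!r}")

    for t in ("adkim", "aspf"):
        if t in tags and tags[t] not in ALIGNMENT_MODES:
            problems.append(f"{t} must be r or s, got {tags[t]!r}")

    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be a non-negative integer number of seconds")

    if "fo" in tags:
        bad = [o for o in tags["fo"].split(":") if o not in FO_OPTIONS]
        if bad:
            problems.append(f"fo accepts 0, 1, d, s (colon-separated), got {bad!r}")

    # Report destinations are comma-separated mailto: URIs
    for t in ("rua", "ruf"):
        for uri in tags.get(t, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{t} entries must be mailto: URIs, got {uri!r}")

    for t in tags:
        if t not in KNOWN_TAGS:
            problems.append(f"unknown tag {t!r} (receivers ignore it)")

    # Not a syntax error, but a record nobody reports to gives no visibility
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua: no reports will be received")
    return problems


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                "p=reject; v=DMARC1",
                "v=DMARC1; p=quarantine; pct=150"):
        print(rec, "->", validate_dmarc(rec) or "OK")
```

Run this against the value you are about to publish, or against what `nslookup -type=TXT _dmarc.yourdomain.com` returns, before moving from monitoring to enforcement; a record with a misplaced `v=` tag or an invalid `p=` is ignored by receivers entirely, which silently leaves the domain unprotected.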

Not Receiving Reports

Causes:

  • Email address in rua doesn’t exist
  • Reports blocked by spam filter
  • DNS record not propagated
  • No email sent from domain yet

Solutions:

  • Verify email address is valid and monitored
  • Check spam folder
  • Whitelist report sender addresses
  • Wait at least 24 hours for first reports

Legitimate Email Failing

Causes:

  • Forwarding breaks SPF
  • Third-party senders not configured
  • Mailing lists modify headers
  • Alignment issues

Solutions:

  • Add third-party IPs to SPF
  • Configure DKIM for all senders
  • Use p=quarantine instead of p=reject temporarily
  • Review DMARC reports to identify sources

Best Practices

  1. Start with p=none: Always begin in monitor mode
  2. Configure SPF and DKIM first: DMARC requires these
  3. Use reporting addresses: Monitor with rua and ruf
  4. Gradual rollout: Use pct to slowly increase policy coverage
  5. Analyze reports regularly: Review at least weekly initially
  6. Document email sources: Know all services sending from your domain
  7. Set subdomain policy: Use sp= to protect subdomains
  8. Consider strict alignment: Use adkim=s and aspf=s for maximum security
  9. Test thoroughly: Send test emails before enforcing strict policies
  10. Monitor ongoing: Even after full deployment, review reports monthly

DMARC and Email Forwarding

Email forwarding can break DMARC:

The problem:

  • Forwarded emails appear to come from original domain
  • But sent from forwarding server’s IP
  • Fails SPF alignment

Solutions:

  1. ARC (Authenticated Received Chain):

    • Preserves authentication across forwards
    • Supported by major email providers
  2. SRS (Sender Rewriting Scheme):

    • Rewrites the envelope From (Return-Path) address during forwarding
    • Maintains authentication chain
  3. Relaxed alignment:

    • Use aspf=r instead of aspf=s
    • Allows subdomain alignment

Conclusion

DMARC is the final pillar of email authentication, working with SPF and DKIM to protect your domain from spoofing and phishing. A properly configured DMARC policy:

  • Prevents unauthorized use of your domain
  • Improves email deliverability
  • Provides visibility into email sending
  • Protects your brand reputation

Start with p=none, analyze reports, fix issues, then gradually move to p=quarantine and eventually p=reject for maximum protection.

Quick Reference

Basic DMARC Record:

_dmarc TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

DMARC Policies:

  • p=none: Monitor only
  • p=quarantine: Mark as spam
  • p=reject: Block delivery

Recommended Progression:

Phase 1: p=none
Phase 2: p=quarantine; pct=25
Phase 3: p=quarantine; pct=100
Phase 4: p=reject

Check DMARC:

nslookup -type=TXT _dmarc.yourdomain.com