Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that uses SPF and DKIM to determine the authenticity of an email message. DMARC makes it easier for Internet Service Providers (ISPs) to prevent spoofed emails from arriving in user inboxes. The goal of this article is to explain DMARC and to provide guidance on the syntax of a DMARC record.
DMARC works by adding policies to your domain’s DNS records. These policies specify how mail servers should handle messages from your domain that fail SPF or DKIM checks.
When a receiving server gets an email, it first checks the SPF record to see if the sender IP is authorized. Next, it verifies the DKIM signature. If either the SPF or DKIM check passes, the server then checks the alignment of the domain in the From: header against the domain in the SPF or DKIM check. If the domains are aligned, and at least one of the SPF or DKIM checks passed, the DMARC check will pass.
A DMARC record is a TXT record in DNS that might look like this:
v=DMARC1; p=reject; rua=mailto:[email protected]
DMARC Syntax guide
Version (v): This tag is required and indicates the version of DMARC. The current and only version at this time is “DMARC1”.Example:
Policy (p): This tag is also required and indicates the policy to apply to emails that fail the DMARC check. The options are
nonemeans no specific action is to be taken regarding delivery of messages.
quarantinemeans treat the mail as suspicious (e.g., it could be put into the spam folder).
rejectmeans the email should be rejected outright.Example:
Report URI Aggregate (rua): This tag is optional and provides an email address to which aggregate reports of DMARC failures should be sent. These reports provide an overview of the authentication status of all messages claiming to be from the sender’s domain. They are useful for understanding trends and attempting to identify possible issues.Example:
- Report URI Forensic (ruf): This is where detailed forensic reports should be sent. These reports are generated when individual messages fail DMARC.
Percentage (pct): This tag tells receivers what portion of mail that fails the DMARC check should have the DMARC policy applied. For example,
pct=20means apply the DMARC policy to only 20% of the email that fails the DMARC check.
Subdomain Policy (sp): This tag allows you to specify a different policy for subdomains. For example, you could have a
p=rejectpolicy for your main domain but
sp=nonefor your subdomains.
- Identifier Alignment (adkim, aspf): These tags allow you to set strict or relaxed identifier alignment to determine how closely the domains in the DKIM and SPF results must align with the domain in the header-from field.
If you have any questions or encounter issues, please don’t hesitate to reach out to [email protected].