What is a DMARC Record?
A DMARC record is a DNS TXT record that allows you to control how your email is handled if it fails DMARC authentication. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.
DMARC Record Syntax
A DMARC record has the following syntax:
_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; aspf=r; adkim=r; rf=afrf; ri=86400; sp=quarantine"
The record above is read as follows:
v: Version | Indicates the protocol version |
p: Policy | Specifies the action you want mailbox providers to take with your email that fails authentication |
pct: Percentage | Specifies the percentage of email messages that are filtered. |
rua: Report Email Address | Specifies where reporting organizations should submit their DMARC aggregate |
ruf: Report Email Address | Specifies the reporting URI(s) for message-specific forensic information. |
fo: Forensic Reporting Option | All additional information is included in the DMARC forensic reports. |
adkim: ADKIM Tag | Allows you to choose DKIM’s alignment mode: Relaxed “r” or Strict “s”. |
aspf: ASPF Tag | SPF record authentication check. By analogy with adkim, it can be Relaxed “r” or Strict “s”. The default is Relaxed “r”. |
rf: Report Format | This tag specifies the forensic reporting format(s). |
ri: Report Interval | DMARC feedback is provided for the given criteria and corresponds to the aggregate reporting interval. |
sp: Sub-domain policy | Allows you to specify the DMARC policy for all subdomains: report, quarantine, or reject emails that fail authentication checks. |
Creating a DMARC Record
To create a DMARC record, create a TXT record in DNS for your domain with the following syntax:
_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"
Replace example.com with your domain name and [email protected] with the email address where you want to receive DMARC reports.
Once you have created your DMARC record, you can test it using our tool.
You can also include the following optional tags in your DMARC record:
- sp=quarantine: if DMARC authentication fails for email from a subdomain, the email should be quarantined
- pct=10: 10% of emails that fail DMARC authentication should be rejected/quarantined
- fo=1: generate DMARC reports even if the email passes SPF and/or DKIM authentication
How to read DMARC Records
To read DMARC records, you need to use a tool that can query DNS records. For example, you can use the “dig” command-line tool on Linux or the “nslookup” command-line tool on Windows.
To query DMARC records using the “dig” tool, you need to use the following command:
dig txt _dmarc.example.com
To query DMARC records using the “nslookup” tool, you need to use the following command:
nslookup -type=TXT _dmarc.example.com
Once you have queried the DNS records, you will be able to see the DMARC records for the domain.
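To interpret the TXT value that dig or nslookup returns, the following added example (not from the original article or from Skysnag) parses a record into its tags, fills in defaults, and lists the problems it finds. The function name parse_dmarc, the sample records, and the defaults other than aspf (taken from RFC 7489) are assumptions of the example.

```python
# Added example: parse and sanity-check a DMARC TXT value (tags per RFC 7489).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}  # assumption: RFC 7489 defaults
POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records; the report address is a placeholder.
GOOD = '"v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=10"'
TYPO = "v=DMARC1: p=none; rua=mailto:dmarc-reports@example.com"  # ':' after version
WEAK = "v=DMARC1; p=quarantine; sp=none; adkim=x; pct=150"


def parse_dmarc(txt):
    """Return (effective_tags, problems) for one TXT string from dig/nslookup."""
    problems, tags = [], {}
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    # The version tag must come first; a ':' instead of ';' breaks this check.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with 'v=DMARC1;'")
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    if "p" not in tags:
        problems.append("missing required p= tag")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in POLICIES:
            problems.append(f"{key} must be none, quarantine or reject")
    for key in ("adkim", "aspf"):
        if tags.get(key, "r").lower() not in ("r", "s"):
            problems.append(f"{key} must be r or s")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    effective = {**DEFAULTS, **tags}
    # Without an explicit sp, subdomains inherit the domain policy p.
    effective.setdefault("sp", effective.get("p"))
    return effective, problems


if __name__ == "__main__":
    for record in (GOOD, TYPO, WEAK):
        tags, problems = parse_dmarc(record)
        print(record, "->", tags.get("p"), tags.get("sp"), problems or "ok")
```
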
DMARC policy versus DMARC record
DMARC policy is configured in DNS and is authorized to send emails on behalf of your domain, while a DMARC record defines what to do with messages that fail DMARC evaluation and is configured in a message header.
How is a DMARC record used?
The DMARC record lives in DNS and is used to indicate that DMARC is configured for a domain. When a message arrives, the recipient will look up the DMARC record to see if the sender has indicated that they are using DMARC.
What happens when DMARC fails?
If DMARC fails on a message, it means that the message did not pass DMARC authentication. The message may be rejected, quarantined, or delivered to the inbox, depending on the DMARC policy that is configured.
How do I set up DMARC?
DMARC can be configured using DNS. You will need to add a DMARC record to your DNS zone file. The DMARC record will tell receivers what to do with messages that fail DMARC authentication.
After a few days, you should start receiving DMARC aggregate reports.
Create a Skysnag account to generate your DMARC record and achieve a p=reject policy.
Conclusion
Skysnag automates DMARC, SPF, and DKIM for you, saving you the trouble and time required for manual configuration. Unlock insights, bypass email authentication configuration issues including SPF and DKIM, and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Begin your DMARC journey with Skysnag by signing up for a free trial to increase email deliverability.