What is a DMARC Record?

September 23, 2022  |  3 min read

A DMARC record is a DNS TXT record that allows you to control how your email is handled if it fails DMARC authentication. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

DMARC Record Syntax

A DMARC record has the following syntax:

_dmarc.example.com IN TXT v=DMARC1: p=none; rua=mailto:customer@for.example.com; ruf=mailto:customer@for.example.com; fo=1; aspf=r; adkim=r; rf=afrf; ri=86400; sp=quarantine

The record above is read as follows:

VersionIndicates the protocol version
PolicySpecifies the action you want mailbox providers to take with your email that fails authentication
PercentageThe percentage of email messages that are filtered is specified by the percentage tag.
rua: Report Email AddressSpecifies where reporting organizations should submit their DMARC aggregate
ruf: Report Email AddressDesigned for reporting URI(s) for message-specific forensic information.
Forensic Reporting OptionAll additional information is included in the DMARC forensic reports.
adkim: ADKIM TagAllows you to choose DKIM’s alignment mode. Relaxed “r” or Strict “s”
aspf: ASPF TagSPF record authentication check. By analogy with adkim, it can be Relaxed “r”, or Strict “s”. The default is Relaxed “r”.
rf: Report FormatThis tag specifies the forensic reporting format(s).
ri: Report IntervalDMARC feedback is provided for the given criteria and corresponds to the aggregate reporting interval.
sp: Sub-domain policyAllows you to specify the DMARC policy for all subdomains report, quarantine, or reject emails that fail authentication checks.

Creating a DMARC Record

To create a DMARC record, you will need to create a TXT record in DNS for your domain with the following syntax mentioned below:

_dmarc.example.com IN TXT “v=DMARC1; p=reject; rua=mailto:dmarc_reports@example.com”

Replace example.com with your domain name and dmarc_reports@example.com with the email address where you want to receive DMARC reports.

Once you have created your DMARC record, you can test it using our tool

You can also include the following optional tags in your DMARC record as mentioned below:

  1. sp=quarantine: if DMARC authentication fails, the email should be quarantined
  2. pct=10: 10% of emails that fail DMARC authentication should be rejected/quarantined
  3. fo=1: generate DMARC reports even if the email passes SPF and/or DKIM authentication

How to read DMARC Records

To read DMARC records, you need to use a tool that can query DNS records. For example, you can use the “dig” command-line tool on Linux or the “nslookup” command-line tool on Windows.

To query DMARC records using the “dig” tool, you need to use the following command:

dig txt _dmarc.example.com

To query DMARC records using the “nslookup” tool, you need to use the following command:

nslookup -type =TXT _dmarc.example.com

Once you have queried the DNS records, you will be able to see the DMARC records for the domain.

DMARC policy versus DMARC record

DMARC policy is configured in DNS and is authorized to send emails on behalf of your domain, while a DMARC record defines what to do with messages that fail DMARC evaluation and is configured in a message header.

How is a DMARC record used?

The DMARC record lives in DNS and is used to indicate that DMARC is configured for a domain. When a message arrives, the recipient will look up the DMARC record to see if the sender has indicated that they are using DMARC.

What happens when DMARC fails?

If DMARC fails on a message, it means that the message did not pass DMARC authentication. The message may be rejected, quarantined, or delivered to the inbox, depending on the DMARC policy that is configured.

How do I set up DMARC?

DMARC can be configured using DNS. You will need to add a DMARC record to your DNS zone file. The DMARC record will tell receivers what to do with messages that fail DMARC authentication.

After a few days, you should start receiving DMARC aggregate reports. Use our free software to generate DMARC records and achieve a p=reject policy.

Conclusion

Skysnag automates DMARC, SPF, and DKIM for you, saving you the trouble and time required for manual configuration. Unlock insights, bypass email authentication configuration issues including SPF and DKIM; and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Begin your DMARC journey with Skysnag, sign up using this link for a free trial and increase email deliverability.

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.

Enforce DMARC & Increase Email Deliverability

Skysnag makes the tedious work of email authentication and DMARC simple.

Start Free Trial