The Skysnag Blog

What is a DMARC Record?

October 11, 2023

A DMARC record is a DNS TXT record that allows you to control how your email is handled if it fails DMARC authentication. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

DMARC Record Syntax

A DMARC record has the following syntax:

_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:customer@for.example.com; ruf=mailto:customer@for.example.com; fo=1; aspf=r; adkim=r; rf=afrf; ri=86400; sp=quarantine"

The record above is read as follows:

v: Version. Indicates the protocol version.
p: Policy. Specifies the action you want mailbox providers to take with your email that fails authentication.
pct: Percentage. Specifies the percentage of email messages that are filtered.
rua: Report Email Address. Specifies where reporting organizations should submit their DMARC aggregate
ruf: Report Email Address. Designed for reporting URI(s) for message-specific forensic information.
fo: Forensic Reporting Option. All additional information is included in the DMARC forensic reports.
adkim: ADKIM Tag. Allows you to choose DKIM’s alignment mode: Relaxed “r” or Strict “s”.
aspf: ASPF Tag. SPF record authentication check. By analogy with adkim, it can be Relaxed “r” or Strict “s”. The default is Relaxed “r”.
rf: Report Format. Specifies the forensic reporting format(s).
ri: Report Interval. DMARC feedback is provided for the given criteria and corresponds to the aggregate reporting interval.
sp: Sub-domain policy. Allows you to specify the DMARC policy for all subdomains: report, quarantine, or reject emails that fail authentication checks.

Creating a DMARC Record

To create a DMARC record, create a TXT record in DNS for your domain with the following syntax:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc_reports@example.com"

Replace example.com with your domain name and dmarc_reports@example.com with the email address where you want to receive DMARC reports.

Once you have created your DMARC record, you can test it using our tool.

You can also include the following optional tags in your DMARC record:

  1. sp=quarantine: if DMARC authentication fails, the email should be quarantined
  2. pct=10: 10% of emails that fail DMARC authentication should be rejected/quarantined
  3. fo=1: generate DMARC reports even if the email passes SPF and/or DKIM authentication

How to read DMARC Records

To read DMARC records, you need to use a tool that can query DNS records. For example, you can use the “dig” command-line tool on Linux or the “nslookup” command-line tool on Windows.

To query DMARC records using the “dig” tool, you need to use the following command:

dig txt _dmarc.example.com

To query DMARC records using the “nslookup” tool, you need to use the following command:

nslookup -type=TXT _dmarc.example.com

Once you have queried the DNS records, you will be able to see the DMARC records for the domain.
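
To interpret the TXT value that dig or nslookup returns, the following added example (not Skysnag's own code) parses a record into its tags, fills in the RFC 7489 defaults for omitted tags, and lists syntax problems. The function name parse_dmarc and the BAD record are constructed for illustration.

```python
# Added example: parse and sanity-check one DMARC TXT value (tags as in RFC 7489).
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100", "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}

# Record from the "Creating a DMARC Record" section, quoted the way dig prints it.
GOOD = '"v=DMARC1; p=reject; rua=mailto:dmarc_reports@example.com"'
# Constructed broken record: ':' instead of ';' after the version, bad pct and adkim.
BAD = '"v=DMARC1: p=none; pct=150; adkim=x"'


def parse_dmarc(txt):
    """Return (effective_tags, problems) for one DMARC TXT record value."""
    tags, problems = {}, []
    # dig prints long TXT data as several quoted strings; join them, drop the quotes.
    for part in txt.replace('" "', "").strip().strip('"').split(";"):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not part.strip():
            continue  # a trailing ';' is allowed
        if not (sep and name and value):
            problems.append(f"malformed tag: {part.strip()!r}")
        elif name.lower() in tags:
            problems.append(f"duplicate tag: {name.lower()}")
        else:
            tags[name.lower()] = value
    # Receivers ignore a record whose first tag is not exactly v=DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing p tag")
    for name in ("p", "sp"):
        if name in tags and tags[name].lower() not in POLICIES:
            problems.append(f"invalid {name}: {tags[name]}")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            problems.append(f"invalid {name}: {tags[name]}")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append(f"invalid pct: {pct}")
    effective = {**DEFAULTS, **tags}
    effective.setdefault("sp", tags.get("p"))  # subdomains inherit p when sp is absent
    return effective, problems


if __name__ == "__main__":
    for record in (GOOD, BAD):
        tags, problems = parse_dmarc(record)
        print(record, "->", problems or "OK", "| subdomain policy:", tags["sp"])
```

A single mistyped separator after the version tag makes the whole record unusable, because the policy tag is swallowed into the version value and never parsed.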

DMARC policy versus DMARC record

DMARC policy is configured in DNS and is authorized to send emails on behalf of your domain, while a DMARC record defines what to do with messages that fail DMARC evaluation and is configured in a message header.

How is a DMARC record used?

The DMARC record lives in DNS and is used to indicate that DMARC is configured for a domain. When a message arrives, the recipient will look up the DMARC record to see if the sender has indicated that they are using DMARC.

What happens when DMARC fails?

If DMARC fails on a message, it means that the message did not pass DMARC authentication. The message may be rejected, quarantined, or delivered to the inbox, depending on the DMARC policy that is configured.

How do I set up DMARC?

DMARC can be configured using DNS. You will need to add a DMARC record to your DNS zone file. The DMARC record will tell receivers what to do with messages that fail DMARC authentication.

After a few days, you should start receiving DMARC aggregate reports.

Create a Skysnag account to generate your DMARC record and achieve a p=reject policy.

Conclusion

Skysnag automates DMARC, SPF, and DKIM for you, saving you the trouble and time required for manual configuration. Unlock insights, bypass email authentication configuration issues including SPF and DKIM, and protect your domain from spoofing with strict DMARC enforcement, all autonomously with Skysnag. Begin your DMARC journey with Skysnag by signing up for a free trial to increase email deliverability.
