Key Takeaways: What is a DMARC Record?
A DMARC record is a DNS TXT record that is added to your domain. It advises the mail server what it should do with emails that do not pass an email security test.
How it works: DMARC checks if an email passes the SPF and DKIM check. If both checks are passed, the email is forwarded to your inbox. In case one of the checks fails, DMARC handles your email according to the DMARC policy (forward to inbox, mark as spam or reject). Additionally, DMARC sends an email report to the configured email address with detailed information about the email that failed the test.
The main advantages of DMARC are:
- DMARC increases the delivery rate of your emails (providers such as Gmail or Yahoo! automatically reject emails that do not pass DMARC).
- DMARC reports allow you to monitor the health of your email system, making it possible to quickly detect irregularities and identify fraudulent emails.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. Basically, it’s an email security mechanism that relies on DKIM and SPF and manages how emails that do not pass SPF or DKIM should be treated.
DMARC can easily be added to your domain as a DNS TXT record. It basically has two purposes:
- DMARC tells the server what to do with emails that fail the authentication (reject the email, forward it to the inbox or put it in quarantine).
- DMARC sends reports to the configured email address about all messages send from the domain, helping you to monitor the security of your email system and to quickly become aware of irregularities.
When does the DMARC authentication fail?
The DMARC authentication fails if the email received by your mail server does not pass the SPF or DKIM check:
- Failed SPF check:
If the domain’s SPF record states that emails should be send from “mailjerry.com”, but in reality, it’s send from “mailboxconfig.com”, the SPF check fails. - Failed DKIM check:
If the email’s DKIM signature states that the email was send by “mailboxconfig.com”, but claims to be send from “mailjerry.com”, the DKIM mismatches and the check fails.
What are the advantages of DMARC?
Combined with SPF and DKIM (which are mandatory for a DMARC to work), adding a DMARC record to your domain provides the following advantages:
✅ A DMARC increases email delivery, therefore helps to ensure that your messages are received by the recipient.
✅ DMARC helps to prevent spoofing attacks and falling victim to fraudulent emails.
✅ DMARC reduces the amount of SPAM you receive.
✅ DMARC offers a reporting system that you can use to identify and take action against attacks targeted against your business / email system.
✅ DMARC prevents being blocked by major providers (e.g. Gmail, Yahoo, MS365), that do not allow messages from domains without valid DMARC records.
How does a DMARC record look like?
A DMARC record looks like this:
_dmarc v=DMARC2; p=quarantine; rua=mailto:dmarc@mailjerry.com; pct=100
As you can see, the DMARC consists of the host name (“_dmarc”) and tag-value pairs.
Tag-value pairs allow to configure the DMAC record to your liking. E.g., with the tag-value pair “rua=mailto:dmarc@mailjerry.com”, you tell the server to send DMARC reports to the stated email address.
Required DMARC properties:
The following tag-value-pairs are required for every DMARC record:
- v= : The DMARC version you’re using (e.g. DMARC2)
- p= : The DMARC policy (none, reject, or quarantine)
Common optional DMARC properties:
Very often, your DMARC record also contains the following properties:
- pct= : The percentage of emails that should be checked.
- rua= : The email address reports should be sent to.
- sp= : The subdomain policy (none, reject, or quarantine)
How to Set up DMARC:
Prerequisites:
Before you can set up a DMARC record, you need to add a DKIM and SPF record to your domain:
- Learn here how to set up an SPF record.
- How to set up a DKIM record.
Step 01: Get your DMARC settings
The exact settings of your DMARC record usually are provided by your email provider. Therefore, log into your email provider’s customer panel and look for a section called “email settings” (sometimes referred to as “email system” or “email delivery”).
➡️ There, you can find the DMARC record that should be added to your domain.
Step 02: Add the DMARC to your domain
1. Log into your domain’s admin panel. This is where you manage your DNS records.
2. Go to the DNS settings.
3. Add a new TXT record.
4. Add the following settings to the TXT record:
| Type: | TXT |
| Host: | the DMARC host name as stated by your email provider (e.g. _dmarc) |
| Value: | the DMARC properties (e.g. v=DMARC2; p=quarantine; rua=mailto:dmarc@mailjerry.com; pct=100) |
| TTL: | 300 (or lowest possible value) |
5. Save your new TXT record and wait a few minutes.
➡️ If you’d like to check if your DMARC works properly, simply enter your domain name in a DMARC check tool of your choice.
🎉 Congratulations! You successfully added a DMARC to your domain and enhanced the security of your email system!
How Does DMARC Work?
When a new email is received by your mail server, there are several security checks that are performed before the new email is shown in your inbox:
1. After receiving an email, the mail server extracts the domain the message was sent from.
2. Next, it looks ups the SPF and DKIM settings that are published under the given domain.
3. Now, the mail server performs an SPF and DKIM check.
4. If one of the two checks fail, the email is processed according to the DMARC policy, therefore the message is rejected and not delivered to your inbox (policy: “reject”), marked as spam (policy: “quarantine”) or forwarded to your inbox (policy: “none”).
DMARC Policies:
What happens to messages that do not pass the DMARC check?
When a new email fails the DKIM or SPF check, the email is processed as stated in the DMARC policy (tag-value pair “p=…”).
DMARC policy NONE:
If your DMARC contains the policy “p=none”, the (possibly fraudulent) email will be forwarded to your inbox. If configured in the DMARC record, DMARC will send an email report to the stated email address.
DMARC policy QUARANTINE:
With the policy “p=quarantine”, the mail server is advised to put the email in question into quarantine. Usually, this means that the email is marked as spam.
DMARC policy REJECT:
The DMARC policy “p=reject” tells your mail server to reject all unqualified emails. The sender of the email will receive an error message and the email is not delivered to your inbox.
FAQ:
Frequent Questions about DMARC
Why should I use a DMARC?
Emails that are send from a domain using a valid DMARC record are much more likely to be forwarded to the recipient. Therefore, the delivery rate of your emails is significantly enhanced by using DMARC.
Furthermore, with DMARC (combined with DKIM and SPF), the security of your email system is enhanced, making it harder for cyber criminals to use your domain and to pretend to be sending emails from your domain.
➡️ DMARC helps to protect the reputation of your business, as it will be much harder for anyone to pretend to be sending emails from your domain.
Can I use DMARC without DKIM and SPF?
No. DMARC relies on SPF and DKIM. Therefore, without both, a valid SPF and DKIM record, your DMARC record won’t work.
What’s the difference between SPF, DKIM and DMARC?
All three are DNS records that enhance the security of your email system:
- DKIM allows you to digitally sign an email before sending it, helping the recipient’s server to ensure that the message comes from the domain it claims to come from.
- SPF validates the sender’s domain based on the IP address the message was sent from.
- DMARC relies on DKIM and SPF. The protocol helps to process a newly received email and manages emails that do not pass the given criteria based on the DMARC settings (quarantine, reject or allow).
Should I configure multiple DMARC records for my domain?
No. In order for your DMARC record to work properly, it’s important to only add one DMARC per domain.
What happens with emails that failed DKIM or SPF without a DMARC record?
In this case, the recipient’s mail server decides on its own what to do with those emails.
