Overview
Note: Yahoo and Gmail now require DMARC authentication in order to accept your email and deliver it to their customers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects email domain owners against email spoofing and other unauthorized use of their domain.
When you configure a DMARC record, inbox providers can decide how to handle emails sent from your domain that fail SPF and DKIM checks. DMARC also includes a reporting feature for domain owners to track how often recipient servers worldwide receive emails from their domain and the percentage that are properly authenticated.
Why we need DMARC
- Consider DMARC not as a standalone authentication protocol but as a framework for managing SPF and DKIM failures and notifying domain owners about these failures.
- DMARC enables domain owners to specify the actions to be taken if SPF and DKIM checks fail. It's important to note that neither SPF nor DKIM provides this functionality on its own. Therefore, in the absence of DMARC, senders have limited control over the handling of failing messages, including whether they are bounced, routed to a spam folder, or managed in an alternative manner.
- Without DMARC, a sender does not receive feedback about SPF and DKIM failures. Thus, senders have little opportunity to address or even comprehend their domain's delivery patterns, often referred to as reputation monitoring.
- SPF and DKIM operate independently, and neither provides comprehensive protection against spoofing alone. DMARC tackles these issues by expanding on SPF and DKIM. SPF and DKIM handle the Domain-based Message Authentication part of DMARC.
- DMARC introduces the Reporting and Conformance element independently. Like SPF and DKIM, DMARC is implemented using a TXT DNS record. This record enables receiving email servers to retrieve failure processing instructions from domain owners.
Setting up DMARC
Adding a DMARC record enables inbox providers to verify how to handle emails from your domain that fail SPF and DKIM checks and provides reporting tools for authentication analysis.
Here is a minimum recommended policy with no reporting:
v=DMARC1; p=none;
You can simply copy the above code and paste it into the corresponding fields in your DNS provider.
The fields below should be filled out as indicated:
- Type: Select TXT.
- Name: _dmarc
- Value: Add the values based on your Policy Values. For example: v=DMARC1; p=none;
- TTL: Leave it as Default.
You can follow the steps given below to configure DMARC:
- Have the text file or line that represents your policy record ready.
- Sign in to the management console for your domain host.
- Navigate to the page where you update DNS records.
- Add a DNS TXT record, or modify an existing record by entering your record in the TXT record for _dmarc:
  - TXT record name: In the first field, under the DNS Host name, enter: _dmarc.solarmora.com
    Note: Some domain hosts automatically add the domain name after _dmarc. After you add the TXT record, you can verify the DMARC TXT record name to make sure it's formatted correctly.
  - TXT record value: In the second field, enter the text for your DMARC record, for example: v=DMARC1; p=none; rua=mailto:dmarc-reports@solarmora.com
  The field names might be different for your provider. DNS TXT record field names can vary slightly from provider to provider. The domain used here is an example domain. Replace solarmora.com with your own domain.
- Save your changes.
Here is an example of how it is done in Godaddy:
DMARC Policy Values
To establish a DMARC policy, it is recommended to add a TXT record in your DNS provider settings with a value that includes the following semicolon-separated properties:
Policy Tag
DMARC policies dictate how receiving email servers handle SPF and DKIM failures.
Policy Tag Name | Purpose | Sample
--- | --- | ---
p | Can be set to one of three values: none, quarantine, or reject. | p=quarantine
Report-Related Tags
Failure reports are directed based on rua= and ruf= settings.
Policy Tag Name | Purpose | Sample
--- | --- | ---
rua | Sends aggregate reports daily without detailed failure info. | mailto:dmarc_agg@vali.email
ruf | Sends forensic reports instantly with detailed failure info, requiring a domain-specific email address. | mailto:dmarc_agg@vali.email
fo | Specifies the failure reporting type. | 0
ri | Determines how often domain owners receive aggregate reports, defaulting to 24 hours (86400 seconds). | 86400
Alignment Tag
Alignment decides how strictly DKIM and SPF values are judged to pass a check.
Policy Tag Name | Purpose | Sample
--- | --- | ---
adkim | Alignment mode for DKIM | adkim=s
aspf | Alignment mode for SPF | aspf=r
Subdomain Tag
To set different policies for subdomains, domain owners can utilize the "sp" tag.
Policy Tag Name | Purpose | Sample
--- | --- | ---
sp | Policy for subdomains of the organizational domain (OD) | sp=reject
Percentage Tag
The "pct" tag determines the percentage of emails subject to your DMARC policy.
Policy Tag Name | Purpose | Sample
--- | --- | ---
pct | Percentage of messages subjected to filtering | pct=20
Here are a few DMARC record examples:
- v=DMARC1; p=none; rua=mailto:dmarctest@sensehq.com;
  - This DMARC record sets the policy to monitoring mode (p=none), enabling you to observe email authentication status without sending failed emails to spam or rejecting them.
  - It also sends aggregate reports to dmarctest@sensehq.com.
- v=DMARC1; p=quarantine; rua=mailto:dmarctest@sensehq.com;
  - This DMARC record sets the policy to quarantine mode (p=quarantine), enabling you to monitor email authentication status. It directs emails that fail DMARC authentication to the spam folder.
  - It also sends aggregate reports to dmarctest@sensehq.com.
- v=DMARC1; p=reject; rua=mailto:dmarctest@sensehq.com;
  - This DMARC record sets the policy to reject mode (p=reject), enabling you to monitor email authentication status. It automatically rejects emails that fail DMARC authentication.
  - It also sends aggregate reports to dmarctest@sensehq.com.
  - This DMARC record offers complete email protection against spoofing.
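To show how a receiver reads the tags from the tables above and the records in these examples, here is a small Python parser written for this article (not code from the original page): it splits a record into tags, fills in the defaults, applies adkim/aspf alignment and the p/sp choice, and returns the disposition. The organizational-domain helper is an assumption that takes the last two labels; real receivers use the Public Suffix List.

```python
"""Parse a DMARC TXT record and work out the disposition a receiver applies."""

VALID_P = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split the semicolon-separated record into tags, validate the core
    ones and fill in the defaults a receiver assumes when a tag is absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_P:
        raise ValueError("p must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])      # sp falls back to p
    if tags["sp"] not in VALID_P:
        raise ValueError("sp must be none, quarantine or reject")
    tags.setdefault("adkim", "r")         # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")         # apply policy to all messages
    tags.setdefault("ri", "86400")        # aggregate reports daily
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels.
    Real receivers consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict (s) needs an exact match with the From domain; relaxed (r)
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """'pass' if an aligned SPF or DKIM result exists; otherwise the p action
    (or sp when the From domain is a subdomain) the receiver should apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]
```

The pct sampling and report delivery are not modelled; a receiver would apply the returned action to only pct percent of failing messages.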