Everything about a DMARC Record

A DMARC record lies at the center of every DMARC implementation, bearing crucial importance for the ultimate success of the implementation. In this post, we are going to take a deep dive into DMARC records.

What is a DMARC record?

A DMARC record is a TXT record published in the DNS on your domain, under dmarc.yourdomain.com, where “yourdomain.com” is your actual domain or subdomain. It tells the email receiver what to do when an email message fails DMARC authentication, and also where to send reports on email delivery statistics.

A DMARC record consists of a list of DMARC tags. Each tag is a pair of key/value separated by =.The table below shows what each tag possibly found in a DMARC record means:

v: DMARC protocol version. The default is "DMARC1";
p: Apply this policy to emails that fail the DMARC check. This policy can be set to 'none', 'quarantine', or 'reject'. 'none' is used to collect the DMARC report and gain insight into the current emailflows and their status;
rua: A list of URIs for email service providers to send aggregate reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.com';
ruf: A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.org';
sp: This policy should be applied to email from a subdomain of this domain that fail the DMARC check. Using this tag domain owners can publish a 'wildcard' policy for all subdomains;
fo: Forensic options. Allowed values: '0' to generate reports if both DKIM and SPF fail, '1' to generate reports if either DKIM or SPF fails to produce a DMARC pass result, 'd' to generate report if DKIM has failed or 's' if SPF failed;
rf: The reporting format for forensic reports;
pct: The percentage tag instructs ISPs to only apply the DMARC policy to a percentage of failing email's. 'pct = 50' will tell receivers to only apply the 'p = ' policy 50% of the time against email's that fail the DMARC check. NOTE: this will not work for the 'none' policy, but only for 'quarantine' or 'reject' policies;
adkim: Specifies the 'Alignment Mode' for DKIM signatures, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated DKIM signing domains (d=) that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required;
aspf: Specifies the 'Alignment Mode' for SPF, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated SPF domains that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required;
ri: The reporting interval for how often you'd like to receive aggregate XML reports. This is a preference and ISPs could (and most likely will) send the report on different intervals (normally this will be daily).

DMARC record VS DMARC policy

A DMARC policy is an important part of a DMARC record: it's the value of the p= tag in the record. It specifies how an ESP (Email Service Provider) like Gmail should handle an incoming email message if it fails DMARC authentication. There are 3 options: none (monitor), quarantine, and reject, with each one representing a different level of protection against spoofing.

DMARC record examples

Here are a few DMARC record examples:

v=DMARC1; p=none; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to monitoring mode (p=none), which allows you to monitor email delivery, without sending failed emails to spam or rejecting them; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
v=DMARC1; p=quarantine; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to quarantine mode (p=quarantine), which allows you to monitor email delivery, and sends emails that fail DMARC authentication to spam; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
v=DMARC1; p=reject; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to reject mode (p=reject), which allows you to monitor email delivery, and rejects emails that fail DMARC authentication; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com. This DMARC record offers complete email protection against spoofing.

How is a DMARC record used?

There are 2 aspects when a DMARC record is put to use: publishing and checking. The publishing part happens on the domain owner side, while the checking part happens on the ESP side.

At implementation time, the domain owner publishes a DMARC record to the DNS, with DMARC tags appropriately set up. Each time the ESP receives an email, it looks up the DNS for the DMARC record, if any, and enforces the policy per the DMARC authentication result.

Together, the domain owner and ESP work towards an ultimate reject DMARC policy, where any email that fails DMARC authentication is rejected.

How to generate a DMARC record?

There are 2 ways to generate a DMARC record: manually and using a DMARC record generator.

If you are generating a DMARC record manually, you can use any text editor to create the record. 3 tags are essential: v, p, and rua. The v tag must be DMARC1. Depending on the phase of your DMARC implementation, p can be none, quarantine, or reject. Finally you can specify the mailbox of your choice using rua.

Using a tool like DMARC record generator, it's easier and less error-prone. Enter the settings like policy, aggregate email address, etc. and click the Generate DMARC Record button, like this:

A DMARC record will be generated instantly. If you make changes to the settings, make sure to generate the DMARC record again, so that it can be updated.

How to publish a DMARC record?

After a DMARC record is generated, you need to publish it to the DNS, so that the ESP can pick the DMARC record up and enforce it.

To do so, log in to your DNS management console, choose the domain you need to publish the DMARC record on, e.g., mydomain.com.

Create a TXT entry on mydomain.com with these settings:

Type: TXT
Host: _dmarc
TXT Value: (DMARC record generated above)
TTL: 1 hour

For example, here is what it looks like in GoDaddy's DNS management console:

If you are using CloudFlare, here is what it looks like:

How to check a DMARC record?

After published, it takes up to 1 hour for the DMARC record to become accessible (usually much faster though). You can then use our DMARC checker to confirm that you have published the DMARC record successfully: DMARC Checker.

Use modern DMARC software to automate DMARC report analysis

A few days into the deployment, you should be receiving DMARC aggregate reports in your mailbox. At this point, it's time to parse and analyze the reports to check if your email flow is set up correctly or not. It's recommended that you use modern DMARC software like DMARCLY to automate the steps required for DMARC report analysis: setting up mailbox, downloading reports, parsing and rendering reports. Here is an example screenshot of rendered DMARC chart: