DMARC record is a text entry within the DNS record that displays your email domain policy when checking if your SPF and/or DKIM has passed or failed.
DMARC (Domain-based Message Authentication Reporting & Conformance) is an open-source standard that uses a concept called alignment to tie the result of two other open-source standards:
- SPF (Sender Policy Framework) is an email validation protocol that helps protect email users from potential spammers.
- DKIM (DomainKeys Identified Mail) is an email validation protocol used to authenticate an email that’s being sent.
Adopting DMARC involves creating a DMARC record, publishing it, and using the generated information to gain insight and control over the way your domains are handling email. The DMARC record is essentially made up of a specified Host/Name (i.e. the record name _dmarc.mxtoolbox.com is the Host/Name for MxToolbox) and tag-value pairs. Tag-value pairs are pretty much what they sound like; you have a tag (.e.g., the policy is represented by "p=") and a value such as "none," which are paired to tell the receiving mail server what actions to take. You can see this by looking at the following example record, which contains three (3) tag-value pairs:
"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
The three (3) tags are: v, p, & rua, and the three (3) values are DMARC1, none, and mailto: dmarc@yourdomain.com. The "v" tag is the version of DMARC, the "p" tag is the policy (meaning what actions to take if the message fails DMARC), and the "rua" tag is the email address where the DMARC aggregate reports are sent.
DMARC helps legitimize your email by doing two things:
- Sends reports to the owner about the email, including information about the SPF and/or DKIM alignment.
- Informs email receivers (like Gmail and Yahoo) how to handle messages that fail to align with those protocols.
To start generating and visualizing DMARC data, you have to set up a DMARC record for each domain you want to monitor. This is a common instruction for publishing a DMARC record:
- Log in to your DNS management console.
- Navigate to the domain where you’ll be publishing a DMARC record.
Note: Most DNS management consoles will ask for:
- Hostname: This should be “_dmarc”. Note: the leading “underbar” character is required.
- Resource type: This is a txt, as DMARC records are published in the DNS as txt resources.
- Value: This is the DMARC record itself, of the form v=dmarc1; p=none; rua=...
Note: These are the most commonly used DNS providers: Cloudflare, GoDaddy, DYN, DNS Made Easy, Wix, Name.com, etc.
After you’ve published the DMARC records, DMARC data will begin to generate within a day or two in the form of reports that give you insight on how your domains are handling email.
Note: If you don’t have a DMARC record, you will still get and manage the report, but the email authentication mechanism for your domain will be unavailable.