What is DMARC and how do I use it?

DMARC is a protocol used to detect fraudulent messages being sent from your domain name and prevent them being delivered to recipients inboxes.

What is DMARC?

  • DMARC, stands for "Domain-based Message Authentication, Reporting & Conformance"
  • Its purpose is to detect phishing, spoofed or fraudulent emails being sent from your domain and prevent them from being delivered.
  • It also provides the functionality for email providers to report back to you about messages that pass or fail your authentication policies.

What are the requirements to use DMARC?

  • You must be sending the emails from your own domain name(s).
  • Your envelope email address, header email address and DKIM signing domain name should be the same (‘aligned’).
  • You must have an SPF record setup on your domain name and it must be correctly configured for use with our network and all other possible sources of email for your domain name.
  • You must have DKIM signing setup and enabled for all your emails.

How do I use DMARC?

The core element of DMARC is your DMARC policy which has to be published in the DNS records of your domain name.

What is a DMARC policy?

Generally speaking, a DMARC policy is a set of instructions that tells inbound email providers how to handle the authentication of messages sent from your domain name and what to do if a message fails the authentication checks.

Technical speaking, a DMARC policy is a DNS TXT record published on the '_dmarc.your-domain-name.com' sub domain name and consists of a number of different elements.

A DMARC policy typically looks something like this:

"v=DMARC1; p=none; sp=quarantine; pct=100; rua=mailto:dmarcreports@your-domain-name.com"
ElementValueExplanation
v=DMARC1The version of the DMARC protocol to use.
p=noneThe policy to apply to messages that fail sender verification.

In this case, the policy is set to 'none' so the email provider will fall back to their own default policies based on the results of the SPF and DKIM check.
sp=quarantineThe policy to apply to messages sent from a sub domain name that fail sender verification.

In this case, the policy is set to 'quarantine' so messages sent from a sub domain name that fail sender verification must be quarantined (i.e. filtered to the spam folder).
pct=100The percentage of emails that fail sender verification on which to apply the policy.

In this case it is set to '100' so all emails that fail sender verification should have the declared policy applied to them.
rua=mailto:dmarcreports@your-domain-name.comThe email address to send aggregated reports to explaining how many messages failed or passed sender verification and why.
ElementRequired?ValueExplanation
v=YesDMARC1The version of the DMARC protocol to use, there are currently no other options.
p=YesThe policy to apply to messages that fail sender verification (SPF / DKIM)
noneThis indicates to the inbound email provider that they should just default to their own policies.

Normally used for testing or reporting only
quarantineThis indicates to the inbound email provider that they should quarantine any messages that fail sender verification (SPF / DKIM).

To 'quarantine', typically means to move the message to the spam / junk folder.
rejectThis indicates to the inbound email provider that they should outright reject any messages that fail sender verification (SPF / DKIM).

This will generally result in a non-delivery report being sent back to the sender.
sp=OptionalThis is the same as the 'p=' element but it is the policy to apply to messages sent from sub domain names.

For example - the 'p=' policy would apply to messages sent from 'test@your-domain-name.com', the 'sp=' policy would apply to messages sent from 'test@secure.your-domain-name.com'
noneThis indicates to the inbound email provider that they should just default to their own policies.

Normally used for testing or reporting only.
quarantineThis indicates to the inbound email provider that they should quarantine any messages that fail sender verification (SPF / DKIM).

To 'quarantine', typically means to move the message to the spam / junk folder.
rejectThis indicates to the inbound email provider that they should outright reject any messages that fail sender verification (SPF / DKIM).

This will generally result in a non-delivery report being sent back to the sender.
pct=OptionalInteger between 1 and 100This is a number between 0 and 100 and indicates to the inbound email provider what percentage of your messages (that fail sender verification) to apply your policies to.

Normally this would be set to 100 so that your policies are applied to all emails sent from your domain name.

If you are just starting with DMARC you can set this to a lower number to limit the damage of any misconfigurations with your SPF / DKIM records.
rua=mailto:OptionalAny valid email addressThis is the address that aggregated feedback reports are sent to showing stats of how many messages have passed and failed sender verification.
ruf=mailto:OptionalAny valid email addressThis is the address that specific message failure reports are sent to detailing why a message did not pass sender verification.

What DMARC policy should I use?

It is difficult for us to answer this question for you, it depends on how complex your email configuration is and how confident you are that your SPF and DKIM records are configured correctly.

If you confident that your SPF and DKIM records are configured correctly for all your mail sources we would recommend the following record which is strict and fully enforces your SPF / DKIM records but you will be notified of any failures:

"v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarcreports@your-domain-name.com; ruf=dmarcreports@your-domain-name.com"

If you are unsure, we would recommend the following record which will not affect any of your email delivery (unless the providers default policies override), it will only report on failures:

"v=DMARC1; p=none; sp=none; pct=100; rua=mailto:dmarcreports@your-domain-name.com; ruf=dmarcreports@your-domain-name.com"

How do I setup my DMARC policy?

You will need to publish your DMARC policy as a TXT type record on the sub domain '_dmarc' in your domain names DNS records.

_dmarc.your-domain-name.com IN TXT "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarcreports@your-domain-name.com; ruf=dmarcreports@your-domain-name.com"

If you are unsure how edit your domain names DNS records, please contact your IT department or domain name provider.

How can I test my DMARC / SPF / DKIM configuration?

  • SPF
    • Our control panel will show your current SPF record and whether it is configured correctly for use with our network but it will not advise you on other potential issues or if it covers all of your email sources.
  • DKIM
    • DKIM is setup per outbound email provider, you can view and edit the DKIM configuration for messages sent via our network in the control panel.
    • It is not possible for us to advise you on the DKIM configuration for messages sent via other networks.
  • DMARC
    • You can test if the DNS record is setup correctly by using a DNS tool to lookup the 'TXT' records on '_dmarc.your-domain-name.com'.
    • If your DMARC record is configured correctly you should begin receiving aggregated DMARC reports within a couple of weeks hours.

Where can I get more information on DMARC?

We would recommend that you visit the official DMARC website or see the DMARC RFC 7489.