Description


DMARC (Domain-based Message Authentication, Reporting & Conformance) defines how an incoming email should be handled depending on the results of the SPF check and the DKIM validation as well as other alignments of addresses and domains.


A DMARC validation checks if an incoming email corresponds to what the recipient knows about the sender. If the DNS zone of the sender's domain contains a DMARC record, the DMARC validation follows the SPF record check and the DKIM validation.

Requirements



The Process

Setting a DMARC Record: 
A DMARC record is required to perform DMARC validations (see DMARC Validation) on emails from a domain. You can set a DMARC record for your domain.

1. Create a TXT record with the following name in the DNS zone of your domain. Replace <domain.tld> with your domain.

_dmarc.<domain.tld>


2. Define the DMARC policy according to the following sample pattern in the TXT record. Replace <username@domain.tld> with an email address.

v=DMARC1;p=quarantine;pct=100;rua=mailto:<username@domain.tld>


Tags in DMARC Records: 

DMARC records are made up of tags. The tags of a DMARC record contain specifications for DMARC validations of emails sent from the domain to recipients outside the domain.

The following table provides an overview and explanation of the tags that can be used in DMARC entries. All tags but v and p are optional.

| Tag | Explanation | Possible values |
| --- | --- | --- |
| v | This tag determines which DMARC protocol version is used. | v=DMARC1. Notice: The only possible value for this tag is v=DMARC1. |
| p | This tag determines how to handle an email from the domain in case its DMARC validation fails. | p=quarantine: The email is stored in quarantine. p=reject: The email is rejected. p=none: No measures are taken for the email. Notice: We recommend the value p=quarantine. |
| pct | This tag determines the percentage of emails for which DMARC validations are performed. Possible values for this tag are numbers from 1 to 100. | pct=100. Notice: We recommend the value pct=100 so that DMARC validations are performed on all emails from the domain. |
| rua | This tag determines the email address to which daily aggregate reports about failed DMARC validations are sent. | rua=mailto:<username@domain.com>. <username@domain.com> should be replaced with the email address to which the aggregate reports are to be sent. |
| ruf | This tag determines the email address to which forensic reports about single emails for which the DMARC validation has failed are sent. | ruf=mailto:<username@domain.com>. <username@domain.com> should be replaced with the email address to which the forensic reports should be sent. |
| sp | This tag determines how to handle an email from a subdomain of the domain if the DMARC validation for the email fails. | sp=quarantine: The email is stored in quarantine. sp=reject: The email is rejected. sp=none: No measures are taken for the email. |
| adkim | This tag determines the alignment mode for DKIM signatures. The alignment mode determines the degree of accuracy with which an email must match the DKIM signature in order to be accepted. | adkim=r: The alignment mode is relaxed. A partial match is enough. adkim=s: The alignment mode is strict. An exact match is required. |
| aspf | This tag determines the alignment mode for the domains in the header from and the envelope from of an email. The alignment mode determines the degree of accuracy with which both domains must match in order for the email to be accepted. | aspf=r: The alignment mode is relaxed. A partial match is enough. aspf=s: The alignment mode is strict. An exact match is required. |
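
The following Python code is an added example, not part of the original page or of any vendor tooling. It checks a DMARC TXT value against the tag rules listed above before the record is published. The function names and the address reports@example.com are assumptions, and the rule that v must be the first tag comes from RFC 7489 rather than from this page.

```python
import re

# Allowed values, as listed in the tag table on this page.
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}
MAILTO = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
SAMPLE = "v=DMARC1;p=quarantine;pct=100;rua=mailto:reports@example.com"  # constructed

def parse_dmarc(record):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (errors, warnings) for a DMARC record, using the rules on this page."""
    errors, warnings = [], []
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)], []
    tags = dict(pairs)
    if len(tags) != len(pairs):
        errors.append("duplicate tag")
    if not pairs or pairs[0] != ("v", "DMARC1"):  # RFC 7489: v comes first
        errors.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        errors.append("p is required: none, quarantine or reject")
    elif tags["p"] == "none":
        warnings.append("p=none takes no measures on failing mail")
    for tag, allowed in (("sp", POLICIES), ("adkim", ALIGNMENT), ("aspf", ALIGNMENT)):
        if tag in tags and tags[tag] not in allowed:
            errors.append(f"{tag} must be one of {sorted(allowed)}")
    pct = tags.get("pct", "100")  # RFC 7489 default when pct is absent
    if not pct.isdecimal() or not 1 <= int(pct) <= 100:
        errors.append("pct must be a number from 1 to 100")
    elif int(pct) < 100:
        warnings.append(f"pct={pct}: not all emails are validated")
    for tag in ("rua", "ruf"):
        for uri in tags[tag].split(",") if tag in tags else ():
            if not MAILTO.match(uri.strip()):
                errors.append(f"{tag} needs a mailto: address, got {uri!r}")
    return errors, warnings

if __name__ == "__main__":
    print(lint_dmarc(SAMPLE))
```

Errors mark a record that does not follow the tag rules; warnings mark settings that are valid but weaker than the values recommended on this page.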