What is a DMARC record?
- Published : March 25, 2024
- Last Updated : June 19, 2025
Email authentication mechanisms like SPF and DKIM are in place to protect the emails you send. They ensure both the sender's identity and the email's contents are guarded. But the job doesn't end with just implementing them.
The next step in truly protecting your emails is to define what happens if the authentication fails. For that, senders should have a reliable way to receive feedback on how the authentication policies are performing.
Imagine trying to manually coordinate this between the sender and the receiver. This would be messy and, in some cases, impractical. This is where DMARC comes in.
What is DMARC?
Domain-based Message Authentication Reporting and Conformance (DMARC) is a protocol that builds on top of SPF and DKIM. It does two main things:
- Tells the receiver what actions to take if the email fails the SPF and DKIM checks.
- Provides feedback about the authentication performance and any issues that need fixing.
DMARC is designed to protect against phishing and spoofing attacks. It does this by ensuring that the FROM address matches the domain that has been SPF- and DKIM-authenticated. This process is called domain alignment.
If the alignment fails, the receiving server will follow the instructions specified in the DMARC policy.
How does DMARC work?
To understand DMARC, you need to be familiar with three core concepts. They are:
- SPF
- DKIM
- Identifier alignment
SPF
SPF lists all of the allowed IPs, domains, and servers eligible to send emails on your behalf. It is similar to a guest list at an event. As a domain owner, you should publish the SPF record in your DNS.
When you send an email, the receiving server checks the return-path domain (obtained from the email's header) and verifies it against the published SPF record. If the domain values match, it is an SPF pass. If they don't, it's a fail.
DKIM
While SPF authenticates the sender, DKIM ensures that the email's content hasn't been tampered with. It does this with the help of a digital signature. Here's how it works:
- The sender converts the email's contents into a hash value (the DKIM signature). The signature is then encrypted using the sender's private key. This encrypted value is sent along with the email.
- The sender then publishes a public key in their domain's DNS.
- The receiving server obtains the public key from the domain mentioned in the "d=" tag of the DKIM signature. It recreates the hash value using the data available in the DKIM signature and encrypts it.
- Next, it decrypts the hash value sent along with the message.
- The receiver's encrypted value and the decrypted sender's value are compared. If they match, it’s a DKIM pass.
Identifier alignment
SPF and DKIM authenticate different parts of an email.
- SPF checks the return-path domain.
- DKIM verifies if the email content is intact. This is done by obtaining the public key from the domain mentioned in the signature.
The domains that SPF and DKIM validate are called authenticated identifiers. DMARC verifies if the authenticated identifier matches the return path or the MAIL FROM domain. The match is determined based on two modes:
- Strict - Domains must match exactly.
- Relaxed - A subdomain match is also acceptable.
The identifier alignment is verified for both SPF and DKIM.
SPF identifier alignment
SPF alignment checks if the return-path domain matches with the domain in the FROM address.
DKIM alignment
DKIM alignment verifies if the domain in the "d=" tag and the MAIL FROM domain match.
SPF, DKIM and identifier alignment determine the DMARC policy's execution.
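The strict and relaxed modes above can be written down as a small check. The following is an added example in Python (not code from the article); it evaluates both SPF and DKIM alignment against the domain in the From: address, which is the identifier RFC 7489 aligns against. The organizational-domain helper is a labelled simplification (it takes the last two labels), whereas real validators consult the Public Suffix List; the addresses and domains used are constructed.

```python
"""Identifier alignment for DMARC, in strict and relaxed modes.

Added example, not code from the article.  Assumption: the organizational
domain is approximated as the last two labels of a name.  Real validators
consult the Public Suffix List, so a name like "example.co.uk" would be
handled incorrectly by this simplification.
"""


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Return True if the authenticated identifier aligns with the From: domain.

    mode "s" (strict): the two domains must match exactly.
    mode "r" (relaxed): their organizational domains must match, so a
    subdomain of the same organizational domain also aligns.
    """
    auth = authenticated_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    if mode == "r":
        return organizational_domain(auth) == organizational_domain(frm)
    raise ValueError(f"unknown alignment mode: {mode!r}")


def domain_of(address: str) -> str:
    """Domain part of an address such as 'alice@example.com'."""
    return address.rsplit("@", 1)[-1]


def spf_aligned(return_path: str, header_from: str, aspf: str = "r") -> bool:
    """SPF alignment: Return-Path (MAIL FROM) domain against the From: domain."""
    return is_aligned(domain_of(return_path), domain_of(header_from), aspf)


def dkim_aligned(dkim_d_tag: str, header_from: str, adkim: str = "r") -> bool:
    """DKIM alignment: d= domain of a verified signature against the From: domain."""
    return is_aligned(dkim_d_tag, domain_of(header_from), adkim)


if __name__ == "__main__":
    # Constructed sample values, not taken from real mail.
    print(spf_aligned("bounce@mail.example.com", "alice@example.com"))       # True: relaxed allows a subdomain
    print(spf_aligned("bounce@mail.example.com", "alice@example.com", "s"))  # False: strict needs an exact match
    print(dkim_aligned("example.com", "alice@example.com", "s"))             # True
    print(dkim_aligned("example.net", "alice@example.com"))                  # False: different organizational domain
```

The aspf and adkim parameters correspond to the record tags of the same names; with both left at the default "r", mail bounced from a subdomain such as mail.example.com still aligns with a From: address at example.com.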
What does a DMARC record look like?
The DMARC policy is published as a TXT record in the DNS under the subdomain "_dmarc". For example, "_dmarc.example.com".
Here is an example DMARC record:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@domain.com;
Let's break down the record:
v=DMARC1
This tag mentions the version of the record. This is a mandatory tag.
p=reject
The mandatory p tag mentions the policy for emails that fail authentication. There are three values that the p tag takes:
None: The email is accepted, but no action will be taken by the receiving server.
Quarantine: The email will be marked as suspicious. The email will still be accepted into the receiving server. But it will either be sent to the spam folder or a quarantine mailbox for the admin's perusal.
Reject: The email is rejected.
pct=100 (optional)
pct refers to the percentage of emails to be affected by the DMARC policy and can take a value between 0 and 100. This allows a gradual rollout of the DMARC policy. In the example given, pct is set to 100, which means that the DMARC policy is applied to all the emails.
rua=mailto:dmarc-reports@domain.com
The rua tag is the address where the DMARC aggregate reports should be sent. These reports contain the authentication status of the domains. These are not real-time results and are sent daily. This tag is optional, but it is advisable to have one to determine how well the authentication is implemented.
Email authentication flow in DMARC
Once the SPF, DKIM, and DMARC values are published by the sender, the check occurs in the following manner:
- The sender drafts an email and sends it.
- The DKIM module signs the email.
- The Mail Transfer Agent (MTA) delivers it to the recipient server.
- The receiving server validates SPF by checking the return-path and DKIM by checking the signature.
- The DMARC module checks the alignment of the identifiers and applies the policy.
- Depending on the policy, the email will either be accepted, quarantined, or rejected.
- The recipient server sends the report to the sender.
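The record breakdown and the evaluation flow above can be seen together in one piece of Python, added here as an example (not code from the article or from any mail server). It parses the tags, including the optional ones (adkim, aspf, sp, fo, rf, ri) with their RFC 7489 defaults, validates the mandatory v= and p= tags and the pct= range, and then computes the disposition for one message. One caveat worth keeping in mind: under RFC 7489 a message passes DMARC when either SPF or DKIM returns a pass that aligns with the From: domain, so the policy is only applied when neither mechanism does. The record strings and message values are constructed.

```python
"""Parse a DMARC TXT record and compute the disposition for one message.

Added example, not code from the article.  It follows RFC 7489: a message
passes DMARC when at least one of SPF or DKIM produces a 'pass' AND the
authenticated domain aligns with the From: domain; otherwise the p= policy
(or sp= for a subdomain) applies, sampled by pct=.  All record strings and
message values below are constructed.
"""
import random
from typing import Optional

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, validate it and fill in defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in many records
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not txt.lstrip().startswith("v=DMARC1") or tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is mandatory and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    record = {**DEFAULTS, **tags}
    record["pct"] = int(record["pct"])
    if not 0 <= record["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    record["ri"] = int(record["ri"])
    for uri_tag in ("rua", "ruf"):
        uris = [u.strip() for u in record.get(uri_tag, "").split(",") if u.strip()]
        if uri_tag in record and not all(u.startswith("mailto:") for u in uris):
            raise ValueError(f"{uri_tag}= must list mailto: URIs")
    return record


def dmarc_disposition(record: dict, spf_pass_aligned: bool, dkim_pass_aligned: bool,
                      from_is_subdomain: bool = False, sample: Optional[float] = None) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_pass_aligned / dkim_pass_aligned: the mechanism returned 'pass' and its
    authenticated domain aligned with the From: domain (either one suffices).
    from_is_subdomain: the From: domain is a subdomain of the record's domain,
    so sp= applies when present.
    sample: a value in [0, 1) used for pct= sampling; drawn randomly if None.
    """
    if spf_pass_aligned or dkim_pass_aligned:
        return "pass"
    policy = record["sp"] if from_is_subdomain and "sp" in record else record["p"]
    if sample is None:
        sample = random.random()
    # Messages outside the pct= sample get the next less severe policy
    # (RFC 7489 section 6.6.4): reject -> quarantine, quarantine -> none.
    if sample * 100 >= record["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com;")
    print(rec["p"], rec["pct"], rec["adkim"], rec["ri"])                              # reject 100 r 86400
    print(dmarc_disposition(rec, spf_pass_aligned=False, dkim_pass_aligned=True))     # pass
    print(dmarc_disposition(rec, False, False, sample=0.5))                           # reject
    rollout = parse_dmarc_record("v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc-reports@example.com")
    print(dmarc_disposition(rollout, False, False, sample=0.50))                      # none: outside the 5% sample
    print(dmarc_disposition(rollout, False, False, sample=0.01))                      # quarantine: inside the sample
```

The sample argument exists so that the pct= behaviour is reproducible: with pct=5, only messages whose draw falls below 0.05 receive the quarantine policy, and the rest are treated as p=none, which is exactly what makes a staged rollout safe for deliverability.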
How to implement DMARC
Follow these steps to implement the policy.
- Set up SPF and DKIM for your domain.
- Choose an email address to receive the DMARC feedback reports. This will help identify the issues with your authentication methods and resolve them.
- Generate the DMARC record.
- Publish the record to your DNS.
Set up SPF and DKIM
SPF and DKIM alignment is necessary to implement DMARC. DMARC fails if SPF or DKIM fails, so it's important to configure both.
For SPF: Check if the FROM address and return-path domains match.
For DKIM: Verify if the FROM address and the "d=" tag domains match.
Choose an email address to receive emails
Choose a dedicated mailbox just for your reports. DMARC reports come in XML format and are sent daily. Online tools like Dmarcian can make the reports more readable.
Generate DMARC
Use an online DMARC record generator to generate your DMARC record.
Publish the record to DNS
To publish the DMARC record, add the following values in your DNS provider's settings:
- Type: TXT
- Name: _dmarc.yourdomain.com
- Value: generated dmarc value. Ex: v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@domain.com;
DMARC rollout
As you start implementing DMARC, you can ease into it by rolling it out in phases. This gives you visibility on which servers are sending emails, whether they pass SPF checks, and where issues are creeping in. By gradually applying DMARC policy to your emails, you can adapt your emails to it without compromising on their deliverability.
DMARC rollout can be carried out using the p and pct tags.
- Start with p=none.
You will get feedback about your emails without rejecting them. This helps you monitor your emails without causing delivery issues.
Ex. v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- Next, set p=quarantine with a lower percentage, like pct=5.
Emails that fail DMARC will be quarantined.
Ex. v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarc-reports@domain.com;
Small organizations can choose to quarantine a larger portion of their emails. Large organizations can opt for a smaller number because they have multiple email channels.
- Gradually increase the pct value.
- Finally, once you confirm that all the emails are authenticated, you can enforce a stricter policy. You can set p=reject for 100% of your emails.
Note: If you’re focused on improving your brand identity and adopting BIMI, you must adopt p=reject.
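The p=none phase only pays off if someone reads the aggregate reports that the rua mailbox receives. The following is an added Python example (not code from the article or from Dmarcian) that parses a constructed report in the aggregate-report XML schema of RFC 7489 Appendix C and lists the sending sources that fail DMARC, largest volume first. Those are the sources to fix (a legitimate service that needs DKIM signing with your d= domain) or to confirm as spoofing before moving to quarantine and reject. Real reports arrive as gzip or zip attachments and need to be decompressed first; every IP, count and name in the sample is constructed.

```python
"""Summarize a DMARC aggregate (rua) report and list failing senders.

Added example, not code from the article or from any DMARC service.  The XML
below is a constructed sample in the aggregate-report schema of RFC 7489
Appendix C; real reports arrive as gzip or zip attachments and must be
decompressed first.  All IPs, counts and names are constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1718755200</begin><end>1718841599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Flatten each <record> into a dict; dmarc_pass mirrors the receiver's
    aligned SPF/DKIM verdict in <policy_evaluated>."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        sources.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # An aligned pass of either mechanism is a DMARC pass.
            "dmarc_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": sources,
    }


def failing_sources(summary: dict) -> list:
    """Sources without an aligned pass, largest volume first: what to fix
    (or confirm as spoofing) before moving from p=none to quarantine/reject."""
    return sorted((s for s in summary["sources"] if not s["dmarc_pass"]),
                  key=lambda s: s["count"], reverse=True)


def pass_rate(summary: dict) -> float:
    """Fraction of reported messages that passed DMARC."""
    total = sum(s["count"] for s in summary["sources"])
    passed = sum(s["count"] for s in summary["sources"] if s["dmarc_pass"])
    return passed / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['domain']} p={summary['policy']} reported by {summary['reporter']}: "
          f"pass rate {pass_rate(summary):.1%}")
    for src in failing_sources(summary):
        print(f"  FAIL {src['ip']} x{src['count']} From={src['header_from']} "
              f"spf_domain={src['spf_domain']} dkim_domains={src['dkim_domains']}")
```

In the constructed sample the second source passes SPF for bulk-sender.example, but that domain does not align with the example.com From: address and there is no DKIM signature, so the receiver records a DMARC failure; at p=none nothing is blocked, which is why this phase is the time to add an aligned DKIM signature for such a service before raising the policy.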
Additional DMARC tags
Here is a list of additional tags you can use in your DMARC record.
Tag | Description |
adkim | (Optional) Specifies the DKIM identifier alignment mode. It can take either of two values: r for relaxed, s for strict. Default: r |
aspf | (Optional) Specifies the SPF identifier alignment mode. It can take either of two values: r for relaxed, s for strict. Default: r |
ruf | (Optional) Specifies the address to receive the failure/forensic reports. Failure reports are sent immediately after an email authentication failure occurs. |
fo | (Optional) Specifies the failure or forensic report options. This can be ignored if ruf is not mentioned. It can take four values. 0: generate a report if both SPF and DKIM fail to produce an aligned pass. 1: generate a report if either SPF or DKIM produces a result other than an aligned pass. d: generate a DKIM failure report if the email's DKIM signature fails validation, irrespective of its alignment. s: generate an SPF failure report if the email fails SPF evaluation, irrespective of alignment. |
sp | (Optional) Specifies the policy for all subdomains. It takes the same values as the p tag. If sp is not mentioned, the value of p will be applied to the subdomains. |
rf | (Optional) Specifies the format to be used while generating reports for SPF and DKIM failures. The values mentioned in the format should match the ones defined in the DMARC specification. Default: afrf |
ri | (Optional) Specifies the requested time interval (in seconds) between aggregate reports. Default: 86400, i.e. one report per day |
DMARC and deliverability
DMARC not only protects your domains, but also improves your reputation. By preventing bad actors from phishing or spoofing your domain, you can reduce your chances of being flagged as a spammer. This improves your deliverability, ensuring more of your emails go to the inbox.
Moreover, DMARC's aggregate reports highlight the issues with your authentication giving you a chance to fix them.
Wrapping up
Email authentication has become a necessity to protect your emails against the constant spoofing and phishing threats. With SPF, DKIM and DMARC, you can navigate the seas of email delivery with ease. Start small, test, and adapt your authentication methods. The flexibility of DMARC's "none" policy means you don't have to risk deliverability. So, DMARC not only protects your emails, it protects your brand.