Problem
What is a "DMARC" record?
Solution
A Domain-based Message Authentication, Reporting, and Conformance record, or DMARC record, is used to publish in DNS a policy that details what happens if an email from that domain fails verification.
Below is an example of a DMARC record.
Craig owns the domain example.com. He has already published an SPF record detailing which email servers are allowed to send email on behalf of his domain name. He now wants to add a DMARC policy stating that the domain can send email but no subdomain can, and to set up a feedback mailbox for forensic reports on messages that fail the DMARC policy.
He adds the following TXT record to his DNS domain zone file:
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; aspf=s; fo=1;"
The breakdown of that record is as follows:
v=DMARC1 | This indicates the version of DMARC being used, which is currently version 1. |
p=quarantine | This specifies the policy for handling messages that fail authentication checks. In this example, the policy is set to "quarantine", which means that any messages that fail SPF and/or DKIM checks will be isolated, typically in the spam folder or spam quarantine. |
sp=reject | This specifies the policy for handling messages that come from subdomains of the domain. In this example, the policy is set to "reject", which means that any messages that fail SPF and/or DKIM checks will be rejected by the receiving email server and not delivered to the recipient. |
rua=mailto:dmarc-rua@example.com | This specifies an email address where the receiving email server should send aggregate DMARC reports. These reports provide information on how many messages passed and failed DMARC checks, along with other details. |
ruf=mailto:dmarc-ruf@example.com | This specifies an email address where the receiving email server should send forensic DMARC reports. These reports contain detailed information about the specific message that failed DMARC checks, including message headers and other technical information. |
aspf=s | This specifies the alignment mode for SPF. In this example, the mode is set to "Strict". |
fo=1 | The forensic reporting options tag controls how forensic reports are created and presented to DMARC users. In this example, a DMARC failure report is generated if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned "pass" result. |
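
The record above, parsed and checked in Python. This is an added example, not part of the original article: the function names parse_dmarc and effective_policy are hypothetical, the defaults for omitted tags come from RFC 7489, and the second record is constructed to show common mistakes.

```python
# Added example: parse a DMARC TXT record and flag common mistakes.
# Tag syntax and defaults follow RFC 7489; function names are hypothetical.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100"}
POLICIES = {"none", "quarantine", "reject"}

# The record from the article, then a constructed broken one.
RECORD = ("v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com; "
          "ruf=mailto:dmarc-ruf@example.com; aspf=s; fo=1;")
BROKEN = "p=reject; v=DMARC1; aspf=x; rua=dmarc@example.com"

def parse_dmarc(txt):
    """Return (tags, problems) for the text of a _dmarc TXT record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    parts = [p for p in parts if p]          # a trailing ';' is allowed
    tags, problems = {}, []
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for mode in ("aspf", "adkim"):
        if tags.get(mode, "r").lower() not in ("r", "s"):
            problems.append(f"{mode} must be r (relaxed) or s (strict)")
    for key in ("rua", "ruf"):               # this check only accepts mailto: URIs
        for uri in tags.get(key, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{key} is not a mailto: URI: {uri.strip()}")
    return tags, problems

def effective_policy(tags):
    """Fill in the values a receiver assumes for tags the record omits."""
    eff = {**DEFAULTS, **tags}
    eff.setdefault("sp", eff.get("p"))       # subdomains inherit p without sp
    return eff

if __name__ == "__main__":
    for rec in (RECORD, BROKEN):
        tags, problems = parse_dmarc(rec)
        print(effective_policy(tags), problems or "no problems found")
```

For the article's record this reports no problems and shows adkim=r and pct=100 filled in as defaults, since the record does not set them.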