Not sure what a DMARC record is? Don’t worry! Today, we will cover everything about DMARC and how to set it up for your domain.
In simple terms, the DMARC record is a policy that provides instructions to SMTP (mailing) servers on how to handle emails that fail SPF and DKIM authentication.
Still confusing, right?
No worries! In this WordPress email domain authentication guide, we will explain what a DMARC record is and how to set up DMARC for your domain in two easy steps.
What Is a DMARC Record? – A Brief Introduction
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is a DNS TXT record that defines a domain’s policy for handling emails that fail SPF and DKIM authentication. A DMARC record allows you to specify whether the recipient is to quarantine, ignore (none), or even reject the malicious emails.
Setting up a DMARC record for your domain is extremely important as it enables email servers to identify legitimate emails and block fake ones. This prevents cyberattacks like email spoofing, phishing, and Business Email Compromise (BEC) (aka CEO fraud).
Therefore, we strongly recommend that you set up a DMARC record for your email domain in order to make your emails more secure.
NOTE: Most email service providers, such as Google, Amazon, Zoho, etc., check for DMARC records in their anti-spam measures. Without a DMARC record, they are likely to reject your emails.
Example of a DMARC Record
Generally, a DMARC record includes three key parts or tags.
An example of a DMARC record is shown below:
`v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com`
In this record, there are three tags: `v`, `p`, and `rua`, which have the following values: `DMARC1`, `quarantine`, and `mailto:dmarc@example.com`, respectively.
- v = Indicates DMARC version.
- p = The DMARC policy, which specifies what to do when an email fails SPF and DKIM authentication.
- rua = An email address to receive DMARC reports. (Optional)
NOTE: At the moment, DMARC1 is the only supported version type for DMARC. The DMARC version tag (v) in a DNS record must be exactly DMARC1, or the receiving mail server will skip the entire verification process.
When defining your DMARC policy, you have three options, which are as follows:
- None: This DMARC policy, commonly known as the ‘monitor’ policy, instructs the recipient’s email provider to do nothing when an email fails SPF and DKIM checks.
- Quarantine: It tells the recipient server to put suspicious emails in a spam folder instead of the primary inbox.
- Reject: The email server will block any email that fails SPF and DKIM authentication, which means the recipient will not receive the email.
You can also use additional optional tags such as ‘pct’, ‘ruf’, etc. But, to keep things simple, we recommend setting up a DMARC record using only `v`, `p`, and `rua`.
How to Set Up DMARC Record in 2 Easy Steps
Here are two easy steps that you can follow to set up a DMARC record for your domain.
Step #1: Check Your Domain for DMARC Record
To see if your domain has a DMARC record configured, use any DMARC lookup tool such as MXToolbox.
- Enter the domain name in the search bar and then click on the ‘DMARC Lookup’ button.
- If DMARC is not set up, you’ll see a failure status (i.e., ‘No DMARC Record found’).
Now, let’s move on to the second step, where we will show you where and how to add a DMARC record for your domain.
Step #2: Update Your DNS Record to Add DMARC Policy
DNS records are basically the set of guidelines that tell your web server where to look for your website’s content, your email mailbox, etc. To update your DNS record (in this case, DMARC), log into your domain provider’s account.
If you don’t know where to find your DNS settings, try these options:
- Web Hosting cPanel (Control Panel): If you’ve bought your domain and web hosting together, you need to sign into your web hosting cPanel (control panel) to access the DNS or DNS Zone menu.
- DNS Registrar: If you purchased your domain separately, use your account at the domain registrar from which you bought it to edit the DNS zone.
- CDN (Content Delivery Network) provider: If you use a CDN (Content Delivery Network) service such as Cloudflare, then you can set up DNS records by logging into your CDN account.
For this example, we’ll walk you through the step-by-step process on how to configure a DMARC record in Cloudflare.
First, confirm that your domain does not already have a DMARC record. In DNS settings, you can only have one DMARC record at a time.
The following example of a DMARC record will cover all subdomains and email addresses connected to your account.
To set up a DMARC TXT record, follow these steps:
- On your registrar’s DNS record section, select ‘Add record.’
- Select ‘TXT’ from the Type drop-down menu.
- In the ‘Name’ box, enter `_dmarc.` Some hosts might remove the period ‘.’, so you can try without it if needed.
- In the Content field, paste the DMARC record in the following format with your own custom values:
`v=DMARC1; p=none; fo=1; rua=mailto:me@example.com`
Here’s a breakdown of the rule:
- `v=DMARC1`: Specifies the DMARC version.
- `p=none`: This setting provides the least restriction, so you will continue to receive reports without affecting your email delivery.
- `fo=1`: Generates forensic reports for every individual email if there’s a mismatch in DKIM or SPF alignment.
- `rua=mailto:me@example.com`: Change this to the email address provided by your service provider or use an address from your domain.
- The ‘TTL (Time to Live)’ specifies how long the record is cached. It’s safe to leave the TTL on Auto, typically set to 4 hours. If Auto is not available, you can choose 24 hours or 86400 seconds.
- Finally, save the new DMARC entry to your DNS records.
Now, Wait Until Your DMARC Record Gets Propagated
After making changes to your DNS, you need to wait up to 48 hours for the changes to take effect. If you’re using Cloudflare, the changes often take place within a few minutes.
Once the changes have propagated, go back to a web-based DMARC checker like MXToolbox. Use its DMARC tool to check again.
This time, you should see a green bar indicating that your DMARC rule is working correctly.
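The tag rules and the one-record rule from this guide can also be checked offline. The following is an added Python example, not part of the original article: it lints the TXT strings found at `_dmarc.<domain>` without doing any DNS lookup. The function names and sample inputs are assumptions made for illustration, and the warning about `fo` without `ruf` follows the DMARC specification (RFC 7489) rather than this page.

```python
# Added example (not from the original article): lint the TXT strings that a
# DNS lookup of _dmarc.<domain> returns. No network access; inputs are passed in.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records):
    """Return (tags, errors, warnings) for the TXT strings at _dmarc.<domain>."""
    # A string only counts as a DMARC record if its first tag is exactly v=DMARC1.
    found = []
    for record in txt_records:
        tags = parse_tags(record)
        if next(iter(tags), None) == "v" and tags["v"] == "DMARC1":
            found.append(tags)
    if not found:
        return {}, ["no DMARC record found"], []
    if len(found) > 1:
        return {}, ["multiple DMARC records published; only one is allowed"], []
    tags, errors, warnings = found[0], [], []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        errors.append("p must be none, quarantine or reject")
    elif policy == "none":
        warnings.append("p=none only monitors; failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                errors.append(f"{tag} entry is not a mailto: address: {uri}")
    if "rua" not in tags:
        warnings.append("no rua tag; you will not receive aggregate reports")
    if "fo" in tags and "ruf" not in tags:
        warnings.append("fo is ignored unless a ruf address is also set")
    return tags, errors, warnings

# Constructed inputs: the two records shown in this guide, plus a bad version tag.
GUIDE_RECORD = ["v=DMARC1; p=none; fo=1; rua=mailto:me@example.com"]
DUPLICATES = GUIDE_RECORD + ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]
BAD_VERSION = ["v=DMARC2; p=reject"]

if __name__ == "__main__":
    for sample in (GUIDE_RECORD, DUPLICATES, BAD_VERSION):
        print(sample, "->", lint_dmarc(sample)[1:])
```

Pass it the TXT strings your lookup tool reports for `_dmarc` on your own domain; an empty error list means the record meets the rules described above.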
Final Remarks
That’s it! We have answered the question, ‘What Is a DMARC Record?’ Now you know that setting up a DMARC record is the most crucial step in securing your email domain.
Adding a DMARC record for your email domain ensures that only legitimate emails reach your recipients, protecting them from phishing, spoofing, and other email-based attacks. This not only improves your domain’s security but also boosts your email deliverability and trustworthiness.
Don’t forget that DMARC is part of a larger email authentication framework that includes SPF and DKIM. Together, these protocols provide a robust defense against email fraud.
To learn more about email authentication protocols, check out our detailed guide about SPF, DKIM, and DMARC.
Frequently Asked Questions
What Does DMARC Stand For?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an email authentication protocol that verifies whether an email message truly originates from the claimed sender based on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms.
Who Can Use DMARC Records?
Any domain owner can use DMARC records to protect their domain from being used in email fraud and to improve their email security.
Do I Need a DMARC Record?
Yes, having a DMARC record is highly recommended. It helps protect your domain from email spoofing and phishing attacks to make sure that only legitimate emails are delivered.
Do I Need to Use a DMARC Record Generator?
No, you can manually create DMARC records by adding DNS TXT records to your domain. However, some tools simplify the process by generating DMARC records based on your preferences.
How Do I Read a DMARC Report?
DMARC reports provide detailed information about emails sent from your domain. They include data on authentication results, sources of emails, and any potential issues. You can analyze aggregate (summary) reports and forensic (detailed) reports to understand how your domain’s emails are handled by receivers.
What Happens If There Is No DMARC Record?
If there is no DMARC record, your domain is vulnerable to email spoofing and phishing attacks. Additionally, many email providers will probably mark your emails as spam or reject them.
Where Is the DMARC Record Stored?
The DMARC record is stored as a DNS TXT record in your domain’s DNS settings. It specifies your DMARC policy and reporting preferences.