DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. Its goal is to prevent your email domain from being spoofed and used in cyber crimes like phishing or spamming. It relies on either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), in addition to the DMARC record in the DNS. DMARC is defined in the Internet Engineering Task Force’s published document RFC 7489, dated March 2015, as “Informational”.
What is a TXT record?
A TXT record is short for text record. This type of record can be used to store any human readable information regarding a server, network, data center and other accounting information. DMARC also uses this TXT record to store the email domain policy.
How does DMARC work?
As mentioned above, DMARC relies on the results of SPF or DKIM. So, make sure that either SPF or DKIM is configured. After that, configure the DMARC record using the TXT record.
Firstly, either SPF or DKIM is checked against the sender domain. If the domain passes the checking, then DMARC will check if the domain specified in SPF or DKIM matches the domain in the message From field. This is known as the DMARC alignment.
Configuring DMARC record in your DNS
In your DNS, create a TXT record for the sub-domain _dmarc.yourdomain.com. Remember to change yourdomain.com to your actual domain.
Next, paste the following into the TXT record:
v is the version
p is the policy
sp is the sub-domain policy
pct is the percentage of bad emails to apply the policy
rua is the email where you want to get DMARC reports.
Policy can be one of the following:
- none Basically, do nothing. Just send reports to the configured email address.
- quarantine Treats emails that failed DMARC check as suspicious; can flag the emails or move them to the spam folder.
- reject Rejects any emails that failed the DMARC check.
Do you need DMARC?
Definitely, yes! Firstly, DMARC checks the domain in the From field of the message which SPF does not. Besides that, DMARC has reporting functionality for possible abuse of your domain. Lastly, DMARC can specify what to do with emails that failed authentication. Everyone should ideally use SPF/DKIM along with DMARC for a more well-rounded protection.