What Is a DMARC DNS Record?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol built on top of SPF and DKIM: the domain owner publishes a DMARC policy as a DNS TXT record at _dmarc.<domain>, and that record tells receiving mail servers what to do with a message that cannot be authenticated and where to send reports about the mail they see.

What is a DMARC entry and what purpose does it serve?

A message fails DMARC authentication when the receiving server of your contact cannot verify that the sender is who it claims to be: neither SPF nor DKIM produces a pass whose domain is aligned with the domain in the message's From: header.

A published DMARC record essentially serves two purposes:

  • Tells the receiving server what to do with a message that fails authentication: quarantine the message, reject the message, or allow the message to continue to delivery.
  • Asks receiving servers to send reports to one or more email addresses with data about all the messages they have seen claiming to come from the domain (aggregate reports requested with the rua tag).

Once published, a DMARC record is used by receiving email servers (e.g. Gmail or Yahoo) to determine what to do with a message that fails authentication. The receiving mail server looks up the record at _dmarc.<your domain>, reads the policy (p) tag, and applies one of the following options:

  • Do nothing with the message (p=none: the message is delivered normally and only the reports tell you it failed)
  • Quarantine the message (p=quarantine: typically delivered to the spam or junk folder)
  • Reject the message (p=reject: delivery is refused)

However, this check and the resulting decision can only be made if a DMARC record has been published for your domain.

If no DMARC record has been published for your domain, the receiving server decides on its own whether the message should be delivered, and a spoofed message claiming to come from your domain gets no different treatment from a legitimate one. In light of phishing, malware and a variety of other security concerns, receivers increasingly treat a published DMARC policy as the baseline for legitimate senders, and the large mailbox providers (Gmail and Yahoo among them) now require bulk senders to publish a DMARC record with at least p=none.


A DMARC record is essentially made up of a specified Host/Name (the record name, which is always the label _dmarc in front of your domain; for example, _dmarc.mxtoolbox.com is the Host/Name for MxToolbox) and tag-value pairs. Tag-value pairs are pretty much what they sound like: you have a tag (e.g., the policy is represented by "p=") and a value, such as "none", which are paired to tell the receiving mail server what action to take. The pairs are separated by semicolons.

The following record contains 3 tag-value pairs:

"v=DMARC1; p=none; rua=mailto:dmarc@dmarc.brevo.com"

  • The 3 tags are: v, p and rua.
    • "v"-Tag stands for Version (v). This tag is required, must be the first tag in the record, and must have exactly the value DMARC1 (i.e. v=DMARC1); a receiver ignores a record that does not start this way.
    • "p"-Tag stands for Policy (p). The required p tag specifies the requested handling policy for the domain. It directs the receiver to do nothing, quarantine, or reject emails that fail authentication checks. Policy options are: 1) none 2) quarantine or 3) reject.
    • "rua"-Tag stands for RUA Report Email Address(es) (rua). This optional tag lists the reporting URI(s) to which receivers send aggregate reports (XML summaries of the mail they saw from your domain, normally once a day). An rua example is rua=mailto:CUSTOMER@for.example.com; several addresses can be given separated by commas.
  • The 3 values are: DMARC1, none, and mailto:dmarc@dmarc.brevo.com.
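To make the record format and the receiver's decision concrete, here is an added example (written for this page, not Brevo's or any mail provider's code) that parses a DMARC record into its tag-value pairs, validates the v and p tags the way a receiver does, and then applies the policy to a message given its SPF and DKIM results. It goes slightly beyond the three tags above by honouring the alignment tags adkim/aspf and the subdomain policy sp, which are standard DMARC tags. The record strings and domains are constructed; the `org_domain` helper is a simplification (assumption: last two labels), where a real receiver consults the Public Suffix List.

```python
"""Parse a DMARC TXT record and apply it the way a receiving server does.

Added example, not Brevo's or any mail provider's code. The record strings
and domains used below are constructed for illustration.
"""
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC record into tag-value pairs and validate the required ones.

    Per RFC 7489 the pairs are separated by ';', 'v=DMARC1' must be the first
    tag, and 'p' must be present and hold none, quarantine or reject. A
    receiver ignores records that break these rules, so we raise instead.
    """
    tags: dict = {}
    order: list = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        tag, value = part.split("=", 1)
        tag = tag.strip().lower()
        tags[tag] = value.strip()
        order.append(tag)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    for tag in ("p", "sp"):
        if tag in tags:
            tags[tag] = tags[tag].lower()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"p is required and must be one of {sorted(VALID_POLICIES)}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags:
            tags[tag] = tags[tag].lower()
            if tags[tag] not in VALID_ALIGNMENT:
                raise ValueError(f"{tag} must be r (relaxed) or s (strict)")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain with the last two labels.

    Assumption for this example only: real receivers use the Public Suffix
    List, without which e.g. 'example.co.uk' would collapse to 'co.uk'.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: dict, policy_domain: str, from_domain: str,
             spf: Optional[tuple], dkim: list) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    policy_domain: the domain at which the record was found (_dmarc.<policy_domain>).
    spf:  (domain checked by SPF, result) or None when there was no SPF check.
    dkim: list of (d= domain, result) for every signature on the message.
    The pct sampling tag is ignored here, i.e. treated as pct=100.
    """
    dkim_pass = any(res == "pass" and aligned(from_domain, d, record.get("adkim", "r"))
                    for d, res in dkim)
    spf_pass = (spf is not None and spf[1] == "pass"
                and aligned(from_domain, spf[0], record.get("aspf", "r")))
    if dkim_pass or spf_pass:
        return "pass", "none"
    # The subdomain policy applies when the record came from the organizational
    # domain and the From: domain is one of its subdomains.
    if from_domain.lower() != policy_domain.lower() and "sp" in record:
        return "fail", record["sp"]
    return "fail", record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record(
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com")
    # Signed by the From: domain itself: passes and is delivered.
    print(evaluate(rec, "example.com", "example.com", None, [("example.com", "pass")]))
    # With adkim=s a signature from a different subdomain is not aligned: rejected.
    print(evaluate(rec, "example.com", "example.com", None, [("mail.example.com", "pass")]))
    # A subdomain From: with nothing aligned falls under sp=quarantine.
    print(evaluate(rec, "example.com", "news.example.com",
                   ("bounce.other.example", "pass"), []))
```

Note that a pass is only granted for an aligned identifier: a DKIM signature or SPF check that passes under some other domain (a third-party sender using its own domain) counts as a DMARC failure, which is the usual reason legitimate mail fails once a domain moves to p=quarantine or p=reject.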

How do I authenticate a domain with a DMARC record?

To set up DMARC email authentication for your domain, you have 2 options:

  • Option 1. Set up a p=none DMARC record
    Add a non-impacting, monitoring-only DMARC record on your domain, such as "v=DMARC1; p=none", along with a rua tag so that you receive reports showing which sources send mail as your domain and whether they pass.
  • Option 2. Set up a p=quarantine or p=reject DMARC record
    Make sure you have properly authenticated your domain before setting up a p=quarantine or p=reject DMARC record: every legitimate source that sends as your domain (your own mail servers and any third-party service sending on your behalf, such as Brevo) must pass SPF or DKIM with a domain aligned to your From: domain, otherwise its mail will be quarantined or rejected.
    Add a DMARC record with an enforcement policy on your domain, such as "v=DMARC1; p=reject" or "v=DMARC1; p=quarantine".

There are a total of 11 tags that can be applied to a DMARC policy (v, p, sp, rua, ruf, adkim, aspf, pct, fo, rf and ri). Of these 11 tags, the "v" and "p" tags are mandatory, and we also strongly recommend the "rua" tag to receive the reports.
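The reports requested with the rua tag are what tell you whether Option 2 is safe. As an added example (not Brevo's code), the following script summarises one aggregate report and lists the sources that fail DMARC together with the domains they did authenticate under, so you can tell a third-party sender that still needs aligning from outright spoofing. SAMPLE_REPORT is a constructed report in the RFC 7489 aggregate-report XML format; the IP addresses and domains are documentation examples, not real senders.

```python
"""Summarise a DMARC aggregate (rua) report before moving to enforcement.

Added example, not Brevo's code. SAMPLE_REPORT is a constructed report in the
RFC 7489 Appendix C format; its IPs and domains are documentation examples.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>2024-01-15-example.com</report_id>
    <date_range><begin>1705276800</begin><end>1705363200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
      <spf><domain>mailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Group the report's rows into DMARC-passing and failing sources.

    A row passes DMARC when policy_evaluated shows an aligned DKIM or SPF pass.
    For failing rows the raw auth_results are kept: they show whether the source
    authenticated under some other domain (a third-party sender that is not
    aligned yet) or not at all (most likely spoofing).
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "passing": 0,
        "failing_sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        summary["total"] += count
        evaluated = rec.find("row/policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passing"] += count
            continue
        summary["failing_sources"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "dkim": [(d.findtext("domain"), d.findtext("result"))
                     for d in rec.findall("auth_results/dkim")],
            "spf": [(s.findtext("domain"), s.findtext("result"))
                    for s in rec.findall("auth_results/spf")],
        })
    summary["failing_sources"].sort(key=lambda s: s["count"], reverse=True)
    return summary


def pass_rate(summary: dict) -> float:
    """Fraction of reported messages that passed DMARC (0.0 for an empty report)."""
    return summary["passing"] / summary["total"] if summary["total"] else 0.0


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['passing']}/{s['total']} messages "
          f"passed DMARC, pass rate {pass_rate(s):.1%}")
    for src in s["failing_sources"]:
        print(f"  {src['source_ip']:<15} {src['count']:>4} msgs  "
              f"dkim={src['dkim']}  spf={src['spf']}")
```

In the constructed data, 203.0.113.5 authenticates only under mailer.example.net: that is the signature of a legitimate third-party service that must be set up to sign with your domain (DKIM) or to use a return-path under your domain covered by your SPF record before you switch to enforcement. 198.51.100.7 authenticates under nothing and fails SPF for your domain; enforcement would quarantine or reject its mail, which is exactly the outcome you want. Run this over the reports from a full monitoring period (all receivers, several weeks) before choosing Option 2.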


Below is an example of the DMARC record to publish, and to verify in your DNS, for sending emails via the provider Brevo:

DMARC record

Type: TXT
Name: _dmarc (resulting in _dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:rua@dmarc.brevo.com