Understanding DMARC in DNS

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is a DNS-based standard that helps prevent email spoofing and phishing. It allows domain owners to specify how email servers should handle messages that fail SPF and DKIM authentication checks.

What Is a DMARC Record?

A DMARC record is a DNS TXT record published under the subdomain _dmarc.example.com. It contains policy instructions and reporting options. For example:

DMARC Policy Options

The p tag in the record controls how failures are handled. There are three levels:

• none: No action, just monitoring
• quarantine: Deliver to spam or junk folder
• reject: Block the message entirely

How to Look Up a DMARC Record

To check a DMARC record, you can use the following tools:

DMARC Tags and Settings

• v: Always set to DMARC1
• p: Policy for your main domain
• sp: Policy for subdomains (optional)
• rua: Address for aggregate reports
• ruf: Address for forensic reports (optional)
• aspf and adkim: Set alignment mode to strict (s) or relaxed (r)

Why DMARC Matters

• Protects your brand from spoofing attacks
• Improves deliverability of legitimate emails
• Provides insights into who is sending on your behalf
• Works with SPF and DKIM to validate messages

Common Mistakes

• Publishing a DMARC record without valid SPF or DKIM
• Using incorrect syntax or missing semicolons
• Failing to monitor reports after publishing a policy
• Setting p=reject too early without testing

Example Full Record

This policy tells mail servers to reject unauthenticated mail for both the main domain and subdomains. It also enforces strict alignment and requests daily aggregate reports.

Summary

DMARC is a powerful tool for protecting your email identity. It prevents bad actors from impersonating your domain and gives you visibility into how your domain is used across the internet. Whether you're running a business or managing your personal domain, publishing and monitoring a DMARC record is a smart move for better email security.