DMARC – short for Domain-based Message Authentication, Reporting and Conformance – helps receivers distinguish fraudulent emails from genuine ones. It’s especially useful for domain owners because it keeps domains off blacklists and reduces the risk of messages being rejected or treated as spam.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It builds on existing authentication methods like SPF and DKIM by giving receiving mail servers clear instructions for handling messages that fail those checks.

How does DMARC work?

  • Domain owners publish a DMARC policy as a DNS TXT record.
  • Receiving servers evaluate incoming mail using SPF and/or DKIM.
  • If authentication fails, the receiving server enforces the policy defined in the DMARC record.
  • Reports can be sent to the domain owners to help them spot potential attacks and take action.

Overview of DMARC policies

| Policy | Meaning | Typical use |
| --- | --- | --- |
| none | The email is delivered normally, and only reporting takes place. | Initial testing phase, for report analysis |
| quarantine | Suspicious emails are moved to the spam folder or quarantine area. | Suitable for reducing risk without completely rejecting legitimate emails |
| reject | Suspicious emails are rejected and not delivered at all. | Intended final stage for domains once SPF and DKIM records are fully configured |

How DMARC reporting works

An essential component of DMARC is its feedback system. This system informs domain owners about possible misuse or spoofing attempts:

  • Aggregate reports (rua): Daily summaries of all checked emails, typically provided in XML format. These reports provide information on the volume, source and results of authentication checks.
  • Forensic reports (ruf): Detailed individual reports on failed checks that may contain specific header fields and content sections from the suspicious message.

Bear in mind that these reports can include sensitive data such as email addresses, sender details and technical information. When setting up your reporting, make sure you comply with any regulations related to data protection that may apply.

Note

Receiving mail servers are not required to consider DMARC entries. If you don’t receive reports about failed DKIM or SPF checks, this does not necessarily mean everything is in order.

What does a DMARC record contain?

A DMARC record is stored as a TXT record in a domain’s DNS. It contains several parameters that together define how incoming messages are handled.

DMARC tags and their meaning

| Field (tag) | Meaning | Typical values / options |
| --- | --- | --- |
| v | Version of the DMARC record | DMARC1 (current version) |
| p | Policy for the main domain | none = monitoring only, quarantine = suspicious mail goes to spam/quarantine, reject = rejects suspicious mail |
| sp | Policy for subdomains | none, quarantine, reject |
| pct | Percentage of emails checked by DMARC | Default: 100 (all emails). Can be set to 50, for example, to gradually introduce DMARC |
| rua | Address(es) for aggregate reports | Example: rua=mailto:dmarc-reports@yourdomain.co.uk |
| ruf | Address(es) for forensic reports | Example: ruf=mailto:dmarc-forensic@yourdomain.co.uk |
| fo | Failure reporting options – when an error is reported | fo=0 = only if both SPF and DKIM fail (default); fo=1 = if at least one check fails; fo=d = detailed DKIM errors; fo=s = detailed SPF errors |
| rf | Format for forensic reports | afrf (default, Authentication Failure Reporting Format), iodef |
| ri | Reporting interval in seconds | Default: 86400 (24 hours) |
| adkim | Alignment mode for DKIM | r = relaxed (subdomains allowed), s = strict (exact match required) |
| aspf | Alignment mode for SPF | r = relaxed, s = strict |

Example DMARC Record

_dmarc.example.co.uk. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.co.uk; ruf=mailto:dmarc-forensic@example.co.uk; pct=100; adkim=s; aspf=s"
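
The tag rules from the table above can be checked mechanically before a record is published. The following Python code is an added example, not part of the original article or of any tool it mentions; the function names parse_dmarc and check_dmarc are hypothetical, and the second record is constructed to show typical mistakes.

```python
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0",
            "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return (settings with defaults applied, list of findings)."""
    pairs = parse_dmarc(txt)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    tags = [t for t, _ in pairs]
    findings += [f"duplicate tag {t}" for t in sorted(set(tags)) if tags.count(t) > 1]
    rec = {**DEFAULTS, **dict(pairs)}
    if rec.get("p") not in POLICIES:
        findings.append("p is missing or not none/quarantine/reject")
    rec.setdefault("sp", rec.get("p"))    # subdomains inherit p when sp is absent
    if rec["sp"] not in POLICIES and rec.get("p") in POLICIES:
        findings.append("sp is not none/quarantine/reject")
    if not (rec["pct"].isdecimal() and 0 <= int(rec["pct"]) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if rec[tag] not in ("r", "s"):
            findings.append(f"{tag} must be r or s")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in rec.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} entry is not a mailto: URI: {uri}")
    if "rua" not in rec:
        findings.append("no rua tag: no aggregate reports will arrive")
    return rec, findings

# The article's example record, and a constructed faulty one.
GOOD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.co.uk; "
        "ruf=mailto:dmarc-forensic@example.co.uk; pct=100; adkim=s; aspf=s")
BAD = "p=reject; v=DMARC1; pct=150; adkim=x; rua=dmarc-reports@example.co.uk"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(check_dmarc(record)[1])
```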

How to create a DMARC record

Before you can create a DMARC record, SPF and DKIM records must already exist for your domain. DMARC will only work properly once this foundation is in place.

Step 1: Generate a DMARC record

Use an online tool, such as the DMARC Record Generator by EasyDMARC. Enter your domain along with the required parameters, including the policy type and the addresses for DMARC reports.

Image: Screenshot of the DMARC Record Generator tool by EasyDMARC

Step 2: Create the TXT record in DNS

Next, log in to your domain provider account and open the DNS settings. Create a TXT record with the following values to configure the DMARC record for your domain:

  • Subdomain: _dmarc.yourdomain.co.uk
  • Type: TXT
  • Value: the DMARC record created by the generator

Example:

_dmarc.yourdomain.co.uk. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.co.uk"

Step 3: Introduce the policy gradually

  1. Start with p=none
     • Monitoring only. Emails are delivered normally.
     • Analyse the DMARC reports to check whether all legitimate servers are correctly authenticated.
  2. Switch to p=quarantine
     • Suspicious emails are moved to spam or quarantine.
     • The risk of domain abuse decreases significantly.
  3. Finish with p=reject
     • Unauthenticated emails are blocked and not delivered.
     • This is the recommended final stage for domains with fully established SPF and DKIM records.

It’s best to begin with the policy set to none and monitor the reports for a period to ensure results are as expected.

Step 4: Set up reporting address

Create a dedicated address, such as dmarc-reports@yourdomain.co.uk, and use it exclusively for DMARC reports. This keeps main inboxes from being overloaded with XML files. You can also add a second mailbox for forensic reports, such as dmarc-forensic@yourdomain.co.uk.

Keep the following points in mind:

  • Separate reports: Only use these mailboxes for DMARC data so they stay organised and are easy to monitor.
  • Allow external senders in DNS: To receive reports from external mail servers, your domain must explicitly permit this in the DNS. Without that authorisation, no reports will arrive even if your DMARC record is correct.
  • Respect data protection: DMARC reports include sensitive details such as IP and email addresses. Always handle them in line with your company’s data protection policies and, where applicable, the GDPR.
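
The DNS authorisation in question is the external destination check from RFC 7489, section 7.1: when a rua or ruf mailbox lies outside the domain that publishes the policy, the mailbox's domain publishes a TXT record with the value v=DMARC1 at <policy domain>._report._dmarc.<mailbox host>. This added Python example (not from the original article) lists the names that must exist; external_report_records and thirdparty.example are hypothetical, and it assumes the policy domain is the organisational domain, so any host at or below it counts as internal.

```python
from urllib.parse import urlsplit

def external_report_records(policy_domain, report_uris):
    """Names where an external report destination must publish "v=DMARC1".

    Simplification (assumption): RFC 7489 compares Organizational Domains,
    which needs the Public Suffix List; here a host is internal when it is
    the policy domain itself or one of its subdomains.
    """
    policy_domain = policy_domain.lower().rstrip(".")
    names = []
    for uri in report_uris:
        uri = uri.strip().split("!")[0]   # drop an optional size limit ("!10m")
        parts = urlsplit(uri)
        if parts.scheme.lower() != "mailto" or "@" not in parts.path:
            raise ValueError(f"not a mailto: report URI: {uri!r}")
        host = parts.path.rsplit("@", 1)[1].lower().rstrip(".")
        internal = host == policy_domain or host.endswith("." + policy_domain)
        name = f"{policy_domain}._report._dmarc.{host}"
        if not internal and name not in names:
            names.append(name)
    return names

if __name__ == "__main__":
    # Constructed input: one mailbox in the policy domain, one at a third party.
    for name in external_report_records(
            "yourdomain.co.uk",
            ["mailto:dmarc-reports@yourdomain.co.uk",
             "mailto:agg@reports.thirdparty.example!10m"]):
        print(f'{name}. IN TXT "v=DMARC1"')
```

The record is published by whoever controls the mailbox's domain, not by the domain whose mail is being reported on; a mailbox inside the policy domain needs no such record.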

Step 5: Monitor results

Use dedicated tools to analyse incoming reports and identify misuse at an early stage. Services such as Google Postmaster Tools or Microsoft SNDS (Smart Network Data Services) help you visualise how your domain is being used, or misused, and make it easier to fine-tune your DMARC policy.

Step 6: Verify your DMARC record

Depending on your name server, publishing the record can take anywhere between a few minutes and several hours. To confirm that the entry is active and correctly configured, use a DMARC check tool, such as the DMARC Record Lookup Tool by EasyDMARC.

Image: Screenshot of the DMARC Record Lookup Tool from easydmarc.com