Problem
What is a "DMARC" record?
Solution
A Domain-based Message Authentication, Reporting, and Conformance record, or DMARC record, is used to publish in DNS a policy that details what happens when an email from that domain fails verification.
The Night Club Analogy
In the article "What is a SPF record" we looked at the example of a doorman at a night club: if your name wasn't on the guest list, you weren't allowed in. DMARC follows on from that analogy, because DMARC is the policy that tells the doorman what to do when entry is refused.
For example, if entry to the club is refused, should the doorman report back to the management team and explain why? Was it because the guest wasn't on the list (SPF), or because they didn't meet the strict dress code (DKIM)?
DMARC works in a similar fashion: it tells the receiving email server what to do when an email fails SPF and/or DKIM, and it lets the domain owner request feedback reports at a published email address.
Example of how DMARC works
Below is an example of a DMARC record.
Craig owns the domain example.com. He has already published an SPF record detailing which email servers are allowed to send email on behalf of his domain name. He now wants to add a DMARC policy stating that the domain itself can send email but no subdomain can, and also set up a feedback mailbox for forensic reports on messages that fail the DMARC policy.
He adds the following TXT record to his DNS domain zone file:
_dmarc.example.com. TXT "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; aspf=s; fo=1;"
The breakdown of that record is as follows:
Tag | Meaning
v=DMARC1 | This indicates the version of DMARC being used, which is currently version 1.
p=quarantine | This specifies the policy for handling messages that fail authentication checks. In this example, the policy is set to "quarantine", which means that any messages that fail SPF and/or DKIM checks will be isolated, typically in the spam folder or a spam quarantine.
sp=reject | This specifies the policy for handling messages that come from subdomains of the domain. In this example, the policy is set to "reject", which means that any messages from a subdomain that fail SPF and/or DKIM checks will be rejected by the receiving email server and not delivered to the recipient.
rua=mailto:dmarc-rua@example.com | This specifies an email address where the receiving email server should send aggregate DMARC reports. These reports provide information on how many messages passed and failed DMARC checks, along with other details.
ruf=mailto:dmarc-ruf@example.com | This specifies an email address where the receiving email server should send forensic DMARC reports. These reports contain detailed information about the specific message that failed DMARC checks, including message headers and other technical information.
aspf=s | This specifies the alignment mode for SPF. In this example, the mode is set to "strict", meaning the domain that passed SPF (the envelope MAIL FROM domain) must exactly match the From header domain, rather than merely sharing the same organizational domain.
fo=1 | Forensic reporting options control when forensic reports are generated. In this example, fo=1 requests a DMARC failure report whenever any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned "pass" result.
Minimal DMARC record
The minimum DMARC record that conforms to the RFC is:
_dmarc.example.com. TXT "v=DMARC1; p=none;"
With p=none the receiving server takes no action on failing messages, so this record monitors rather than enforces. It can be used as a starting point for a DMARC implementation, but DKIM and SPF alignment are strongly recommended to ensure deliverability.
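As an added example (not part of the original article), the following Python parser applies the RFC 7489 defaults to both records shown above and demonstrates the difference aspf=s makes; the record strings are the ones from the article, and the relaxed-alignment check is simplified to a parent/child suffix match instead of a public-suffix-list lookup.

```python
# Constructed example, not code from the original article.
# Records quoted from the article above:
EXAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com; "
                  "ruf=mailto:dmarc-ruf@example.com; aspf=s; fo=1;")
MINIMAL_RECORD = "v=DMARC1; p=none;"

# Values DMARC receivers assume when a tag is absent (RFC 7489, section 6.3).
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100", "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, rejecting records the RFC
    treats as invalid and filling in the defaults a receiver would apply."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in the article's record
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name] = value
    # v= must be the first tag and read DMARC1; p= is mandatory.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= when sp= is absent
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    return tags


def spf_aligned(header_from: str, mail_from_domain: str, mode: str) -> bool:
    """SPF alignment check. Strict (aspf=s) needs an exact match between the
    From header domain and the SPF-authenticated MAIL FROM domain; relaxed
    (aspf=r) accepts the same organizational domain, simplified here to a
    parent/child suffix match rather than a public-suffix-list lookup."""
    hf, mf = header_from.lower().rstrip("."), mail_from_domain.lower().rstrip(".")
    if mode == "s":
        return hf == mf
    return hf == mf or mf.endswith("." + hf) or hf.endswith("." + mf)
```

Running parse_dmarc over the minimal record shows sp falling back to none and aspf to relaxed, which is why that record only monitors.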