What is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on the results of the SPF and DKIM checks. Unlike those two mechanisms, however, DMARC lets the domain owner tell the receiving server whether a message that fails the checks should or should not be accepted.
An example of a DMARC record is shown below with an explanation of its various elements:
v=DMARC1;p=reject;rua=mailto:dmarc-reports@yourdomain.com;ruf=mailto:dmarc-forensic@yourdomain.com
Individual elements:
"v=DMARC1" is the identifier that the receiving server is looking for to run the DMARC test; it specifies the DMARC protocol version.
"p=..." tells the server what to do with emails that fail the DMARC test. There are three policies: none (no restriction), quarantine (place in spam) and reject (refuse delivery).
"rua=mailto:..." indicates to the server where to send aggregate DMARC failure reports.
"ruf=mailto:..." indicates where to send detailed (forensic) reports on individual DMARC failures. The email address must be from the domain for which the DMARC record is published.
This example contains only a few elements (so-called tags), the most commonly recommended ones, but a record can be more complex depending on your needs. You can additionally include the parameter "rf=...", which specifies the format of the failure report, or "pct=...", which conveys what percentage of messages that fail DMARC the policy should be applied to.
You can find more tags and descriptions of their use here: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record
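The following is an added example, not code from the original article or from edrone, showing how a receiving server (or a domain owner checking their own DNS) would parse the tag=value syntax described above and catch the usual mistakes: a missing or misplaced v=DMARC1, a missing p= tag, a policy keyword that is not none/quarantine/reject, a pct outside 0 to 100, or a report address that is not a mailto: URI. The default values filled in by effective_policy are the ones RFC 7489 specifies for absent tags; the record used as sample input is the one from this article.

```python
"""Parse and sanity-check a DMARC TXT record (RFC 7489 tag=value syntax)."""

# Tags whose values are a fixed, case-insensitive set of keywords.
ALLOWED = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
}

# Values that apply when a tag is absent (RFC 7489, section 6.3).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "rf": "afrf", "ri": "86400", "fo": "0"}


def parse_dmarc_record(record):
    """Split 'tag=value; tag=value' into a dict that preserves tag order.

    Tag names are lowercased; keyword values (p, sp, adkim, aspf, rf) are
    lowercased too, other values (mailto: URIs, numbers) are kept as written.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' or doubled separators
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        value = value.strip()
        if name in ALLOWED:
            value = value.lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    return tags


def validate_dmarc_record(record):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc_record(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v= must be the first tag and must be exactly DMARC1, otherwise receivers ignore the record.
    first = next(iter(tags), None)
    if first != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("required tag p= is missing")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name] not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    pct = tags.get("pct", DEFAULTS["pct"])
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct={pct} must be an integer from 0 to 100")
    # rua/ruf may list several comma-separated destinations; each must be a mailto: URI.
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            uri = uri.strip()
            if uri and not uri.lower().startswith("mailto:"):
                problems.append(f"{name} destination {uri!r} is not a mailto: URI")
    return problems


def effective_policy(record):
    """Merge the published tags over the RFC defaults so every tag an evaluator needs is present."""
    merged = dict(DEFAULTS)
    merged.update(parse_dmarc_record(record))
    return merged


if __name__ == "__main__":
    # Sample input: the record from the article, plus a constructed broken one.
    article_record = ("v=DMARC1;p=reject;rua=mailto:dmarc-reports@yourdomain.com;"
                      "ruf=mailto:dmarc-forensic@yourdomain.com")
    broken_record = "p=reject; v=DMARC1; pct=150; rua=https://reports.example"
    for rec in (article_record, "v=DMARC1; p=none", broken_record):
        print(rec)
        print("  problems:", validate_dmarc_record(rec) or "none")
    print("effective:", effective_policy("v=DMARC1; p=none"))
```

Because the check is pure string handling, the same function can be pointed at the TXT value returned by a DNS lookup of _dmarc.yourdomain.com before a stricter policy is published.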
According to the changes introduced by Google and Yahoo from February 2024, every sending domain should have a DMARC record with at least a p=none policy.
Such a record might look like the following:
Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none
Recommended DMARC Configuration
We recommend using the following DMARC settings:
adkim = r - relaxed DKIM alignment
This setting controls how strictly the DKIM signature is checked on emails sent from your domain. In relaxed mode (r), the match is less strict - for example, if a subdomain sends a message, it can still be considered valid. This reduces the risk of legitimate emails being rejected.
aspf = r - relaxed SPF alignment
This setting controls how precisely the sender's address is checked against the SPF record. In relaxed mode (r), the match doesn't need to be exact - emails sent from subdomains can also pass verification. This helps avoid false rejections, especially if you use multiple services to send emails.
p = none - monitoring mode
Setting p=none means that the DMARC policy does not block or flag emails. Recipient servers simply send reports on how your emails pass verification. This allows you to monitor email traffic and review your setup before switching to a stricter policy.
Too strict DMARC settings (e.g., p=quarantine or p=reject) can cause deliverability issues if not all sending sources are properly configured.
How does DMARC verification work?
Please note that in order for DMARC to work properly you must first configure the SPF and DKIM records. Instructions can be found below:
The domain owner sets the rules on how to deal with messages that do not meet SPF and DKIM requirements. DMARC also allows reports to be received on the actions taken by mail servers receiving messages. These rules become part of the domain's DNS records.
When a mail server receives a message, it verifies the DNS records of the respective sender domain to check the DMARC policy and evaluates the message according to three guidelines:
whether the DKIM is valid
whether the SPF contains the IP of the sender server
whether the domains authenticated by DKIM and SPF (the DKIM signing domain and the Return-Path domain) align with the domain in the sender's address (the "From" header)
After verification, based on the DMARC policy published by the sending domain, the server 'decides' what to do with the message and sends a report to the addresses given in the rua/ruf tags.
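The evaluation step just described, together with the relaxed versus strict alignment modes from the recommended configuration above, as an added example that is not part of the original article or of edrone's software. It takes the policy tags a receiver has already read from DNS, the domain of the From header, the d= domains of any DKIM signatures that verified, and the Return-Path domain if SPF passed, and returns the DMARC result and the disposition (none, quarantine or reject) after pct sampling. The organizational-domain function is an assumption for this example: it keeps the last two labels, whereas real receivers consult the Public Suffix List; the sample domains are constructed.

```python
"""Evaluate DMARC identifier alignment and apply the published policy (RFC 7489, section 6.6)."""
import random


def organizational_domain(domain):
    """Approximate the Organizational Domain as the last two labels.

    Assumption for this example: real implementations consult the Public Suffix List
    so that names like 'example.co.uk' are handled correctly; two labels is enough for
    the .com style sample domains used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): organizational domains match. Strict ('s'): domains match exactly."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(policy, from_domain, dkim_pass_domains, spf_pass_domain, sample=None):
    """Return (dmarc_result, disposition, reasons).

    policy: dict of DMARC tags (p, adkim, aspf, pct) published by the From domain.
    dkim_pass_domains: d= domains of the DKIM signatures that verified (may be empty).
    spf_pass_domain: the Return-Path (MAIL FROM) domain if SPF passed, otherwise None.
    sample: a number in [0, 100) used for pct sampling; a random draw when not given,
            so tests can pass a fixed value.
    """
    reasons = []
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    # DMARC passes if at least one authenticated identifier aligns with the From domain.
    dkim_ok = any(aligned(from_domain, d, adkim) for d in dkim_pass_domains)
    spf_ok = aligned(from_domain, spf_pass_domain, aspf)
    reasons.append(f"dkim aligned ({adkim}): {dkim_ok}")
    reasons.append(f"spf aligned ({aspf}): {spf_ok}")
    if dkim_ok or spf_ok:
        return "pass", "none", reasons

    # Failure: apply p=, but only to the pct= share of failing messages.
    p = policy.get("p", "none")
    pct = int(policy.get("pct", 100))
    if sample is None:
        sample = random.randrange(100)
    if sample >= pct:
        # Outside the sampled share the receiver applies the next less strict policy.
        p = {"reject": "quarantine", "quarantine": "none", "none": "none"}[p]
        reasons.append(f"outside pct={pct}, policy downgraded to {p}")
    return "fail", p, reasons


if __name__ == "__main__":
    # Constructed sample: the recommended relaxed settings versus strict alignment.
    relaxed = {"p": "reject", "adkim": "r", "aspf": "r", "pct": "100"}
    strict = {"p": "reject", "adkim": "s", "aspf": "s", "pct": "100"}
    # A subdomain signs the mail (DKIM d=mail.yourdomain.com); SPF did not pass.
    for name, pol in (("relaxed", relaxed), ("strict", strict)):
        result, disposition, why = evaluate_dmarc(pol, "yourdomain.com", ["mail.yourdomain.com"], None)
        print(f"{name}: result={result} disposition={disposition} {why}")
    # A forged message: no DKIM, SPF passed for an unrelated domain, p=reject with pct=50.
    sampled = {"p": "reject", "pct": "50"}
    for s in (10, 75):
        print("forged, sample", s, evaluate_dmarc(sampled, "yourdomain.com", [], "other.example", sample=s)[:2])
```

Running the constructed sample shows why the article recommends adkim=r and aspf=r: the same legitimate message signed by mail.yourdomain.com passes under relaxed alignment and is rejected under strict alignment, while a message with no aligned identifier fails regardless of mode and receives the published policy.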
Why configure DMARC?
SPF and DKIM authenticate a message in terms of its source and content integrity; DMARC builds on both mechanisms to let the domain owner set a handling policy for messages that fail and to receive reports on the actions taken by receiving mail servers. Configuring SPF and DKIM together with DMARC increases the effectiveness of protection against forgery and phishing attacks.
Do you need additional help?
If you have any additional questions about working with the sender domain and DKIM in edrone, please contact us at hello@edrone.me.
