Setting Up DMARC Records
Overview
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when a message claiming to be from your domain fails authentication checks — and it provides reports so you can monitor abuse of your domain.
Why DMARC Matters
Without DMARC, anyone can send email that appears to come from your domain. Spammers and phishers regularly forge the “From” address to impersonate legitimate businesses. DMARC lets you:
- Prevent spoofing — Unauthorized senders are blocked or flagged.
- Improve deliverability — Authenticated domains are trusted more by receiving servers.
- Gain visibility — Aggregate reports show who is sending email on behalf of your domain.
Prerequisites
Before setting up DMARC, make sure you have:
- A valid SPF record published in your domain’s DNS.
- DKIM signing enabled and the public key published in DNS.
DMARC relies on SPF and DKIM to function. Without at least one of them, DMARC cannot authenticate messages.
Creating a DMARC Record
DMARC is published as a TXT record in DNS with the host name _dmarc.
Log in to your 10Corp domain dashboard, go to DNS Management, and add:
| Type | Host | Value |
|---|---|---|
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com |
DMARC Tags Explained
| Tag | Required | Description |
|---|---|---|
| v=DMARC1 | Yes | Protocol version |
| p= | Yes | Policy: none (monitor only), quarantine (send to spam), reject (block entirely) |
| rua= | No | Address to receive aggregate reports |
| ruf= | No | Address to receive forensic (failure) reports |
| pct= | No | Percentage of messages the policy applies to (default: 100) |
| adkim= | No | DKIM alignment: r (relaxed) or s (strict) |
| aspf= | No | SPF alignment: r (relaxed) or s (strict) |
Recommended Rollout Strategy
Implementing DMARC should be done gradually to avoid accidentally blocking legitimate email:
Phase 1: Monitor (p=none)
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Start with p=none to collect reports without affecting delivery. Review reports for 2–4 weeks to identify all legitimate sending sources.
Phase 2: Quarantine (p=quarantine)
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com
Apply quarantine to a percentage of failing messages. Gradually increase pct as you gain confidence.
Phase 3: Reject (p=reject)
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Once all legitimate sources pass authentication, set the policy to reject to fully protect your domain.
Reading DMARC Reports
Aggregate reports (sent to the rua address) are XML files that can be difficult to read directly. Use free tools like DMARC Analyzer, Postmark DMARC, or dmarcian to parse and visualize the data.
Verifying Your DMARC Record
- Command line: nslookup -type=TXT _dmarc.yourdomain.com
- Online: MXToolbox DMARC Lookup
Common Mistakes
- Setting p=reject immediately without monitoring first, which can block legitimate mail.
- Not configuring SPF or DKIM before adding DMARC.
- Using an invalid email address for rua reports.