DMARC Policy

This article explains what DMARC is, how it can help you, and how it is set up.

Written by Adonis Damalis
Updated over a week ago

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message.

What does DMARC do for you?

DMARC helps protect the domain from fraudulent emails (such as phishing attacks) and improves the delivery of legitimate email.

Example:

Here's an example of a DMARC policy for the domain example.com, to be added to your DNS:

HOSTNAME: _dmarc.example.com

VALUE:

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc_reports@example.com; ruf=mailto:dmarc_reports@example.com; fo=1; adkim=s; aspf=s;

Here's a breakdown of what this DMARC policy does:

  • v=DMARC1: This defines the version of DMARC. This should always be DMARC1.

  • p=reject: This tells the email receiver what to do with mail that fails the DMARC check. Other options include none (do nothing, just collect data) and quarantine (treat as spam). The reject policy is the strongest, and tells receiving servers to reject any emails that fail DMARC checks.

  • sp=quarantine: This is the policy for subdomains. It's set to quarantine here, but can be none, quarantine, or reject just like the main policy.

  • rua=mailto:dmarc_reports@example.com: This is the email address where you would like to have aggregate reports sent. Replace dmarc_reports@example.com with your actual email address for reports.

  • ruf=mailto:dmarc_reports@example.com: This is the email address where you would like to have forensic reports sent. Again, replace dmarc_reports@example.com with your actual email address for reports.

  • fo=1: This option defines under which circumstances you want to receive forensic reports. "1" means generate a report if any mechanism fails.

  • adkim=s: This is for DKIM alignment. 's' means strict mode, 'r' means relaxed mode. Strict mode requires that the DKIM d= field exactly matches the from domain.

  • aspf=s: This is for SPF alignment. 's' means strict mode, 'r' means relaxed mode. Strict mode requires that the SPF domain exactly matches the from domain.

Please note! This is just an example DMARC policy. Depending on your email infrastructure and security needs, you might need a different policy. You should consult with your email administrator or IT department to decide on the right policy for your domain. In addition, remember that you need to publish SPF and DKIM records before you publish a DMARC record. Without SPF and DKIM, DMARC has nothing to check against.
