Prerequisites

To get the most out of this guide, your existing emails should be passing SPF and DKIM.

What is DMARC?

DMARC (or Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol used to prevent email spoofing and protect against unauthorized use of a domain in email messages.

1. Add Flexible DMARC Record

To start, add a flexible DMARC record to your domain.

| Name | Type | Value |
| --- | --- | --- |
| _dmarc.example.com | TXT | "v=DMARC1;p=none;pct=100;rua=mailto:dmarcreports@example.com" |

This record specifies a few parameters (see the Reference section for more details):

"v=DMARC1; p=none; pct=90; rua=mailto:dmarcreports@example.com"
  • v - Version: This is the version of DMARC.
  • p - Policy: This tells the inbox how to process messages that fail DMARC. Options are none, quarantine, and reject. It's a best practice to use at least quarantine or reject, but you should only do so once you know your messages are delivering and fully passing DMARC.
  • pct - Percentage: This specifies the percentage of failed messages that the DMARC policy should be applied to. This can be set to a lower number once you move to a quarantine or reject policy, so you can roll out gradually.
  • rua - Reporting URI of Aggregate: This should be a valid address that can receive messages. This can be on a different domain than the one you are setting the DMARC policy on, but see step 4 for instructions.

2. Test to Confirm Delivery and Passing

You should now send test emails and make sure they are delivering.

You should also inspect the email headers to find dmarc=pass.

3. Upgrade Policy

Once you feel comfortable with how DMARC is behaving across all your sending, you should upgrade your policy to quarantine. This gives greater confidence because it tells the inbox providers that they should treat the failing messages.

You can use the pct parameter here to do a gradual rollout.

4. Send Report to a Different Domain (Optional)

If you want to receive the DMARC reports at an address on a different domain, you need to specify that address in the rua of the sending domain and also add a record on the recipient domain that authorizes it to receive the reports.

Let’s say you are sending with blue.com but want to send the reports to red.com:

| Name | Type | Value |
| --- | --- | --- |
| blue.com._report._dmarc.red.com | TXT | "v=DMARC1" |
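
The following linter checks a record like the one in step 1 and lists the authorization records that step 4 requires. It is an added example, not part of the original guide or any provider's tooling. The function names are hypothetical, and it compares domains by exact name rather than by organizational domain.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered tag dict."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(domain, txt):
    """Return (problems, external_auth_names) for the record at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    problems, external = [], []
    # The version tag has to come first, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isdecimal() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        scheme, _, addr = uri.partition(":")
        addr = addr.split("!", 1)[0]  # drop the optional "!<size>" report size limit
        if scheme.lower() != "mailto" or addr.count("@") != 1:
            problems.append(f"rua is not a mailto: address: {uri}")
            continue
        report_domain = addr.rsplit("@", 1)[1].lower()
        # Assumption: exact-name comparison; a full check would compare
        # organizational domains using the Public Suffix List.
        if report_domain != domain.lower():
            external.append(f"{domain.lower()}._report._dmarc.{report_domain}")
    return problems, external

if __name__ == "__main__":
    # Constructed sample: blue.com sends its aggregate reports to red.com (step 4).
    record = "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarcreports@red.com"
    problems, external = lint_dmarc("blue.com", record)
    print("problems:", problems)
    for name in external:
        print(f'publish TXT {name} "v=DMARC1"')
```

Each name in the second return value is a TXT record the report-receiving domain has to publish with the value "v=DMARC1" before reports can be delivered there.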

Reference

| Parameter | Purpose | Example |
| --- | --- | --- |
| v | Protocol version | v=DMARC1 |
| pct | Percentage of messages subjected to filtering | pct=20 |
| ruf | Reporting URI for forensic reports | ruf=mailto:authfail@example.com |
| rua | Reporting URI of aggregate reports | rua=mailto:aggrep@example.com |
| p | Policy for organizational domain | p=quarantine |
| sp | Policy for subdomains of the OD | sp=reject |
| adkim | Alignment mode for DKIM | adkim=s |
| aspf | Alignment mode for SPF | aspf=r |
