
If you send emails from your domain, protecting it is no longer optional. Cyberattacks like phishing and spoofing are becoming more common, and they often target domains that are not properly secured. This is where DMARC comes in.
If you have been trying to understand what DMARC is or what a DMARC record is, the concept can feel technical at first. But in reality, it is a simple way to control how your emails are verified and handled. In this guide, you will learn how DMARC works, what it does behind the scenes, and how you can set it up correctly without confusion.
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication method that helps protect your domain from being used in spam or phishing attacks. It is basically a rule you add to your domain that tells email providers how to check messages sent from your domain. It works with SPF and DKIM to verify if an email is legitimate.
If the email fails these checks, DMARC instructs the receiving server on what to do with it. This could be to do nothing, send it to spam, or reject it completely. DMARC also sends reports so you can see who is sending emails using your domain and spot any unauthorized activity.
How DMARC works can sound confusing at first, but here is a simpler explanation that walks you through the basics:
Everything starts when an email is sent using your domain name. This could be from your email service provider, marketing tool, or internal system. The receiving server takes note of the domain used in the "From" address and prepares to verify if the sender is allowed to use it.
Next, the receiving server checks SPF and DKIM. SPF confirms whether the sending server is authorized to send emails for your domain. DKIM checks if the email content was changed during transit. These two checks build the foundation for how DMARC works.
The domain used in SPF and DKIM must match the domain in the "From" address. This match can be exact or close, depending on your settings. DMARC alignment matters because it ensures the email truly represents your domain and not a lookalike.
If the email fails checks or alignment, DMARC applies your policy. With p=none, nothing happens and the email is delivered. With p=quarantine, it may go to spam. With p=reject, it is blocked completely. This is what a DMARC record controls in real time.
After processing, reports are sent to you. Aggregate reports give an overview of all email activity. Forensic reports show details of specific failures. These insights help you monitor usage, fix issues, and understand what DMARC does in practice.
DMARC reports arrive in XML format, which is not human-friendly, so you can use EasyDMARC's Report Analyzer to get reports that are easy to read.
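The check described in the steps above (SPF and DKIM results, alignment with the "From" domain, then the policy) can be sketched as follows. This is an added example, not EasyDMARC's code; the suffix set, the function names and the sample messages are constructed, and a real receiver uses the full Public Suffix List to find organizational domains.

```python
# Added example: simplified DMARC check (alignment, then policy).
# Assumption: a tiny constructed suffix set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
DISPOSITION = {"none": "deliver", "quarantine": "spam", "reject": "reject"}

def org_domain(domain):
    """Return the organizational domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' needs an exact match; 'r' accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf, dkim, policy):
    """spf and dkim are (result, domain) pairs; policy is a dict of record tags.
    Returns (dmarc_pass, disposition)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return True, "deliver"
    return False, DISPOSITION[policy["p"]]

# Constructed messages: (From domain, SPF result, DKIM result, policy tags)
SAMPLES = [
    ("example.com", ("pass", "bounce.example.com"), ("pass", "example.com"), {"p": "reject"}),
    # SPF passes, but for an unrelated domain, so it does not align
    ("example.com", ("pass", "mailer.example.net"), ("none", ""), {"p": "reject"}),
    # strict SPF alignment refuses the subdomain match
    ("example.com", ("pass", "bounce.example.com"), ("fail", "example.com"),
     {"p": "quarantine", "aspf": "s"}),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[0], evaluate(*msg))
```

The second sample shows why alignment matters: SPF alone reports "pass", yet the message fails DMARC because the authenticated domain is not the one in the "From" address.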
A DMARC record is the actual entry you publish in your DNS that puts DMARC into action. It is written as a single line of text and placed under a specific name, usually _dmarc.yourdomain.com.
Instead of explaining the concept again, think of it as the technical setup behind DMARC. Without this record, DMARC cannot exist for your domain.
A typical DMARC record looks something like this:
v=DMARC1; p=none; rua=mailto:[email protected]
Each part of this line has a specific role.
- The v tag defines the DMARC version.
- The p tag sets your policy.
- The rua tag tells where you want to receive reports.

You can also add more tags to control how strict the checks should be, how much of your traffic is affected, and where failure reports should go. In simple terms, the DMARC record is where you configure your rules, control your enforcement level, and define how you want visibility into your domain's email activity.
| Tag | What It Does | How It Is Used | Requirement |
|---|---|---|---|
| v (Version) | Identifies the DMARC version being used. | Always set as v=DMARC1 and placed at the beginning of the record. | Mandatory |
| p (Policy) | Decides how failed emails should be handled. | Set to none, quarantine, or reject based on how strictly you want to enforce DMARC. | Mandatory |
| pct (Percentage) | Controls how much of your email traffic is affected by the policy. | Example: pct=50 applies the policy to half of your emails. | Optional |
| sp (Subdomain Policy) | Sets rules specifically for subdomains. | Used when you want subdomains to follow a different policy than the main domain. | Optional |
| rua (Aggregate Reports) | Specifies where summary reports should be sent. | Add an email address to receive overall DMARC activity reports. | Optional |
| ruf (Forensic Reports) | Sends detailed reports for individual failures. | Add an email to receive failure-level reports for deeper investigation. | Optional |
| fo (Failure Options) | Controls when failure reports are triggered. | Use values like 0, 1, d, or s to define reporting conditions. | Optional |
| aspf (SPF Alignment) | Defines how strictly SPF should match your domain. | Set to r for relaxed matching or s for exact domain matching. | Optional |
| adkim (DKIM Alignment) | Defines how strictly DKIM should match your domain. | Set to r for relaxed or s for strict alignment. | Optional |
| rf (Report Format) | Sets the format for forensic reports. | Commonly set as afrf, which is widely supported. | Optional |
| ri (Reporting Interval) | Decides how often reports are sent. | Set in seconds, like 86400 for daily reports. | Optional |
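To make the tag rules in the table concrete, here is a small parser and sanity check for a DMARC TXT value. It is an added example, not part of the original guide or any EasyDMARC tool; the function names and sample records are constructed, and it assumes report destinations are always mailto: addresses.

```python
# Added example: parse and sanity-check a DMARC TXT value.
KNOWN_TAGS = {"v", "p", "pct", "sp", "rua", "ruf", "fo", "aspf", "adkim", "rf", "ri"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def validate(txt):
    """Return a list of problems; an empty list means no problem was found."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must come first")
    for name in ("p", "sp"):  # p is mandatory, sp only checked when present
        if (name == "p" or name in tags) and tags.get(name, "").lower() not in POLICIES:
            problems.append(f"{name} must be none, quarantine or reject")
    if "pct" in tags and not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        problems.append("pct must be a whole number from 0 to 100")
    for name in ("aspf", "adkim"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            problems.append(f"{name} must be r or s")
    for name in ("rua", "ruf"):  # assumption: only mailto: destinations are used
        for uri in filter(None, tags.get(name, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} entry is not a mailto: URI: {uri.strip()}")
    for tag in tags:
        if tag not in KNOWN_TAGS:
            problems.append(f"unknown tag: {tag}")
    if tags.get("p", "").lower() == "none" and "rua" not in tags:
        problems.append("p=none without rua: monitoring only, but no reports requested")
    return problems

# Constructed records (the report address is a placeholder).
GOOD = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com; adkim=s"
BAD = "p=rejct; v=DMARC1; pct=150; rua=dmarc-reports@example.com; aspf=x"

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(BAD))
```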
Setting up DMARC may sound technical, but if you follow the steps one by one, it becomes simple.
Before creating a DMARC record, you need SPF and DKIM in place. Make sure you include all your sending sources like email providers, marketing tools, and CRM platforms. Missing even one source can cause emails to fail.
You can use EasyDMARC SPF Generator and DKIM Generator to create accurate records without errors.
Once SPF and DKIM are ready, the next step is to prepare the DMARC entry that you will add to your DNS. To avoid syntax errors and save time, you can create the record using EasyDMARC DMARC Generator.
This step defines what DMARC does when emails fail checks.
- p=none: Only monitor emails
- p=quarantine: Send suspicious emails to spam
- p=reject: Block failed emails completely

It is always safer to start with none and move step by step to stricter policies.
Go to your domain's DNS settings and add a new TXT record.
_dmarc

Once saved, your record becomes visible to email servers across the internet.
After publishing, check if everything is working correctly. Even a small mistake can break your setup. You can use EasyDMARC DMARC Lookup Tool to confirm your record is valid and active.
DMARC reports give you insights into who is sending emails from your domain. Review them regularly to find issues and unauthorized activity. Over time, fix any gaps and move towards stricter enforcement for better protection.
DMARC gives you control over how your domain is used in email communication. It helps you monitor activity, fix authentication gaps, and stop unauthorized senders from misusing your domain. Once set up correctly, it improves both your email security and deliverability.
The key is to start simple, monitor your reports, and gradually move towards stricter policies. Small steps can make a big difference over time.
We understand it can be confusing to set up DMARC on your own. So, reach out to our team of experts. We can help you move to full DMARC enforcement quickly. Our team and tools are built to handle even complex setups, helping large enterprises achieve enforcement in around 40 to 50 days. For small and mid-sized businesses, the process is much faster and can often be completed within a few days. Start EasyDMARC's free 14-day trial, where we will sort out all your email authentication problems.
No, DMARC requires at least one of them to pass and align. However, using both SPF and DKIM is strongly recommended because it improves security and reduces the chances of legitimate emails failing.
Once you publish your DMARC record in DNS, it can take a few minutes to a few hours to propagate. After that, email servers will start applying your policy and generating reports.
DMARC significantly reduces phishing and spoofing, but it cannot stop every type of attack. It mainly protects against emails that try to directly use your domain. Other advanced attacks may still require additional security layers.
If your policy is too strict without proper setup, legitimate emails may get blocked or sent to spam. That is why it is best to start with p=none, monitor reports, and then gradually move to stricter policies.