DMARC Records
DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps protect your domain from email spoofing and provides visibility into email authentication results. Setting up DMARC is now recommended for all domains to improve email deliverability and security.
Quick Setup: Safe DMARC Record for Everyone
If you want a simple, safe DMARC record that won't affect your email delivery and doesn't require dealing with reports, use this:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; sp=none; adkim=r; aspf=r;
This configuration:
- Doesn't affect mail delivery (p=none)
- Doesn't generate any reports to manage
- Applies relaxed alignment for both DKIM and SPF
- Signals to email providers that you care about email authentication
Understanding DMARC Components
DMARC records consist of several parts:
Tag | Name | Description |
---|---|---|
v | Version | Always set to DMARC1 |
p | Policy | What to do with messages that fail authentication |
rua | Reporting URI for Aggregate reports | Where to send summary reports |
ruf | Reporting URI for Forensic reports | Where to send detailed failure reports |
sp | Subdomain Policy | Policy for subdomains |
adkim | DKIM Alignment Mode | Strict or relaxed |
aspf | SPF Alignment Mode | Strict or relaxed |
pct | Percent | Percentage of messages subject to filtering |
Policy Options Explained
The policy tag (p=) is the most important part of your DMARC record:
- p=none: Monitor only - emails that fail DMARC will still be delivered
- p=quarantine: Suspicious emails may be sent to spam folder
- p=reject: Emails that fail DMARC should be blocked
Recommended Implementation Path
- Start with basic policy (p=none) without reporting
- Ensure proper SPF and DKIM configuration
- If you want to advance your email security:
  - Add reporting (optional) by adding rua=mailto:youremail@example.com
  - Review reports for at least 2-4 weeks to identify legitimate mail sources
  - Move to p=quarantine with a low percentage (pct=10) when ready
  - Increase percentage as you confirm legitimate email is passing
  - Eventually move to p=reject when confident
Advanced DMARC Examples
Monitoring Only
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1;
Partial Quarantine
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com;
Full Enforcement
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1; adkim=s; aspf=s;
Important Notes
- Start cautiously with p=none to avoid disrupting legitimate email
- Reporting is optional but helpful if you want to advance to stricter policies
- DMARC requires proper SPF and DKIM setup to be fully effective
- Test thoroughly before moving to stricter policies
Report Handling (Optional)
If you decide to use reporting (rua= tag), be aware that the reports:
- Are XML files which aren't easy to read
- Can quickly fill up an inbox
- Require technical knowledge to interpret
⚠️ Important Warning: Google doesn't accept forwarded DMARC reports from themselves. Do not have DMARC reports sent to an email address that forwards to Gmail, as this increases delivery failure statistics for your domain and MXroute's IPs.
If you still want to use reports, you can:
- Set up a dedicated mailbox for DMARC reports (not forwarded to Gmail)
- Use a DMARC report analyzer service
- Forward reports to a non-Google service that provides readable summaries
Prerequisites
For DMARC to work effectively, you should first implement:
- SPF Records for your domain
- DKIM signing for your outgoing email
These authentication methods provide the foundation for DMARC to work properly.