How to build a DMARC record

Introduction

This is a basic guide on how to craft a DMARC record for your domain. For more extensive information, reference the dmarc.org site. Below shows the anatomy of a DMARC record in an effort to show what options are available and what to use in crafting a new DMARC record.

We would also like to mention that DMARC records are "all-for-one", in that, they would apply to all emails for the domain. Please use caution when crafting a new record.

Procedure

DMARC works in conjunction with SPF and DKIM to help ensure legitimate email authenticates in the correct manner. This is done by settings a policy on what do so with emails that do match the DMARC record settings.

A sample DMARC record for a test domain: cptest@domain.tld

Raw DMARC TXT record:

_dmarc.domain.tld. 897 IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@domain.tld; ruf=mailto:dmarc-reports@bounces.domain.tld"

This record contains the following information:

record name: _dmarc.domain.tld.
Protocal version: (v) - v=DMARC1
Policy: (p) - p=quarantine
Percentage of messages for filtering: (pct) - pct=100
Reporting URI for aggregate reports: (rua) - rua=mailto:dmarc-reports@domain.tld
Reporting URI for forensic reports: (ruf) - ruf=mailto:dmarc-reports@bounces.domain.tld

In the above example, the DMARC records would cause the receiver to quarantine all email messages that are non-aligned with the SPF and/or DKIM record of the domain 100% of the time. And send a report to the two email addresses for analysts.

DMARC has more options that can be used than the above. For a full list, we recommend reviewing the "Anatomy of a DMARC resource record in the DNS" section of the dmarc.org webpage.

https://dmarc.org/overview/

Searching for the domain from this third-party site will show any current settings, as well as more detailed information regarding the DMARC options.

https://dmarcian.com/dmarc-inspector/

The DMARC record needs only be placed on the authoritative DNS servers and is a DNS TXT record.

If your nameservers are hosted with us, then you can add the record to your domain's DNS using the cPanel Zone Editor or if you are using the domain registrar provided name servers then you can manage your DNS by logging to the billing portal and accessing your domain and then navigating to DNS Management.

Here is how your DMARC TXT record may look:

v=DMARC1; p=reject; adkim=s; aspf=s; pct=100;

Explanation of the components:

v=DMARC1: This indicates the DMARC version, always set to DMARC1.

p=reject: This policy instructs receiving mail servers to reject emails that fail DMARC checks.

adkim=s: This sets strict alignment for DKIM, requiring an exact match between the DKIM domain and the From domain.

aspf=s: This sets strict alignment for SPF, also requiring an exact match between the SPF domain and the From domain.

pct=100: This specifies that the policy applies to 100% of emails that fail DMARC validation. Including this tag is optional if you intend to apply the policy to all failing emails since it is the default behavior.

You should add this record to your domain's DNS settings as a TXT record for _dmarc.yourdomain.com, replacing yourdomain.com with your actual domain name.

 

Was this answer helpful?

 Print this Article

Also Read

What is RBL?

RBL is short for Realtime Blackhole List, a list of IP addresses whose owners refuse to stop the...

What is your SPAM policy?

When you sign up for a QSS hosting account, you agree not to use the account to send spam,...

Domain has exceeded the max defers and failures per hour

What is this error?If you are receiving an error similar to "Domain example.com has exceeded the...

Email spoofing: Your account has been hacked

What is email spoofing? Email spoofing is the forgery of an email header so that the message...

Google Email MX Setup in cPanel

Login to your cPanel and open Zone Editor Click on Manage Remove all existing MX records Add...