DMARC is a protocol for monitoring and controlling the e-mail flows of a mail domain.
Ready to set up your first DMARC record?
In order to fully benefit from DMARC, simply set up a DMARC record in your DNS zone:
- Hostname : _dmarc.yourdomain.com
- Type : TXT
- Value : several possible values
Typically, it should not take more than 5 minutes to set up this record. The aim of this article is to present various possible values for your DMARC record that can assist your organization in fulfilling its security, legal, and control requirements.
Examples of common DMARC records:
If you wish to receive reports concerning the senders of emails that utilize your domain name, along with samples of emails sent with your domain name that do not pass their SPF or DKIM authentication tests:
v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com; ruf=mailto:yourmail@yourdomain.com; fo=1;
If you desire to receive reports regarding the senders of emails that use your domain name, but you prefer not to receive samples of emails sent with your domain name in order to avoid storing any personal data (such as email addresses and subjects):
v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com;
If you prefer for emails that have not been authenticated by your organization to be delivered to your recipients' spam folders:
v=DMARC1; p=quarantine; rua=mailto:yourmail@yourdomain.com;
If you don't want your recipients to receive emails that are not authenticated by your organization:
v=DMARC1; p=reject; rua=mailto:yourmail@yourdomain.com;
If you wish to prevent unauthenticated emails from being delivered to your recipients when they are sent from your top-level domain, but you are willing to permit the receipt of unauthenticated emails when they are sent from subdomains:
v=DMARC1; p=reject; sp=none; rua=mailto:yourmail@yourdomain.com;
If you prefer to prevent unauthenticated emails from being delivered to your recipients by your organization, but you desire for them to receive unauthenticated emails from a specific subdomain.
Set up a DMARC monitoring policy on the "subdomain" not to be monitored:
- Hostname : _dmarc.subdomaindobeprotected.yourdomain.com
- Type : TXT
- Value : v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com;
If you want your recipients to receive only 30% of your organization's unauthenticated emails in their spam folder:
v=DMARC1; p=quarantine; pct=30 ; rua=mailto:yourmail@yourdomain.com;
This DMARC record enables the gradual implementation of DMARC in "quarantine" mode, by mitigating the risks associated with potentially unidentified legitimate email sources identified during DMARC report analysis.
If you want to partition your suppliers so that they can only send e-mails to the subdomain they have been assigned:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:yourmail@yourdomain.com;
If you use Jira, please note that Jira truncates text containing "mailto:" URLs. To ensure proper display, always utilize the {code} tag when inserting code into Jira tickets.
Monitoring DMARC reports: a regular task over time
Setting up these DMARC records will allow you to receive a large number of DMARC XML reports like this one:
After DMARC has been implemented in "blocking" mode, it is crucial to conduct regular analysis of DMARC reports to confirm that all legitimate email sources have been authenticated using SPF/DKIM. The SPF/DKIM/DMARC mechanism necessitates consistent and meticulous maintenance.
For your convenience, we have established a managed, user-friendly service to aid you in the analysis of these reports:
