A DMARC record is a type of TXT record published in the DNS of a domain. It contains the policy and reporting instructions that receiving mail servers follow for messages that fail SPF and DKIM checks. The record helps mitigate email spoofing and phishing by giving receivers a mechanism to authenticate messages, which improves both email deliverability and security.

DMARC overview

DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an email protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to establish the authenticity of an email message. It aims to prevent email-based abuse, such as phishing and spoofing, which are common components of cyber-attacks.

DMARC works by allowing domain owners to publish policies in their DNS records that define their email authentication practices and provide instructions for receiving mail servers (such as Gmail, Yahoo, etc.) on how to handle emails that fail the checks. These instructions can guide the receiver to either quarantine or reject non-authenticated emails, helping to protect both the sender's reputation and the recipient's security.

Creating DMARC records

For help formulating a DMARC record, use MailSlurp's DMARC Record Assistant, or read on. A DMARC record is a DNS TXT record published under the _dmarc label of the domain (_dmarc.example.com), whose value is a semicolon-separated list of the tags described below.

Mandatory tags

  • v: This tag identifies the version of the DMARC record. The value must be DMARC1, and it must be the first tag in the record.
  • p: This tag states the enforcement policy you want mailbox providers to apply when your mail fails DMARC verification and alignment checks. The policy applies to the main domain (example.com) and all its subdomains (m.example.com, b.example.com, etc.), unless the sp tag (see below) specifies a different policy for subdomains. The policy values are:
    • none
    • quarantine
    • reject

Suggested but optional tags

  • rua: This tag tells mailbox providers where to send aggregate reports. These reports give a macro view of your email program's performance and help pinpoint possible authentication problems or suspicious activity. Participating mailbox providers send them daily.
  • fo: This tag tells mailbox providers that you want to receive failure reports for messages that failed SPF and/or DKIM checks. Four options are available:
    • 0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to result in an aligned "pass." (default)
    • 1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) resulted in a non-aligned "pass." (recommended)
    • d: Generate a DKIM failure report if the message contained a signature that didn't pass the evaluation, regardless of its alignment.
    • s: Generate an SPF failure report if the message didn't pass the SPF test, regardless of its alignment.

Optional tags

  • sp: This tag specifies a policy for all subdomains whose mail fails DMARC verification and alignment checks. It is most useful when a domain owner wants different policies for the main domain and its subdomains. The policy options are the same as those of the p tag. If this tag is not set, the policy defined by the p tag applies to the main domain and all its subdomains.
  • adkim: Specifies strict (s) or relaxed (r) DKIM identifier alignment. The default is relaxed (r).
  • aspf: Specifies strict (s) or relaxed (r) SPF identifier alignment. The default is relaxed (r).
  • pct: The percentage of messages to which the DMARC policy is applied. This tag allows the policy to be rolled out gradually and its effect evaluated. The values range from 1-100, with the default being 100.
  • ruf: This tag tells mailbox providers where to send forensic (message-level) reports. These reports are more detailed than aggregate reports and are designed to be sent almost immediately after a DMARC verification failure is detected. However, because of privacy and performance concerns, most mailbox providers do not send them.
  • rf: The format of message failure reports. The default is Authentication Failure Reporting Format, or "afrf", which is currently the only supported value.
  • ri: The interval in seconds between aggregate reports sent to the domain owner. The default is 86400 seconds, equivalent to one day.
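As an added example (not MailSlurp's code), the following Python parses a DMARC TXT record into its tags and checks the mandatory and optional tags against the rules listed above, also reporting which policy a receiver would apply to a subdomain; the sample records are constructed.

```python
# Added example: parse a DMARC TXT record and validate its tags
# against the rules above (tag names and value ranges per RFC 7489).
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt: str) -> list[str]:
    """Return a list of problems; an empty list means the record is valid."""
    tags = parse_dmarc(txt)
    problems = []
    # v must be DMARC1 and must be the first tag
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("v=DMARC1 must be the first tag")
    # p is mandatory; without it receivers apply no policy at all
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p tag missing or not one of none/quarantine/reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    # pct is an integer percentage (RFC 7489 allows 0-100)
    if "pct" in tags and not (tags["pct"].isdigit() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    # rua/ruf hold comma-separated mailto: URIs
    for tag in ("rua", "ruf"):
        uris = tags.get(tag, "").split(",") if tag in tags else []
        if any(not u.strip().startswith("mailto:") for u in uris):
            problems.append(f"{tag} entries must be mailto: URIs")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo must be a colon-separated list of 0, 1, d, s")
    if "rf" in tags and tags["rf"] != "afrf":
        problems.append("rf: afrf is the only supported format")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be a number of seconds")
    return problems


def effective_policy(txt: str, subdomain: bool) -> str:
    """Policy a receiver applies: sp covers subdomains when present, else p."""
    tags = parse_dmarc(txt)
    return tags.get("sp", tags["p"]) if subdomain else tags["p"]
```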

Checking a DMARC record's validity

To validate your DMARC record, use the MailSlurp DMARC validation tool.