What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is a mechanism that helps domain owners protect themselves from phishing, that is, from situations where attackers send an email supposedly on your behalf. SPF and DKIM exist to verify the authenticity of the sender, but DMARC is what governs how email providers (Gmail, for example) behave when they receive a message that has failed verification.
The DMARC policy is published in DNS records. To specify a policy for the domain example.com, you need to create a TXT record for _dmarc.example.com. Example value: "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100;".
In this example, p=reject is the “policy” for emails that did not pass DMARC.
There are 3 possible values:
- none — monitoring only, nothing is blocked;
- quarantine — send emails to spam;
- reject — completely reject emails, meaning they won’t even appear in the spam folder.
If the DMARC record for the domain is missing, this is treated as a none policy.
Using the rua and ruf parameters, you can receive statistics on DMARC activity in aggregated form (rua) or for each message that failed verification (ruf).
When does DMARC trigger?
DMARC is considered successful if the mail server sending the message satisfies SPF, or the message has a valid DKIM signature. Otherwise, the message fails DMARC verification.
You can specify the percentage of messages the policy applies to. In our example it is pct=100. If this parameter is not set, DMARC will apply to 100% of emails. If you set, for example, pct=15, then the chosen DMARC policy will apply to 15% of emails, and for the remaining 85% it will be equivalent to the p=none policy.
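As an added example (not part of the original article or any provider's code), the following Python code parses a DMARC TXT value and reports the weak settings described above: a missing record, p=none, pct below 100, and no rua address. The function names and the sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT value into its main tags; raise ValueError if malformed."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' seen in the example record
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must declare v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown policy p={policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return {"p": policy, "pct": pct, "rua": tags.get("rua"), "ruf": tags.get("ruf")}

def audit(txt):
    """Return findings for a DMARC TXT value (None means no record is published)."""
    if txt is None:
        return ["no DMARC record: treated as p=none, nothing is blocked"]
    rec = parse_dmarc(txt)
    findings = []
    if rec["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif rec["pct"] < 100:
        findings.append(f"pct={rec['pct']}: policy covers only part of failing mail")
    if not rec["rua"]:
        findings.append("no rua: aggregate reports are not being collected")
    return findings

# Constructed sample records; example.com is a placeholder domain.
SAMPLES = {
    "strict": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100;",
    "partial": "v=DMARC1; p=quarantine; pct=15",
    "missing": None,
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, audit(record) or ["ok"])
```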
Conclusion about DMARC
Publishing DMARC is not mandatory. If this policy is not present, email providers will process messages according to their own internal rules. But if you have configured DKIM and SPF for your email, adding DMARC is a logical final step, because this policy allows receiving providers to reject messages that fail verification. Without it, the value of SPF and DKIM is somewhat diminished, and your email domain cannot be fully protected.
On the domain editing page in the sender-solutions.com dashboard, you will see information about the current DMARC record. If your domain does not yet have a record, you will find instructions on which record we recommend adding.