Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol which helps protect you by preventing unauthorised people sending from your domain. When a server receives an email it will check against your DMARC record. DMARK works by using the SPF and DKIM records to work out if an email is authentic then telling the receiving server whether or not to accept that email. Many businesses now require DMARC so if you do not have it properly configured your email may not be accepted.


Here is the value you need to edit and put into your Domain Name System (DNS): 

_dmarc.example.com "TXT" "v=DMARC1;p=none;pct=100;rua=mailto:"

Detailed Explaination

To help explain what's required, here's a breakdown of the components:

This identifies the protocol version and lets the receiving server know if you have DMARC setup. 

DMARC receivers will report statistics about messages from this domain, and will reject messages which fail DMARC Authentication. Quarantined messages be marked as such. 


They system will let all mail to be received by the recipient.


Quarantine: The email is put into a external mailbox where it is up to the recipient to decide.
Spam Folder: The email is delivered to the recipients spam folder
Dropped: The email is blocked (This usually only happens if the email has other bad qualities and the tag pushed the email over the spam limit) 


Advises the receiving server to reject any email that fails any DKIM and/or SPF checks.

pct=100 (Optional)
The reject policy will apply to 100% of unauthenticated messages from this domain, you can change this to be any number between 1 and 100.

rua=mailto:  (Optional)
DMARC aggregate data about messages from this domain will be e-mailed to the supplied email address once per day.

ruf=mailto:  (Optional)
Samples of messages failing either DMARC-SPF or DMARC-DKIM will be e-mailed to the supplied email address as they happen. 

sp = reject (Optional)
Policy for subdomains, uses the same expressions as 'p'.

adkim=r (Optional)
Optional. Set the alignment mode for DKIM. There are two options either 'r' or 's', by default it is set to 'r'.
s: strict, the sender domain name must exactly match the corresponding d=name.
r: relaxed,  any subdomain of d=domain (in the mail headers) will also be accepted.

aspf=r (Optional)
Optional. Set the alignment mode for SPF. There are two options either 'r' or 's', by default it is set to 'r'.
s: In strict mode the domain.name in the MAIL FROM command (in SMTP) and the from: header (in the mail item) must match exactly
r: In relaxed mode any valid subdomain of domain.name is acceptable.

rf=afrf (Optional)
The reporting format for individual Forensic reports. Can be either "afrf" or "iodef".
Afrf – Message format for error reporting (Abuse Report format) is defined by RFC 5965.
iodef – Message format for error reporting (Incident Object Description Exchange Format) is defined by RFC 5070.

ri=86400 (Optional)
The reporting interval for how often you'd like to receive aggregate XML reports. You'll likely receive reports once a day regardless of this setting.

fo=0 (Optional)
Forensic reporting options. Possible values: "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, "1" to generate reports if any mechanisms fail, "d" to generate report if DKIM signature failed to verify, "s" if SPF failed.

You can use the tools found at mxtoolbox.com to confirm your domain is correctly configured for DMARC.

Was this article helpful?

Related Articles