Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol which directs end mail servers on what they should do with an email which doesn’t match the sending domain’s existing SPF and DKIM validation.

This allows you to tell the end mail system if it should deliver the message, quarantine or reject. It also allows it to be reported back to you so that you can analyse any phishing attempts.


Reading DMARC reports are system level and expected to be completed by automated analysis tools or experienced mail administrators.


Before adding a DMARC record, you must first configure and properly validate your SPF record and DKIM singing:


Here is the value you need to edit and put into your Domain Name System (DNS): 

_dmarc.example.com "TXT" "v=DMARC1; p=quarantine; pct=100; rua=mailto:"

Detailed Explanation

To help explain what’s required, here’s a breakdown of the components:

This identifies the protocol version and lets the receiving server know if you have DMARC setup. 

DMARC receivers will report statistics about messages from this domain, and will reject messages which fail DMARC Authentication. Quarantined messages be marked as such. 


They system will let all mail to be received by the recipient.


Quarantine: The email is put into a external mailbox where it is up to the recipient to decide.
Spam Folder: The email is delivered to the recipients spam folder
Dropped: The email is blocked (This usually only happens if the email has other bad qualities and the tag pushed the email over the spam limit) 


Advises the receiving server to reject any email that fails any DKIM and/or SPF checks.

pct=100 (Optional)
The reject policy will apply to 100% of unauthenticated messages from this domain, you can change this to be any number between 1 and 100.

rua=mailto:  (Optional)
DMARC aggregate data about messages from this domain will be e-mailed to the supplied email address once per day.

ruf=mailto:  (Optional)
Samples of messages failing either DMARC-SPF or DMARC-DKIM will be e-mailed to the supplied email address as they happen. 

sp = reject (Optional)
Policy for subdomains, uses the same expressions as ‘p’.

adkim=r (Optional)
Optional. Set the alignment mode for DKIM. There are two options either ‘r’ or ‘s’, by default it is set to ‘r’.
s: strict, the sender domain name must exactly match the corresponding d=name.
r: relaxed,  any subdomain of d=domain (in the mail headers) will also be accepted.

aspf=r (Optional)
Optional. Set the alignment mode for SPF. There are two options either ‘r’ or ‘s’, by default it is set to ‘r’.
s: In strict mode the domain.name in the MAIL FROM command (in SMTP) and the from: header (in the mail item) must match exactly
r: In relaxed mode any valid subdomain of domain.name is acceptable.

rf=afrf (Optional)
The reporting format for individual Forensic reports. Can be either “afrf” or “iodef”.
Afrf – Message format for error reporting (Abuse Report format) is defined by RFC 5965.
iodef – Message format for error reporting (Incident Object Description Exchange Format) is defined by RFC 5070.

ri=86400 (Optional)
The reporting interval for how often you’d like to receive aggregate XML reports. You’ll likely receive reports once a day regardless of this setting.

fo=0 (Optional)
Forensic reporting options. Possible values: “0” to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, “1” to generate reports if any mechanisms fail, “d” to generate report if DKIM signature failed to verify, “s” if SPF failed.

You can use the tools found at mxtoolbox.com to confirm your domain is correctly configured for DMARC.

Was this article helpful?

Related Articles