Learn how to add a DMARC policy to your domain to monitor and protect your email authentication.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that works together with DKIM and SPF. It helps email service providers confirm that your messages are legitimate, and it lets you monitor who is sending email using your domain.

DMARC is optional but strongly recommended for every sending domain.

Before you begin

DMARC works only if your domain already has DKIM and SPF records.

If you have not set those up yet, complete those steps first.


What a DMARC record does

DMARC checks whether an email sent from your domain matches your domain's DKIM and SPF records. If a message doesn’t match, DMARC tells mail providers what to do with it.

DMARC also sends you activity reports, so you can see:

  • which services are sending email using your domain
  • whether your legitimate email is passing authentication
  • whether anyone is trying to spoof your domain

Reporting is optional: if you enable it, you receive daily summaries of how your domain is being used.

Important:

If you want to use a DMARC monitoring service to help you read your authentication reports, the service will generate this DMARC record for you.

Create your account (we recommend a service like Valimail) and add your sending domain. Copy the DMARC record provided from their interface and add it to your DNS in the next steps of this guide.


Step 1: Choose your DMARC policy

A DMARC record is created at your domain host. Every DMARC record includes a few basic parts:

  • v=DMARC1: The DMARC version.
  • p=none: Policy value is “none.” This instructs mail servers to monitor emails but take no action if the sender cannot be authenticated.
  • rua=mailto:youremail@domain.com: Specifies the email address that should receive reports of emailing activity for your domain.
    • In your record, replace "youremail@domain.com" with the email address where you want to receive DMARC reports. The address must be located on the same domain as the DMARC record OR be issued by a DMARC monitoring service.

Policy options

The DMARC policy (defined through the “p=” part) dictates what should happen with a message that could not be verified with DKIM or SPF.

The policy is usually set to one of these values:

  • p=none: monitor only; take no action (recommended starting point)
  • p=quarantine: treat failing messages as suspicious
  • p=reject: block failing messages completely

If you are new to sender verification, it’s best to take a cautious approach to your initial DMARC policy and set it to “none,” with a plan to increase the strictness.

A finished DMARC record value with these components looks like this:

  • v=DMARC1; p=none; rua=mailto:youremail@domain.com;

Step 2: Create your DMARC record

You can create your own DMARC record using the example above, or you can use a DMARC monitoring service (such as Valimail) to generate one for you.

If you use a monitoring service, simply copy the record they provide.


Step 3: Add the DMARC record to your DNS

  1. Log in to your domain registrar or DNS provider.
  2. Open DNS Settings or DNS Management.
  3. Add a new TXT record.
  4. Enter the following:
    • Host / Name: _dmarc
    • Value / Content: your DMARC record
      •  (example: v=DMARC1; p=none; rua=mailto:you@yourdomain.com;)
    • TTL: Default/Automatic
  5. Save your changes.

Most DNS providers update within minutes, though some can take up to an hour.

Important:

The terminology you see in your account can vary depending on your hosting service. If you’re not sure how to follow these steps in your DNS console, your domain host support will be able to help.


Step 4: Test your DMARC record

Use any DMARC record checker to confirm that:

  • the record is published
  • the format is correct
  • providers can detect it

Many hosts provide their own testing tools, or you can use a service such as the DMARC checker from MxToolBox.


Step 5: Review your DMARC reports

If you included the rua email address, you will begin receiving DMARC reports (usually daily).

These reports show:

  • whether your messages passed DKIM and SPF
  • which services are sending email on your behalf
  • whether anyone is attempting to spoof your domain

Because the reports are sent in XML format, they can be hard to read without help. A monitoring service can help summarize them for you.
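If you want to read a report yourself, the following added example (not part of the original guide or any monitoring service's code) summarizes one aggregate report per sending IP address. It assumes the standard aggregate report element names from RFC 7489 without an XML namespace; the sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (not real data), using the RFC 7489 aggregate
# report element names. Real reports usually arrive as .zip or .gz attachments.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def summarize_report(xml_text):
    """Return {source_ip: {"messages", "passed", "failed"}} for one report."""
    # Reports arrive by email from third parties, so treat them as untrusted:
    # refuse DTD/entity declarations, which a legitimate report does not need.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in DMARC report")
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"messages": 0, "passed": 0, "failed": 0})
    for row in root.iter("row"):
        ip = (row.findtext("source_ip") or "unknown").strip()
        count = int(row.findtext("count") or 0)
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip().lower()
        # policy_evaluated holds the DMARC-aligned results; a message passes
        # DMARC when at least one of DKIM or SPF passes.
        outcome = "passed" if "pass" in (dkim, spf) else "failed"
        summary[ip]["messages"] += count
        summary[ip][outcome] += count
    return dict(summary)

def failing_sources(summary):
    """Source IPs that sent at least one message failing both DKIM and SPF."""
    return sorted(ip for ip, s in summary.items() if s["failed"] > 0)

if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    for ip, stats in sorted(report.items()):
        print(ip, stats)
    print("Failing sources:", failing_sources(report))
```

A failing source is not always a spoofing attempt; it can also be a legitimate service that has not yet been set up with your DKIM and SPF records, so check each one before moving to a stricter policy.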