Question 1

What is a DMARC record?

Accepted Answer

DMARC (Domain-based Message Authentication, Reporting and Conformance) DNS TXT record defines how to handle emails failing SPF/DKIM authentication. Format: _dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:reports@example.com". Tags: p (policy), rua (aggregate reports), ruf (forensic reports), pct (percentage), adkim/aspf (alignment). Protects against spoofing, provides visibility into email authentication failures.

Question 2

What DMARC policy should I use?

Accepted Answer

Start with p=none (monitor only) for 2-4 weeks. Review aggregate reports to identify legitimate senders and authentication issues. Fix issues, then upgrade to p=quarantine (spam folder) for another month. Finally, set p=reject (block) for maximum protection. Aggressive timeline: p=reject immediately if confident in SPF/DKIM setup. Use pct=10 to test policies on 10% of email before full rollout. Monitor continuously.

Question 3

What are DMARC aggregate reports?

Accepted Answer

DMARC aggregate reports (rua) are daily XML files showing authentication results for your domain. Contains: sending IPs, SPF/DKIM/DMARC results, message volume, alignment status. Sent to rua= email addresses. Use parsers (dmarcian, Postmark, PowerDMARC) to analyze. Identifies: legitimate servers needing SPF includes, spoofing attempts, misconfigured authentication. Essential for policy enforcement. Enable reports before enforcing strict policies.

Question 4

How to add DMARC record to DNS?

Accepted Answer

Create TXT record at _dmarc.yourdomain.com with generated DMARC policy. Example: _dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com". DNS propagation takes 1-48 hours. Verify: dig TXT _dmarc.example.com or use online validators. Subdomain policy: use sp= tag or separate _dmarc record per subdomain. Update TTL to 300 for testing, increase to 3600+ for production. Monitor reports after deployment.

Question 5

What is DMARC alignment?

Accepted Answer

DMARC alignment ensures From: header domain matches authenticated domain. Two types: SPF alignment (From vs Return-Path domain), DKIM alignment (From vs DKIM d= domain). Modes: relaxed (subdomains allowed) or strict (exact match). Example: email from newsletter@example.com with SPF authenticated @mail.example.com - relaxed passes, strict fails. Set with aspf=/adkim= tags. Strict mode prevents subdomain spoofing but requires careful configuration.

Question 6

How to handle DMARC forensic reports?

Accepted Answer

Forensic reports (ruf) provide individual email samples failing authentication. Contains full headers and redacted body. Privacy concerns: often disabled by receivers. Enable: ruf=mailto:forensic@example.com in DMARC record. Use for: debugging specific failures, investigating spoofing attempts, validating authentication setup. Format: ruf=mailto:forensic@example.com; fo=1:d:s (failure options). Store securely - contains email metadata. Consider data protection regulations (GDPR).

Question 7

What is the pct tag in DMARC?

Accepted Answer

Percentage tag (pct) applies DMARC policy to percentage of failing emails. Example: pct=25 applies policy to 25% of failures, rest get p=none treatment. Use for: gradual policy rollout, testing p=reject impact, limiting false positives. Range: 0-100. Default: 100 (all emails). Strategy: start pct=10 with p=quarantine, monitor impact, increase gradually to pct=100. Remove pct tag once at 100. No effect on reporting - all failures reported.

Question 8

How to protect subdomains with DMARC?

Accepted Answer

Subdomain policy: add sp= tag for subdomain default policy. Example: v=DMARC1; p=reject; sp=quarantine (strict for root, quarantine for subdomains). Or create specific _dmarc records per subdomain. Wildcard: create _dmarc.*.example.com if DNS provider supports. Unused subdomains: set sp=reject to prevent abuse. Organizational domain policy applies if no subdomain DMARC record exists. Test with email from subdomain before enforcing.

DMARC Generator

Quick Start Templates

Monitoring

Features:

Quarantine

Features:

Strict Rejection

Features:

Gradual Rollout

Features:

Need Professional IT Services?

References & Citations

Frequently Asked Questions