What is a DMARC record?

What is a DMARC record?

30 July, 2020

What is a DMARC record?

A DMARC record is the core of a DMARC implementation in which the DMARC record rule sets are defined. This DMARC record informs email receivers if a domain is set up for DMARC. If so the DMARC record contains the policy which the domain owner wants to use. In essence a DMARC record a DNS (Domain Name Service) entry. One can start using DMARC by implementing a DMARC DNS record. This DMARC record will be used by email receivers who have adopted DMARC. This will result in keeping track of all the messages which have been sent to your domain taking your DMARC policy into account.

The bottom line is that this will empower the organization publishing the DMARC record to instruct how non-compliance should be handled. The messages can be monitored and delivered moved to the junk folder or rejected. 


How to create a DMARC record

DMARC (Domain-based Message Authentication Reporting and Conformance) is the best way to defend your customers, your brand, and your employees from phishing and spoofing attacks. Implementation of DMARC can get tricky at times. However, here’s a step by step guide that will help you to create DMARC Record to your domain name in just 5 steps.


Create DMARC record in 5 steps:

I. Domain Alignment Verification

The first step to create DMARC record is to open all the email headers from the emails that you send. Next task is to identify the domain or subdomain. The domain or subdomain listed in the following places:

  • The Envelope From (i.e., Return Path or Mail-From)
  • The “Friendly” From (i.e., “Header” From)
  • The d=domain in the DKIM-Signature

Check if your domain names are identical. If they are identical and you will be able to instruct mailbox providers to reject any malicious emails purporting to be from your brand. However if you don’t find the domain names to be identical do not panic. You can still create a DMARC record.


II. Email accounts Identification

Through DMARC, you will receive aggregate and forensic (message level) reports daily.

Hence, you will need to designate an email specifically for this purpose. You will receive all your reports in this email. You can choose to use two accounts to avoid getting messed up with all the data.


III. Know about DMARC Tags

DMARC tags are the language of the DMARC standard.

They instruct the email receiver:

  • To check the DMARC
  • What to do with messages that fail DMARC authentication.

There is a host of DMARC tags available, of which you will need just a few. It is advisable to keep it simple. Focus on the v=, p=, fo=, rua, and ruf tags. 


IV. Generate DMARC Text record in your DNS

For every sending domain you must generate a DMARC record.  generate a DMARC text record in your DNS for each sending domain. The mail receiver policy must be set to ‘none’ to complete the process. After doing this, you can now gather all the information on your entire email ecosystem including who is sending email on behalf of your brand, what emails are getting delivered, and what emails are not.

You must specify your email address in the ruf and rua tags to receive the reports. As an example your email address should look something like this:




rua=mailto:[email protected];

ruf=mailto:[email protected]

Now your DMARC record is ready. The next step is implementation.


V. Implementing DMARC into DNS

This is the last step to create DMARC record. Work with your DNS server administrator to add your DMARC record to DNS and start monitoring your chosen domain. Once your DMARC is added to DNS you will start receiving reports of the domain.

You will start receiving reports and see where email traffic using that domain is coming from. Probably you will be able to identify certain vendors or partners who are sending emails on your behalf of which you had no intimidation.


Request Your Complimentary Domain Analysis