What is DMARC?


DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is published as a TXT record in the domain's DNS and specifies the policy that the domain owner wants the recipient's server to apply to mail claiming to come from that domain.

It protects both the email sender and recipient from spam, spoofing, and phishing.

The record lets the domain owner set policy on

  • who may send email on the domain's behalf, as determined by its SPF and DKIM records;
  • how receivers should treat mail that fails those checks. In this way it supplements SMTP, which by itself does not verify the sender.

If a DMARC record is published for the domain, it has two main functions.

  1. It tells the recipient's server to do one of the following with mail that fails:
    1. Quarantine the email.
    2. Reject the email.
    3. Allow the email to continue to delivery.
  2. It lets you receive reports on your domain's sending activity. Participating receivers (Gmail, Yahoo, Microsoft, and more) send reports covering all messages claiming to be from the domain to the email address(es) named in the record.

How does DMARC work?

DMARC relies on the established DKIM and SPF mechanisms for email authentication.

  1. When the domain owner publishes a DMARC policy, it instructs receiving email servers how to handle email that fails DMARC validation.
  2. When a receiving email server gets a message, it performs a DNS lookup for the DMARC policy of the domain in the message's "From" header. The server then evaluates the email on three determinants.
    1. Does the email's DKIM signature validate?
    2. Did the email come from an IP address allowed to send on the domain's behalf (SPF record)?
    3. Do the domains in the email's headers show proper "domain alignment"?
  3. With this information, the receiving server applies the sender domain's DMARC policy to decide whether to accept, reject, or otherwise flag the email.
  4. After using the DMARC policy to determine the email's disposition, the receiving mail server reports the outcome to the sending domain's owner.

Available DMARC policies

The fight against spam and email scams continues, and DMARC is a potent tool for stopping email spoofing.

The DMARC record has the domain owner choose one of three policies to specify the preferred treatment of email that fails DMARC authentication.

These three policies are

  • None: Treat the email as it would be treated without any DMARC validation. This policy is used when your goal is to collect data and monitor your current email channel(s).
  • Quarantine: Accept the email but place it somewhere other than the recipient's inbox, usually the spam folder.
  • Reject: Reject the email that fails DMARC validation.

What does DMARC domain alignment mean?

When an email is sent, the "From" header carries a domain name after the @ in the address. Your DKIM signature should carry that same domain name as its signing domain (the d= tag of the signature).

DMARC ties the SPF and DKIM results to the email itself, specifically to the domain found in the "From" header of the message.

When SPF or DKIM passes and its domain aligns with the "From" domain, your email passes DMARC validation.

How to implement a DMARC record on your domain?

DMARC setup is complicated and risky to implement.

If you implement a DMARC policy without knowing all of your sending sources (mailboxes, email marketing, CRM, transactional email, server alerts, and so on), you could end up rejecting your own legitimate email.

Therefore, it is recommended that you first set your DMARC policy to p=none to receive reports on all of your sending sources, then gradually align all outgoing email with DKIM and SPF for your domain.

Monitor the aggregate reports daily. Once you are comfortable with what they show, move to the quarantine policy, and then to reject.

Example of a DMARC record

A DMARC record is published as a TXT record at the name "_dmarc", which gives a record such as _dmarc.mydomain.com.

A DMARC record looks like this (the backslashes escape the semicolons for DNS editors that require them; the record itself uses plain semicolons):

  v=DMARC1\; p=none\; rua=mailto:CUSTOMERID@mydomain.com\; ruf=mailto:CUSTOMERID@mydomain.com\; pct=100

Here,

  • v=DMARC1 specifies the DMARC version.
  • p=none sets the DMARC policy to apply.
  • rua=mailto:CUSTOMERID@mydomain.com is the address to which aggregate reports are sent.
  • ruf=mailto:CUSTOMERID@mydomain.com is the address to which forensic reports are sent.
  • pct=100 is the percentage of failing messages to which the domain owner wants the policy applied. It lets you define how much mail is filtered based on the DMARC result; 100 is the default, and you can adjust it to your needs. Setting pct=20 means that only one-fifth of the affected mail is subject to the policy.

Other tags might include

  • rf: the format for message-specific forensic (failure) reports (rf=afrf).
  • sp: the policy for subdomains, taking the same values as p (for example, sp=reject).
  • aspf: the alignment mode for SPF (aspf=r for relaxed, aspf=s for strict).
  • adkim: the alignment mode for DKIM (adkim=r for relaxed, adkim=s for strict).

Note: The tags above are the basic ones; additional tags are available for a domain owner to use in its DMARC record. Only the v (version) and p (policy) tags are required. All other tags are optional.
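An added example (not the article's or the lookup tool's code) that ties together the evaluation steps in "How does DMARC work?", the alignment rules, and the record syntax above: it parses a record like the one shown and decides the disposition of a message. The domain names, the SPF/DKIM results and the record values are constructed sample inputs; the organizational-domain logic is simplified to the last two labels.

```python
# Added example (not the article's or the lookup tool's code): parse a DMARC TXT
# record and evaluate one message as a receiving server would. All domains,
# SPF/DKIM results and the record itself are constructed sample values.

def parse_dmarc(txt):
    """Split 'tag=value' pairs on ';' (accepting the '\\;' form some DNS editors show)."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:   # the only required tags
        raise ValueError("record must start with v=DMARC1 and carry a p tag")
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels (no public-suffix list).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r', default): same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

# Outside the pct sample, RFC 7489 applies the next less severe policy.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def evaluate(record, record_domain, from_domain, spf_pass, spf_domain,
             dkim_pass, dkim_domain, roll=100):
    """Return (dmarc_pass, disposition). spf_domain is the MAIL FROM domain,
    dkim_domain the d= of a verified signature, roll a 1..100 draw vs pct."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"            # one aligned pass is enough
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]            # From: is a subdomain; sp overrides p
    if roll > int(tags.get("pct", "100")):
        policy = DOWNGRADE.get(policy, "none")
    return False, policy

if __name__ == "__main__":
    rec = r"v=DMARC1\; p=reject\; sp=none\; rua=mailto:CUSTOMERID@mydomain.com\; pct=100"
    # SPF passes for the envelope domain but does not align with From:, so reject.
    print(evaluate(rec, "mydomain.com", "mydomain.com", True, "other.example", False, ""))
```

The last call shows the spoofing case DMARC exists for: a passing SPF result on an unrelated envelope domain does not rescue a message whose visible "From" domain it does not align with.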

What is a DMARC report?

DMARC reports are generated by receiving email servers as part of the DMARC validation process. There are two types of DMARC report.

  • Aggregate reports: These are sent daily. They are XML documents that give statistics about the messages received that claimed to be from a particular domain. They are designed to be machine-readable and show the authentication results and message disposition.
  • Forensic reports: These are real-time reports sent when a message fails. Each is an individual copy of an email that failed authentication. They help troubleshoot a domain's authentication issues and identify malicious domains and websites.

DMARC policy: a request or an obligation?

One important thing to note is that a DMARC policy is a request to the recipient's email server, not an obligation.

A receiving email server may apply its own local policy when it believes the email is legitimate, so a message can still land in the receiver's inbox even if it fails DMARC validation. Usually, email receivers will override the DMARC policy with local policy.

How to validate and perform DMARC record lookup?

To validate a DMARC record, perform the following steps.

  • Open the DMARC Check & DMARC Lookup tool.
  • Enter the domain or host name in the space provided and click the "Lookup DMARC" button.
  • The tool performs the DMARC lookup and validates the record against the following checks.
    1. Is a DMARC record present in DNS at _dmarc.<domain>, so that it can be validated?
    2. Are the RUA / RUF report domains valid?
    3. Which DMARC policy is enabled?

Do I need DMARC?

If you run an e-commerce business or your company sends transactional or commercial email, you must apply more than one email authentication method to verify that an email really comes from you or your business. You can easily generate a DMARC record with our free tool, and more free developer tools are also available.

DMARC helps the recipient's email server evaluate emails that claim to come from your domain. It is one of the essential steps you can take to improve your deliverability.