DMARC (Domain-based Message Authentication, Reporting and Conformance) was developed to limit and reduce the abuse of emails, such as mail spoofing. The specification attempts to remove the long-standing insufficiencies associated with email authentication. With DMARC you define for your domain how the recipient server should authenticate incoming e-mails and how he should handle the message in case of an error. The recipient server uses the SPF as well as the DKIM entry of the sender domain. While SPF determines who can send a message on behalf of the domain and DKIM ensures that the message comes unchanged from the sender, the DMARC specification allows the sender to make additional recommendations on how the recipient should handle the mail that does not meet the requirements in one or more cases. If the recipient of an e-mail uses the DMARC specification, this ensures a consistent verification of the authenticity of this e-mail.
DMARC uses, similar to DKIM and SPF, a TXT record in the DNS settings. A resource record is created for the subdomain "_dmarc", which describes the DMARC policy for the sender domain. Below you will find an example how the DMARC of one of the domains "test.de" might look like:
v=DMARC1;p=quarantine;pct=100;rua=mailto:RUA@test.de;ruf=mailto:RUF@example.org;adkim=s;aspf=r
Parameter | Meaning | Specification | Allowed values |
---|---|---|---|
v | Protocol version | required | "DMARC1" |
pct | Percentage of mails to be filtered | optional | integer between 0 and 100 |
ruf | Forensic report is to be sent to: | optional | "mailto:mailadress@YOURDOMAIN.tld" |
rua | Aggregated report is to be sent to: | optional | "mailto:mailadress@YOURDOMAIN.tld" |
rf | Error report format | optional | "afrf" or "iodef" |
p | Instruction, how to handle the mails of the main domain | required | "none", "quarantine" or "reject" |
sp | Instruction, how to handle the mails of the sub domain | optional | "none", "quarantine" or "reject" |
adkim | Adjustment mode for DKIM | optional | "r" or "s" |
aspf | Adjustment mode for SPF | optional | "r" or "s" |
fo | Error reporting options | optional | "0", "1", "d" "s" |
In order to generate a DMARC record for your domain, you can find a DMARC Generator.