What is DMARC and what is this record used for?

DMARC (Domain-based Message Authentication, Reporting and Conformance) was developed to limit and reduce the abuse of emails, such as mail spoofing. The specification attempts to remove the long-standing insufficiencies associated with email authentication. With DMARC you define for your domain how the recipient server should authenticate incoming e-mails and how he should handle the message in case of an error. The recipient server uses the SPF as well as the DKIM entry of the sender domain. While SPF determines who can send a message on behalf of the domain and DKIM ensures that the message comes unchanged from the sender, the DMARC specification allows the sender to make additional recommendations on how the recipient should handle the mail that does not meet the requirements in one or more cases. If the recipient of an e-mail uses the DMARC specification, this ensures a consistent verification of the authenticity of this e-mail.

How is DMARC structured?

DMARC uses, similar to DKIM and SPF, a TXT record in the DNS settings. A resource record is created for the subdomain "_dmarc", which describes the DMARC policy for the sender domain. Below you will find an example how the DMARC of one of the domains "test.de" might look like:

• The value for v must always be "DMARC1".
  
• For ruf or rua you can enter any valid email address on which you want to receive the reports. If you want to receive the reports on an external email address, you have to confirm that you as the owner of the external domain also want to receive the reports. This is done via a TXT entry at the external domain.
  Example: A DMARC should be set up for the domain "beispiel.de" and the reports then sent to "dmarc@example.com". With the following TXT entry the owner of the domain "example.com" can confirm that he wants to receive the reports:
  beispiel.de_report_dmarc.example.com IN TXT "v=DMARC1"
  
• The p and sp parameters specify how the receiving mail server should react if the DMARC check fails. If none is specified, no action is taken and the message is accepted. If quarantine is set, the message is automatically quarantined or moved to the spam folder. With reject, the message is getting rejected by the destination server.
  
• The matching modes for DKIM and SPF have a special meaning. For SPF, the DMARC specification requires that, first, the verification is positive and, second, the "From" header of the email has the same domain as stored in the SPF record. For DKIM, it is required that the signature is valid and, in addition, that the domain named there is the same as in the "From" header of the email. The matching modes are s for "strict" and r for "relaxed". With "strict" the domains must match exactly, with "relaxed" the "From" header may also contain a subdomain.
  
• The fo parameter controls when an error report should be generated. The default value 0 generates a DMARC error report when all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned "pass" result. At value 1, an error report is generated if any of the underlying authentication mechanisms (SPF or DKIM) return anything other than an aligned "pass" result. The value d indicates that a report should be generated if the message contained a signature that could not be evaluated, regardless of its alignment. The value s shall be used to generate a report if the message failed the SPF evaluation, regardless of its orientation. Multiple values can be separated with a colon, e.g. fo=1:d:s.
  
  

How can I generate a DMARC entry for my domain?

In order to generate a DMARC record for your domain, you can find a DMARC Generator.