A Comprehensive Guide On How To Create DMARC Records For Your Domain(s)
How creating a DMARC record can prevent spoofing and protect your domain’s reputation.
In this age of rampant cybercrime, email poses the greatest danger to network systems globally because it is also the primary means of communication for businesses, and malicious actors continue to employ techniques such as phishing and spoofing. Email protection and authentication standards like SPF and DKIM help protect emails and ensure they reach their final destination. Since these standards work in conjunction with DMARC for better protection, domain owners need to create DMARC records to fully protect their customers and themselves. Hence, it is essential to know how to create DMARC records and why they matter for secure email communication.
What Is A DMARC record?
SPF and DKIM are two of the most commonly used standards in the industry for authenticating emails. A DMARC record is a TXT entry in the domain’s DNS records that publishes the email domain’s policy to the world, which receivers consult when checking whether SPF/DKIM has passed or failed.
DMARC records also tell the servers that handle the email on the way to its destination to send XML reports to the reporting email address listed in the record. These reports show how email is moving through the email ecosystem. They also allow one to identify whoever uses the email domain.
How Does A Sample DMARC Record Look?
Here is a DMARC record example.
“v=DMARC1; p=none; rua=mailto:wbxefl4v@ag.dmarcian.com”
In this record, “v=” indicates that it is a DMARC record,
“p=” indicates the DMARC policy, which is described in the below section in more detail.
And “rua=” shows where one should send the data. RUA is a report that provides a total view of all of a domain’s traffic. RUF is another report that shows redacted forensic copies of individual emails, not necessarily 100% compliant with DMARC. While the RUA reports indicate how the email travels, the RUF reports are snippets from the emails themselves. RUA reporting is essential for DMARC deployment, whereas advanced users add the RUF tag to send more information. The RUA and RUF records are in XML, and therefore, not easy to read. Various tools are available that can translate these XML files to reader-friendly formats.
The Different DMARC Policies
Three possible policy settings are available in DMARC.
- ‘None’ Policy – The ‘None’ policy lets users monitor DMARC results while not acting on the failing emails. It enables you to start with DMARC, gather all DMARC records, and analyze the data.
- ‘Quarantine’ Policy – This policy puts all the failed emails in quarantine. Eventually, these emails find their way into the receiver’s junk folder.
- ‘Reject’ Policy – This policy rejects all the emails that fail the DMARC check. Usually, this job is done at the SMTP level.
To configure DMARC, the user should choose one of these policies to define how they want the email receivers to handle emails that fail DMARC checks.
How To Create DMARC Records?
Setting up DMARC records is crucial in today’s environment. It is essential to ensure that emails reach their final destination securely and rescue customers from the menace of spoofing and phishing. It works closely with SPF and DKIM email verification standards. If SPF and DKIM are in place, it is easy to configure DMARC by adding email policies to the domain’s DNS records in the TXT format. The below information shows the step-by-step procedure of how to create DMARC records.
- Enter The DMARC Record Details: On finalizing the record, visit the DNS hosting provider and log in. A prompt allows you to create a new record or locate the TXT section for editing any existing record. One can make the record by entering the following information on the new record creation wizard:
  - Host/Name
  - Record Type
  - Value
  The field names can vary from one hosting provider to another.
- Select TXT DNS Record Type: Depending on the DNS hosting provider, there will be a drop-down list of DNS record types. One should select the TXT option.
- Add Host Value: The value ‘_DMARC’ must be input, and the DNS hosting provider appends the domain after that value. To add a DMARC record for a subdomain, input the value ‘_DMARC.subdomain’ in the input field.
- Add Value Information: As discussed earlier, DMARC DNS records have only two ‘required’ tag-value pairs, namely v and p.
  ‘v’ has the tag-value ‘v=DMARC1’. The tag-value for ‘p’ can be ‘none’, ‘quarantine’, or ‘reject’. Thus, the tag-value pairs would look like ‘p=none’, ‘p=quarantine’, or ‘p=reject’. Generally, new DMARC records should all start with ‘p=none’ because this policy lets one identify email delivery issues due to the domain’s SPF or DKIM. It ensures that the email is not accidentally quarantined or rejected. It is also advisable to include the ‘rua’ tag if the resulting reports on the email’s performance are needed. Here is another DMARC example.
  “v=DMARC1; p=none; rua=mailto:dmarcreports@yourdomainname.com”
  One should note the following when adding the ‘value’ information.
  - Of all the DMARC TXT tags, the ‘v’ and ‘p’ (‘version’ and ‘policy’) tags are compulsory, whereas the ‘rua’ tag is optional.
  - Tags must be separated from each other by semicolons.
  - The ‘rua’ and ‘ruf’ tags support multiple email addresses, which should be separated by commas.
  - It is possible to add several advanced or optional tags like ‘ruf’, ‘rf’, ‘aspf’, and ‘adkim’. However, they are not recommended during the initial setup.
- Click On The Create/Save Option: After inputting all the details, hit the save or submit button to generate the record.
- Validation Of DMARC Record: Finally, run the DMARC record check to verify if the record has correct values and syntax.
A DMARC record generator can also help in automatic DMARC record generation. Free versions of DMARC generator programs are available to help one quickly generate a sample DMARC record.
How Does DMARC Work?
DMARC is deployed by publishing a DMARC record in the DNS. Receivers then use it when checking whether an email passes or fails SPF/DKIM, which is also referred to as DMARC alignment. The situation with DMARC protection in place differs from the one without it, as shown below.
What Happens Without DMARC?
Here is the situation when there is no DMARC protection.
- The filters cannot figure out whether the emails are real or fake. The recipient has to figure it out.
- There are chances of spoofing and phishing, resulting in damage to the organization’s brand value and other losses.
- There is no control over the email flow.
The Position With DMARC In Place
When there is DMARC authentication, the situation is as follows.
- The recipient can trust the domain.
- It enhances the organization’s brand value.
- It blocks unsafe emails.
Final Words
Almost 90% of all cyberattacks on network systems involve emails. It can be challenging to identify whether the email is fake or genuine without an authentication system like DMARC. Domain owners can create DMARC records to protect their domains from cyberattacks like phishing, BEC, CEO fraud, spoofing, etc.
DMARC has tremendous utility as an anti-spoofing technology. It works by helping domains filter out malicious emails and identify legitimate ones. It thus serves as an appropriate email authentication solution.