How To Create A DMARC Record And Avoid Common Configuration Mistakes


DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication framework aimed at empowering domain owners to safeguard their domains against unauthorized activities like phishing and email impersonation. By setting up a DMARC record, organizations can bolster their email security and ensure that only legitimate senders are allowed to communicate using their domain.

Establishing a DMARC record can be relatively simple if you adhere to the correct procedures. However, improper configurations may result in issues such as email delivery failures, diminished reach, and potential security risks. This guide will outline the process of creating a DMARC record while also pointing out frequent configuration errors to steer clear of.


Step-by-Step Guide to Creating a DMARC Record


Step 1: Understand DMARC Components

A DMARC record is a TXT record that you publish in your domain's DNS. It is made up of the following tags:

  • v: Indicates the DMARC version, which is always "DMARC1."

  • p: Specifies the policy action, which can be "none," "quarantine," or "reject."

  • rua: The email address designated for receiving aggregate (summary) reports.

  • ruf: The email address designated for receiving detailed forensic (failure) reports.

  • pct: The percentage of messages to which the policy is applied.

  • sp: The policy applicable to subdomains.

  • adkim and aspf: These define the alignment mode (relaxed or strict) for DKIM and SPF.




Step 2: Create the DMARC TXT Record

An example of a fundamental DMARC record might be:

_v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-alerts@example.com; pct=100; sp=none;_

In this configuration, the policy is set to "none," so the record starts out in monitoring mode: receivers report on authentication results but take no action. Reports are sent to the designated email addresses, pct=100 applies the policy to all messages, and the subdomain policy is likewise set to "none."


Step 3: Publish the DMARC Record in Your DNS

After setting up your DMARC record, proceed with these actions to make it live:

  • Access the management interface of your DNS provider.

  • Go to the area designated for handling DNS records.

  • Create a new TXT record.

  • Input _dmarc in the "Host" section.

  • In the "Value" section, paste your DMARC record.

  • Save the modifications and wait for the DNS changes to propagate.

Step 4: Monitor DMARC Reports

Once you've set up the DMARC record, keep an eye on the reports that are sent to your specified email accounts. These insights will allow you to see how your domain is utilized and pinpoint any unauthorized email actions.
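The aggregate reports that arrive at the rua address are XML documents in the layout given in RFC 7489 Appendix C. The following script is an added example, not part of the original article: it parses one such report and lists, per sending source, how many messages were seen and whether they passed DMARC. The report embedded in SAMPLE_REPORT is constructed for illustration (reporter name, report id and RFC 5737 documentation addresses are made up); the second record shows why the aligned SPF verdict in policy_evaluated, not the raw SPF result, is what matters.

```python
"""Summarise a DMARC aggregate (rua) report.

Added example, not the article's own code. SAMPLE_REPORT is a constructed
report following the RFC 7489 Appendix C XML layout.
"""

import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <email>noreply-dmarc@receiver.example.net</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.newsletter.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203.0.113.99</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def summarise_report(xml_text: str) -> List[Dict[str, object]]:
    """Return one row per <record>: source, volume and aligned verdicts."""
    root = ET.fromstring(xml_text)
    rows: List[Dict[str, object]] = []
    for record in root.iter("record"):
        evaluated = record.find("row/policy_evaluated")
        dkim_aligned = evaluated.findtext("dkim")
        spf_aligned = evaluated.findtext("spf")
        rows.append({
            "source_ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count")),
            "header_from": record.findtext("identifiers/header_from"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            # Raw SPF result, before alignment with the From: domain is checked.
            "spf_raw": record.findtext("auth_results/spf/result"),
            # DMARC passes when at least one aligned mechanism passes.
            "dmarc_pass": "pass" in (dkim_aligned, spf_aligned),
            "disposition": evaluated.findtext("disposition"),
        })
    return rows


def failing_sources(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Message counts for sources that failed DMARC, highest volume first."""
    totals: Dict[str, int] = defaultdict(int)
    for row in rows:
        if not row["dmarc_pass"]:
            totals[str(row["source_ip"])] += int(row["count"])
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def pass_rate(rows: List[Dict[str, object]]) -> float:
    """Fraction of reported messages that passed DMARC."""
    total = sum(int(r["count"]) for r in rows)
    passed = sum(int(r["count"]) for r in rows if r["dmarc_pass"])
    return passed / total if total else 0.0


if __name__ == "__main__":
    rows = summarise_report(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['source_ip']:>15}  n={r['count']:<4} dkim={r['dkim_aligned']:<4} "
              f"spf={r['spf_aligned']:<4} (raw spf={r['spf_raw']}) "
              f"dmarc={'pass' if r['dmarc_pass'] else 'FAIL'}")
    print("pass rate:", round(pass_rate(rows), 3))
    print("failing sources:", failing_sources(rows))
```

The source at 198.51.100.7 passes raw SPF for its own bounce domain but fails SPF alignment; it still passes DMARC because the aligned DKIM signature passes. Sources that appear in failing_sources with meaningful volume are the ones to investigate before moving beyond p=none: either they are legitimate senders that still need SPF or DKIM set up, or they are unauthorized use of the domain.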


Step 5: Enforce a Strict DMARC Policy

After reviewing your reports and confirming that valid emails are properly authenticated, you can transition from a "none" policy to a more stringent approach:

By setting p=quarantine, you will redirect unauthenticated emails to the spam folder, whereas p=reject will prevent them from being delivered altogether.


Common DMARC Configuration Mistakes to Avoid


1. Skipping SPF and DKIM Configuration

DMARC depends on the authentication methods of SPF and DKIM. If these are not configured properly, DMARC will not work as intended. To ensure proper functionality:

  • Make sure SPF includes a precise list of permitted senders.

  • Activate DKIM and ensure that your emails are correctly signed.

2. Using an Incorrect Policy Setting

One frequent error is to instantly configure p=reject without prior testing, leading to the accidental rejection of valid emails. To prevent this, begin with p=none, thoroughly analyze the DMARC reports to spot any authentication problems, and then progressively move towards a more stringent policy.


3. Not Specifying Report Recipients (RUA and RUF)

If you don't include rua and ruf, you won't receive DMARC reports, which makes it much harder to evaluate how well your policy is working.





4. Incorrect TXT Record Formatting

Make sure that:

  • The record begins with _v=DMARC1;_.

  • Tags are divided by semicolons.

  • There are no stray characters or typos.

5. Ignoring Subdomain Policies

DMARC is initially set to affect only the main domain. If you have subdomains, you should establish a policy that specifies either sp=quarantine or sp=reject.


6. Overlooking DNS Propagation Time

Once you have published the DMARC record, be sure to wait for DNS propagation, which may take as long as 48 hours, before conducting any tests.


7. Setting pct=0 or pct=<low value> Without Realizing Its Impact

The pct tag determines the proportion of messages to which the DMARC policy is applied. Setting it to 0 means the policy is applied to no messages at all, which makes it useless.
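Most of the mistakes above (missing rua, a record that does not begin with v=DMARC1, an invalid policy value, a pct that silently disables enforcement, a forgotten subdomain policy) can be caught by linting the TXT value before it is published. The script below is an added example, not the article's own code, that parses a DMARC record into its tags (the components listed in Step 1) and reports each of those problems. The record strings in the __main__ block are constructed: one is the monitoring-mode record from Step 2, the other deliberately broken. For the effective subdomain policy the parser follows RFC 7489, under which an absent sp tag means the p policy also governs subdomains.

```python
"""Parse a DMARC TXT record and lint it for common configuration mistakes.

Added example, not the article's own code. The records in __main__ are
constructed for illustration.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}


@dataclass
class DmarcRecord:
    tags: Dict[str, str]
    problems: List[str] = field(default_factory=list)

    @property
    def policy(self) -> Optional[str]:
        return self.tags.get("p")

    @property
    def subdomain_policy(self) -> Optional[str]:
        # RFC 7489 section 6.3: when "sp" is absent, "p" applies to subdomains too.
        return self.tags.get("sp", self.tags.get("p"))

    @property
    def pct(self) -> int:
        # pct defaults to 100 when omitted; non-numeric values are flagged by
        # parse_dmarc and treated as 100 here.
        value = self.tags.get("pct", "100")
        return int(value) if value.isdigit() else 100


def parse_dmarc(txt: str) -> DmarcRecord:
    """Split a TXT value on semicolons into tag=value pairs and lint them."""
    tags: Dict[str, str] = {}
    problems: List[str] = []
    # A trailing semicolon is legal, so empty fragments are ignored.
    parts = [p.strip() for p in txt.split(";") if p.strip()]

    for part in parts:
        if "=" not in part:
            problems.append(f"fragment without '=': {part!r}")
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()  # normalised so "Ruf" and "ruf" compare equal
        if name in tags:
            problems.append(f"duplicate tag {name!r}")
        tags[name] = value
        if name not in KNOWN_TAGS:
            problems.append(f"unknown tag {name!r}")

    # Mistake 4: the record must begin with v=DMARC1.
    if not parts or not parts[0].replace(" ", "").startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("v") != "DMARC1":
        problems.append(f"unexpected version value {tags.get('v')!r}")

    # Mistake 2: p is mandatory and must be none, quarantine or reject.
    if tags.get("p") not in VALID_POLICIES:
        problems.append(f"invalid or missing p={tags.get('p')!r}")
    # Mistake 5: an explicit sp, if given, must be a valid policy.
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"invalid sp={tags['sp']!r}")

    # Mistake 3: without rua no aggregate reports are delivered.
    if "rua" not in tags:
        problems.append("no rua tag: aggregate reports will not be delivered")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri and not uri.strip().startswith("mailto:"):
                problems.append(f"{tag} URI must use mailto: ({uri.strip()!r})")

    # Mistake 7: pct below 100 leaves part of the mail stream unenforced.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        problems.append(f"pct must be an integer 0-100, got {pct_raw!r}")
    elif int(pct_raw) == 0:
        problems.append("pct=0 applies the policy to no messages")
    elif int(pct_raw) < 100:
        problems.append(f"pct={pct_raw} applies the policy to only part of the traffic")

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in VALID_ALIGNMENT:
            problems.append(f"{tag} must be 'r' or 's', got {tags[tag]!r}")

    return DmarcRecord(tags, problems)


if __name__ == "__main__":
    good = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
            "ruf=mailto:dmarc-alerts@example.com; pct=100; sp=none;")
    bad = "p=reject; v=DMARC1; pct=0"  # constructed: wrong order, no rua, pct=0
    for txt in (good, bad):
        rec = parse_dmarc(txt)
        print(txt)
        print("  effective subdomain policy:", rec.subdomain_policy)
        for problem in rec.problems or ["no problems found"]:
            print("  -", problem)
```

Run the linter against the exact string you are about to paste into the DNS "Value" field; once the record is live, fetch the TXT record at _dmarc.yourdomain and feed that string through the same function to confirm that what resolvers see matches what you published.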