Learning how to generate and add a DMARC record to DNS helps fortify your domain against phishing and spoofing attacks. DMARC is short for Domain-based Message Authentication, Reporting, and Conformance, a protocol designed to help recipients’ mail servers identify genuine and suspicious emails.
Steps to Add DMARC Record at Your DNS Provider
Here’s a basic template of the process. The actual steps may vary slightly depending on the DNS provider you choose. Consider tailoring them to your company’s and domain’s email security policies, requirements, and expectations. Also, ensure you have already created and published SPF and DKIM records before adding a DMARC record to DNS.
1. Visit Your DNS Hosting Provider and Look for an Option to Create a Record
Visit your DNS provider’s platform and log in to search for a prompt allowing you to create a new DMARC record.
Then, find the ‘host/name,’ ‘record type,’ and ‘value’ fields for the forthcoming steps.
2. Select the Record Type as ‘TXT’
From the list of DNS record types, choose the TXT (text) record type.
3. Add Host Value
In this field, enter the value _DMARC; the hosting provider automatically appends your domain or subdomain to it.
When adding a DMARC record for a subdomain, it is common to enter _dmarc.subdomain in the designated field. The provider will typically append the domain to the end of this value.
4. Add ‘value’ Information
It’s mandatory for your DMARC record to have the ‘v’ (version) and ‘p’ (policy) tags. The value of the ‘v’ tag is always v=DMARC1, as there is only one version of DMARC as of now.
The ‘p’ value is written as p=x, where x can be none, quarantine, or reject. We suggest you start with the monitoring policy, that is p=none, and gradually advance to the quarantine policy and finally to the reject policy. Using the pct (percentage) tag is encouraged to avoid disruptions and false positives.
Although adding values for the rua and ruf tags is entirely optional, experts highly recommend them because they let you start receiving insightful reports. Once the values are added, your record value will look something like this:
v=DMARC1; p=quarantine; rua=mailto:email@example.com
Once your record looks somewhat like what’s mentioned above, hit the save or submit button to produce a DMARC record for your domain.
6. Verify DMARC Record
After adding the DMARC record, it’s a good practice to verify its existence. You can use online DMARC record lookup tools to confirm that the record has been published correctly.
7. Monitor DMARC RUA and RUF Reports
DMARC RUA reports provide valuable insights into email authentication results by giving details about legitimate and potentially fraudulent email activity related to your domain. Analyzing these reports helps identify potential vulnerabilities, track the effectiveness of your email authentication measures, and refine your DMARC policy.
On the other hand, RUF reports offer forensic details about failed authentication attempts that aid in the investigation of suspicious activities. Continuous monitoring of these reports empowers organizations to proactively address security issues, prevent phishing attempts, and ensure the integrity of their email communication, contributing to a more robust defense against cyber threats.
Common DMARC Tags
The following DMARC tags help in making a record more informative and comprehensive for recipients’ mail servers.
| Tag | Description |
|---|---|
| v (version tag) | Specifies the DMARC version being used. The current version is “DMARC1.” |
| p (policy tag) | Defines the policy for email handling. It can be set to “none” (take no action), “quarantine” (mark as spam or quarantine), or “reject” (reject the message). |
| rua (Aggregate Report URI) | Indicates the email address to which aggregate (summary) reports should be sent. These reports provide statistics on email authentication results. |
| ruf (Forensic Report URI) | Specifies the email address to which forensic (detailed) reports are sent in the event of a DMARC failure. DMARC Forensic reports provide detailed information about failed authentication attempts. |
| sp (Subdomain Policy) | Specifies the policy to be applied to subdomains. It can be set to “none,” “quarantine,” or “reject.” |
| adkim (Alignment Mode for DKIM) | Sets the alignment mode for DKIM. It can be “r” (relaxed) or “s” (strict). |
| aspf (Alignment Mode for SPF) | Determines the alignment mode for SPF. It can be “r” (relaxed) or “s” (strict). |
| pct (Percentage tag) | Specifies the percentage of messages to which the DMARC policy is to be applied. This is useful for gradually enforcing the policy. |
| rf (Report Format) | Defines the format of the feedback reports. It can be “afrf” (Authentication Failure Reporting Format) or “iodef” (Incident Object Description Exchange Format). |
We know it can be overwhelming to receive and manage so many DMARC reports. Moreover, their original XML format is difficult to understand, and that’s why we support our customers with simplified versions. Contact us today to understand how we can help you with DMARC monitoring and reporting.