We suggest you set up a Domain-based Message Authentication, Reporting and Conformance (DMARC) record to monitor your domains. DMARC helps you monitor both fraudulent email that may hurt your brand and the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication performance of your legitimate traffic.
For help creating a DMARC record, use Kitterman's DMARC Record Assistant.
Steps to set up and implement a DMARC record
Here are the steps you need to take to implement a DMARC record:
- Contact your company's Domain Name System (DNS) administrator.
- Ask your DNS administrator to create a TXT record in DNS for _dmarc.[your-domain] with your DMARC record.
- Use the following syntax in the DMARC TXT record:
  - v=DMARC1; p=none; fo=1; rua=mailto:enter your email address; ruf=mailto:enter your email address
  - For example:
    - v=DMARC1; p=none; fo=1; rua=mailto:dmarc_rua@auth.sampledomain.net; ruf=mailto:dmarc_ruf@auth.sampledomain.net
  - Be sure to enter your email addresses after "mailto:". These addresses are where the reports are sent.
  - If you are working with an ESP or other third party who will receive the DMARC reports on your behalf, ask your account representative which email addresses you should use.
- This is the suggested record for when you first implement DMARC. Its tags mean the following:
  - v=DMARC1 indicates the protocol version.
  - The suggested record includes a monitor policy (p=none). This means that you are not instructing mailbox providers to take any action on your email that fails authentication.
  - fo lets mailbox providers know you want message samples of emails that failed SPF, DKIM, or both. For the value:
    - Use 0 to receive a report only if both SPF and DKIM fail (default).
    - Use 1 to receive a report if either SPF or DKIM fails (recommended).
  - rua contains the address where you want to receive aggregate reports.
  - ruf contains the address where you want to receive forensic reports.
- To begin receiving DMARC reports without impacting your current email program, we suggest publishing the record with p=none.
- Make sure you have at least an A record, Mail Exchange (MX) record, or AAAA record in DNS for the domain if you plan on using it to send email.
After you implement DMARC, we recommend that you monitor your domains for at least 30 days. This can help you make sure that your own legitimate email is authenticating correctly before you decide to implement a reject (p=reject) or quarantine (p=quarantine) policy.
Reporting destination information
DMARC supports the ability to send reports to multiple destination addresses. However, you should avoid using more than two different destinations as many mailbox providers do not send reports to more than two.
If multiple email addresses are needed for DMARC reports, every destination must be listed inside the single rua and ruf tags of the DMARC record, with the destinations separated by commas within each tag.
Note: Do not list multiple rua or ruf tags; otherwise your DMARC record will be considered invalid and reports will not be generated.
Correct DMARC record example with multiple reporting destinations:
- v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg@auth.sampledomain.net,mailto:dmarc_aggdata@exampledestination.com; ruf=mailto:dmarc_afrf@auth.sampledomain.net,mailto:dmarc_forensic@exampledestination.com
Incorrect DMARC record example with multiple reporting destinations:
- v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg@auth.sampledomain.net, rua=mailto:dmarc_aggdata@exampledestination.com; ruf=mailto:dmarc_afrf@auth.sampledomain.net, ruf=mailto:dmarc_forensic@exampledestination.com
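As an added example (not part of the original article or any vendor tool), here is a Python checker that applies the record rules above, including the single-tag, comma-separated form for multiple reporting destinations. Tag and value names follow RFC 7489; the two-destination limit is reported as a warning rather than an error because it reflects mailbox-provider behaviour, not the specification.

```python
# Added example, not from the original page: a small checker for the DMARC
# record rules described above. It rejects a repeated rua=/ruf= tag (the
# incorrect form), requires comma-separated mailto: destinations inside one
# tag, and warns when a tag lists more than two destinations.
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_FO = {"0", "1", "d", "s"}


def parse_dmarc(record):
    """Return (tags, errors, warnings) for a DMARC TXT record string."""
    tags, errors, warnings = {}, [], []
    # Tags are ';'-separated; a trailing ';' is permitted.
    parts = [p.strip() for p in record.strip().rstrip(";").split(";")]
    for part in parts:
        if "=" not in part:
            errors.append("malformed tag: %r" % part)
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        if name in tags:
            errors.append("tag %r appears more than once" % name)
            continue
        tags[name] = value
    if parts[0].replace(" ", "") != "v=DMARC1":
        errors.append("record must start with v=DMARC1")
    if "p" not in tags:
        errors.append("missing required p= tag")
    elif tags["p"] not in VALID_POLICIES:
        errors.append("unknown policy %r" % tags["p"])
    # fo may combine options with ':' (for example '0:d'); each must be known.
    if "fo" in tags and not all(v in VALID_FO for v in tags["fo"].split(":")):
        errors.append("unknown fo value %r" % tags["fo"])
    for tag in ("rua", "ruf"):
        if tag not in tags:
            continue
        dests = [d.strip() for d in tags[tag].split(",")]
        for dest in dests:
            if dest.startswith(tag + "="):
                # 'rua=mailto:a, rua=mailto:b' hides a second tag in the value
                errors.append("%s= is repeated inside its own value; use one "
                              "%s= with comma-separated mailto: URIs" % (tag, tag))
            elif not dest.startswith("mailto:") or "@" not in dest:
                errors.append("%s destination %r is not a mailto: address"
                              % (tag, dest))
        if len(dests) > 2:
            warnings.append("%s lists %d destinations; many mailbox providers "
                            "send reports to at most two" % (tag, len(dests)))
    return tags, errors, warnings
```

Run it against the correct and incorrect records above: the correct one yields no errors, while the incorrect one is rejected for the repeated rua= and ruf= tags.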