Skip to main content

How to build a DMARC record

Donell Cox
  • Updated

Question

How do you build a DMARC record?

 

Answer

DMARC records work with SPF and DKIM records to help ensure messages accepted by a server are from a legitimate source. This is done by setting a policy for how recipient servers should handle emails that do not match the DMARC record settings. This article is a basic guide on how to craft a DMARC record by breaking down its components.

CONFIG_TEXT: $hostname $TTL $class $recordtype "$recordtext"

Note: DMARC records are "all-for-one" in that they apply to all subdomains for the domain unless a DMARC record exists for that specific subdomain.

Note: In the following procedure, "$domain.tld" must be replaced with the domain name for which the DMARC record will be created.

  1. The "$hostname" field of the DMARC record must begin with _dmarc, even if the record is for a subdomain.

    CONFIG_TEXT: _dmarc.$domain.tld.

    CONFIG_TEXT: _dmarc.subdomain.$domain.tld.

  2. "$TTL" is the record's time-to-live value, which should be between 1800 and 3600 seconds.

  3. The "$class" field must be IN.

    Note: The value of this field is always IN, and many DNS editors, including cPanel's, omit this field in the UI and automatically add it to the finished record.

  4. The "$recordtype" field must be TXT since the DMARC record is a text record.
  5. The "$recordtext" field contains multiple tags, with the "v" and "p" tags being the only required ones.

    • The "v" tag is the protocol version, which is currently DMARC1.

      CONFIG_TEXT: v=DMARC1;

    • The "p" tag is the handling policy and may have the value none, quarantine, or reject.

      CONFIG_TEXT: p=quarantine;

    • The "pct" tag is the percentage of messages that failed DMARC to apply the handling policy to. It should be set to 100 once all testing of the record has been completed.

      CONFIG_TEXT: pct=100;

    • The "aspf" tag specifies if the SPF alignment check should be relaxed or strict.

      CONFIG_TEXT: aspf=r;

    • The "adkim" tag specifies if the DKIM alignment check should be relaxed or strict.

      CONFIG_TEXT: adkim=r

  6. Once you determine each field's value, the final record can be assembled.

    CONFIG_TEXT: _dmarc.domain.tld. 3600 IN TXT "v=DMARC1; p=quarantine; pct=100; aspf=r; adkim=r"

Note: The DMARC record must be placed on the domain's authoritative nameservers.

 

Additional Resources

What is the syntax for SPF records?

How do I verify my SPF records are working?

How to view your SPF and DKIM records in the WHM interface

How to view your SPF and DKIM records in the cPanel interface

How to verify DKIM records are working

Related articles

Comments

0 comments

Article is closed for comments.