DMARC records - catalyst2

Call Us 0800 107 7979

Service Status

Back to knowledgebase

Last updated: 5 April 2021

DMARC is short for Domain-based Message Authentication, Reporting and Conformance. As the name suggests, DMARC records enable a few different things:

Tell receiving mail servers what to do with an email if the SPF and/or DKIM checks fail.
Check if the domain the email was sent from is the same domain shown in the email’s ‘From’ header.
Make it possible to receive reports on email deliveries and failures.

Put simply, you can think of a DMARC record as a DNS record that extends the functionality of SPF and DKIM records. One problem with SPF and DKIM records is that receiving mail servers don’t know what you want them to do if one or more checks fail. DMARC solves that issue, as the record tells receiving servers exactly what should happen. And because you define the rules you have control over how receiving servers deal with SPF and/or DKIM failures.

At the same time you – the sender – can receive reports on email deliveries and failures. Although most people don’t use the reporting option, it is useful to be able to monitor outgoing emails.

Adding a DMARC record.

You can add a DMARC record via cPanel:

Select the Zone Editor
Click on the Manage link for your domain
Click on the drop-down arrow to the right of the Add Record button and select Add DMARC Record

Image: Adding a DMARC record via cPanel’s.

The Zone Editor automatically creates a name for the new record (here _dmarc.example.net.), and for the record’s value it suggests using the None policy. Which brings us to the first DMARC element…

DMARC Policies

A DMARC policy tells receiving mail servers what they should do with an email if the SPF or DKIM check fails. There are three options:

None tells the server to accept the email. This option is also known as the reporting only policy.
Quarantine tells the server to quarantine the email. In practice, this usually means that the email is delivered to the recipient’s junk folder.
Reject tells the server to not deliver the email to the recipient.

It might seem odd that None is the default policy. There is a good reason for that though. Because DMARC can report on email deliveries you can first set the policy to None and then check the reports to see if any genuine emails would have been rejected. In other words, you don’t have to dive in head-first. Instead, you can first create a basic DMARC record and then gradually tweak the policy.

If your SPF and DKIM records have been set up correctly there shouldn’t be any accidental email rejections. However, there are many edge cases (such as the issue that SPF often doesn’t work well with email forwarding). It is therefore recommended to start with the None policy, and to only switch to a stricter policy when the email reports show there are no issues.

Other DMARC options

DMARC has a lot more options than just the policy. You can click on the Optional Parameters link to view all options.

Image: The DMARC options shown in cPanel’s Zone Editor.

Most of the default options are sensible choices and you probably want to keep them as they are. The only exceptions are the Send Aggregate Mail Reports To and Send Failure Reports To options. You can use these options to get information about emails sent from your domain. I will discuss these two options first and then briefly explain the other optional parameters.

Report email address

As said, when you use DMARC you can choose to receive aggregate reports and/or failure reports.

Aggregate reports contain information about the domain that was used to sent email, the sender’s IP address and the number of emails that were sent.
Failure reports are also known as forensic reports and include additional information, such as header information (the ‘From’, ‘To’ and ‘Subject’ fields). These reports are only generated when an email fails the DMARC checks.

By default the two parameters are blank, which means that no reports are sent. If you want to receive either or both reports then you can enter one or more email addresses in the Send Reports To fields.

Note that you should enter the email address in the format ‘mailto:<email-address>’. For instance, if you want to receive reports at mail@example.com then you enter the email address as ‘mailo:mail@example.net’.

See the DMARC reports page for more information about the reports.

Subdomain policy

The Subdomain policy section has the same options as the Policy section. This section is only relevant if you sent emails from a subdomain such as sales@shop.example.com (here the subdomain is shop.example.com).

DKIM and SPF Mode

DMARC checks if the domain an email was sent from is correct. It does this by checking if the domain shown in the email’s ‘From’ header matches. For instance, when I sent an email from mail@example.net then the domain example.net should show in the ‘From’ header. If the ‘From’ header shows a different domain, say ‘paypal.com’, then it is likely that the email address has been spoofed and that the email is spam.

There are two modes for both DKIM and SPF: Relaxed and Strict:

Relaxed mode accepts emails from either the domain or a subdomain.
Strict mode requires that the domains match exactly.

In Relaxed mode, which is the default option, an email from mail@example.net that has the subdomain shop.example.net in the ‘From’ header would pass. However, the same email doesn’t pass in Strict mode.

Percentage

The Percentage option specifies the percentage of emails from a domain that should be checked by receiving mail servers. This is an optional tag that was added to the DMARC specifications to allow domain owners to gradually roll out DMARC policies. We recommend keeping the default value (100). To test how DMARC affects email delivery it is better to start with the None policy, as discussed above.

When to generate failure reports

The Generate Failure Reports When option specifies if a failure should be reported when all checks fail or when any checks fail. The default option is to only report failures when all checks fail.

Report format

DMARC reports can be sent in one of two formats. AFRF (Authentication Failure Reporting Format) is the most common format and recommended.

Report interval

By default, aggregate reports are sent every day (86,400 seconds), while failure reports are sent in real time. You can change the reporting interval for aggregate reports to a lower value. However, the report interval is likely to be ignored – in all likelihood you will still receive your reports daily.

Featured Blogs

How to Choose a Dedicated Server for UK Businesses

What our clients say

Great real person support – direct phone number, usually the same individual so any problems are handled by the same people. Excellent.

Daniel Chandler, Vindico UK Ltd

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_5562310_11	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_ashkii	session	No description available.
_wicasa	3 months	No description available.
AnalyticsSyncHistory	1 month	No description
cookid	3 months	No description available.
cookietest	session	No description
crisp-client/domain-detect/1644827320973	session	No description
crisp-client/domain-detect/1644827348275	session	No description
crisp-client/domain-detect/1644827428415	session	No description
crisp-client/domain-detect/1644827479357	session	No description
crisp-client/domain-detect/1644827596454	session	No description
crisp-client/domain-detect/1644827724838	session	No description
crisp-client/domain-detect/1644827824383	session	No description
crisp-client/domain-detect/1644827878659	session	No description
crisp-client/domain-detect/1644828716243	session	No description
crisp-client/domain-detect/1644828846246	session	No description
crisp-client/domain-detect/1644829369013	session	No description
crisp-clientsession30cc6953-ebcf-4bc6-b649-c44eb446409e	6 months	No description
dbmFP	3 months	No description available.
dbmPK	3 months	No description available.
li_gc	2 years	No description