Skip to content

What is DMARC and how to set it up

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security protocol in email communication that helps protect against fraudulent emails and phishing. It mainly serves to:

  • Verification of authenticity of email senders
  • Protection against forgery of email addresses
  • Setting rules for handling suspicious messages

It works by extending the two previous authentication protocols ( SPF and DKIM) and allowing the domain owner to:

  • Define how emails that fail authentication should be processed
  • Set whether such emails should be rejected, placed in spam or accepted
  • Get reports on domain abuse attempts

DMARC thus significantly increases the security of electronic communications by preventing fraudsters from abusing corporate or organizational domains.

The structure of a DMARC record consists of several key parameters:

Protocol version:

  • Always starts with v=DMARC1

Policy for domains (p):

  • p=none - no action
  • p=quarantine - quarantine suspicious emails
  • p=reject - complete rejection of suspicious emails

Subdomain Policy (sp):

  • Allows you to set a specific policy for subdomains
  • Values ​​same as for parameter p

Reporting (rua):

  • Defines the email address for sending summary reports about authentication
  • Example: rua=mailto:dmarc-reports@domain.tld

Evaluation percentage (pct):

  • Specifies the percentage of messages to which DMARC rules are applied
  • Range 0-100

Example of a complete DMARC DNS record:

Name Type Content
_dmarc.domain.tld TXT v=DMARC1; p=reject; rua=mailto:dmarc-reports@domain.tld; pct=100

Initial phase - monitoring:

  • Set policy p=none
  • Turn on reporting
  • Analyze incoming reports
  • Identify legitimate senders

Transition phase - quarantine:

  • Change to p=quarantine
  • Gradually limit suspicious emails
  • Verify that legitimate senders are not blocked

Final phase - strict protection:

  • Set p=reject
  • Completely reject fake emails

Key recommendations:

  • Proceed slowly
  • Evaluate reports carefully
  • Regularly verify the settings of all email services

It is ideal to first set the policy to none and monitor reports for at least 30-60 days before taking further steps.