1. FMG Knowledge Base
  2. Advanced
  3. DNS and Email Authentication

DMARC Overview

Learn what DMARC is, why it’s important, and how to implement it

What is DMARC?

DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, is an email validation system that safeguards your organization's email domain against phishing scams and other cyber threats. It allows you to specify the actions to be taken when emails from your domain fail authentication checks.

How Does DMARC Work?

DMARC builds on two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which are used to associate a piece of email with a domain.

  • SPF: Allows senders to specify which IP addresses are permitted to send emails on behalf of a particular domain.
  • DKIM: Adds a digital signature to an email's header, which recipients can verify.

If an email passes the SPF or DKIM check and the domain in the email header aligns with the domain in the SPF or DKIM record, the DMARC check is successful. However, passing these checks does not guarantee email delivery, as other factors like recipient preferences and spam filters may still affect the final delivery.

For more information on SPF verification for email delivery, please refer to the article: SPF Verification for Email Delivery.


Why is DMARC Important?

DMARC helps protect email senders and recipients from spam, phishing, and spoofing attacks. By implementing DMARC, you can:

  • Brand Protection: A properly configured DMARC policy prevents unauthorized parties from sending emails from your domain.
  • Email Traffic Monitoring: Enables you to review email traffic sent from or on behalf of your domain, helping maintain your reputation.
  • Improved Email Deliverability: Helps receiving servers verify if an email aligns with the sender's known information.

Remember, setting up a DMARC record for your domain is crucial to improving your email security and deliverability. However, it can be complex to configure and utilize to its full potential. If you haven't done so already, we recommend that you prepare for future sending requirements and look into best practices for implementing this increasing standard.

How do I add a DMARC Record?

Note: If your organization has an internal IT department, it is recommended to consult them to ensure the proper configuration of DMARC.


Adding a DMARC record can differ based on your DNS provider. The most basic configuration, which currently meets the basic requirements of Google and Yahoo, involves adding a single TXT record with the following value:

RECORD TYPE     HOSTNAME    VALUE   
TXT   _dmarc    v=DMARC1; p=none; 

 

Some DNS providers require the addition of the domain name into the hostname. Using yourdomain.com as an example domain, the single record to add would be:

RECORD TYPE HOSTNAME     VALUE  
TXT  _dmarc.mydomain.com  v=DMARC1; p=none; 

 

Here is a step-by-step guide on how to add a DMARC record:

  1. Log in to your DNS provider: This could be the company where you registered your domain name or your hosting provider.
  2. Find the DNS management area: This is usually labeled as 'DNS Settings,' 'DNS Management,' 'Advanced Settings,' or something similar.
  3. Create a new record: Look for an option to add a new record. The type of record you want to create is a 'TXT' record.
  4. Enter the Hostname: In the field for the name or host, enter _dmarc. Some DNS providers require adding the domain name, so you may need to enter _dmarc.yourdomain.com (replace 'yourdomain.com' with your actual domain name).
  5. Enter the Value: In the value or content field, enter v=DMARC1; p=none;
  6. Save the record: Once you've entered these details, save the new record.
  7. Wait for the changes to propagate: DNS changes can take up to 72 hours to propagate throughout the internet, although it's often much quicker.
  8. Verify the record: You can use online DMARC record check tools to verify that your DMARC record is published correctly. Please note that this is the basic DMARC functionality to meet Google and Yahoo’s current requirements to continue sending. At this time, additional DMARC configurations are not necessary and would require continued active steps with each send that are beyond most sending requirements.

Additional Resources

For further information on DMARC, you can refer to the following Google resources:

To learn more about how DNS, SPF, DKIM, and DMARC work together to secure your email communications, please refer to our Understanding Email Authentication article.