DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is not a product; it is a freely available technical specification. DMARC tells the recipient's SMTP server whether to allow, quarantine or reject a message when SPF and DKIM verification fails.
Create DMARC Record
Go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:
v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@example1.com
v=DMARC1: The protocol version is DMARC1.
p=none: We choose none as the policy for our domain.
pct=100: The percentage of emails from your domain DMARC applies to.
rua: Stands for reporting URI for aggregate reports. The email address tells receiving email servers where reports should be sent.
CAREFUL: Replace dmarc-reports@example1.com with your real email address that is used to receive aggregate DMARC reports.
There are 3 policies you can choose from:
none: Tells receiving email servers not to do anything special if DMARC check fails.
quarantine: Tells receiving email servers to put the email into quarantine if DMARC check fails. It must be approved by an admin before it can reach the recipient’s inbox.
reject: Tells receiving email servers to reject the email if DMARC check fails.
There’s another tag that you can add to the DMARC record: fo. It has four possible values:
0 (default): Generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
1: Generate reports if any mechanisms fail.
d: Generate a report if DKIM signature failed verification.
s: Generate a report if SPF failed.
For example, you can set fo=1 to receive a report if any mechanism fails:
v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc-reports@example1.com
Once the DMARC record is added, test it by querying the DNS server:
dig txt +short _dmarc.example1.com
Or by using the opendmarc utility, which will produce formatted text:
opendmarc-check example1.com