How to Set up a DMARC Record
A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record assists email servers in differentiating between legitimate emails and fake ones. This helps to prevent third parties from sending emails that appear to have been sent by your organization, thereby reducing cyber threats such as email spoofing, phishing, and CEO fraud.
Email service provider industry leaders are now requiring DMARC and accurate SPF records to safeguard their customers. For WorkWave to successfully send emails on your behalf, there are certain steps that you must complete. These steps will demonstrate to email providers that your emails are secure and legitimate, thereby improving the chances of your emails reaching your customers.
- For more on SPF records, visit How to Set up an SPF Record.
A company’s DNS administrator can set up a DMARC record. WorkWave can not access your DNS to make these changes on your behalf.
There are free online tools, such as mxtoolbox.com, that can be used to check a domain's DNS records. Note that WorkWave is not affiliated with these tools.
To set up a DMARC record, the administrator must have access to the domain.
Follow these steps to add a DMARC record to a domain:
Note: Search your DNS provider’s help information for exact steps.
- Navigate to your DNS hosting provider and create a record.
- Select TXT DNS record type.
- Add the host value ‘_DMARC’.
- If the DNS provider does not automatically append your domain name, adjust the host value to include your domain. For example: “_dmarc.domain.com”.
- Create your DMARC record and add it to the DNS TXT value.
- A typical DMARC record contains at least three important components (or tag-value pairs): v tag, the p tag, and the rua tag.
- v tag - specifies the version of DMARC. The only tag-value pair for "v" is v=DMARC1.
- p tag - is the policy (or the action to perform if email fails DMARC checks). For the "p" tag pair, "p=" can be paired with none, quarantine, or reject. As tag-value pairs, they look like p=none or p=quarantine or p=reject. (See DMARC policies below for more information.)
- rua tag - is the email address where DMARC reports will be sent. This could be your hosting company’s email address, your registrar’s email address, or your own.
- Here is an example of a finished value:: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Note: Using WorkWave as an example domain, the value would look like this: “v=DMARC1; p=none;rua=mailto:dmarc@workwave.com”.
- A typical DMARC record contains at least three important components (or tag-value pairs): v tag, the p tag, and the rua tag.
- Select the save/ submit button and verify your DMARC record has been added correctly to your DNS.
DMARC Policies (The “p” Tag)
The p tag is the policy (or the action to perform if the email fails DMARC checks). Here is what each p tag (“p=” means):
- None: No action is taken for messages failing DMARC, but reports will still be sent to you so you can monitor what’s happening to your emails. You may get a ‘DMARC policy not enabled’ error if the policy is set to none.
- Quarantine: Messages failing DMARC checks are put in the junk folder of the receivers.
- Reject: All email messages failing authentication are completely rejected, never reaching your recipient. In other words, the policy defined here is to reject a message when a message fails authentication.