What Are The Different DMARC Records?


A DMARC record is where DMARC rule sets are defined. DMARC is a security protocol that prevents fraudulent entities from misusing your domain to send emails. The record informs Internet service providers whether a domain is set up to use DMARC. The DMARC record generator tool KDMARC helps in setting up these records, which contain DMARC policies and should be placed within your DNS.

Tags used in DMARC TXT record

DMARC tags help email receivers to check for DMARC and handle messages that fail the DMARC authentication. Following are the tags that are used in the TXT record.

Mandatory tags in DMARC TXT record

v: This tag identifies the retrieved record as a DMARC record. It must be listed first in the DMARC record and its value must be DMARC1.

p: The ‘p’ tag indicates the requested policy that mailbox providers should apply when an email fails the DMARC authentication and alignment checks.

  • none: Your internet service provider will not do anything with unaligned emails, and they will be delivered to the inbox. This is also referred to as the monitoring mode. You can analyze the DMARC report and know exactly who has been using your domain to send emails on your behalf.
  • quarantine: The ISP will move unaligned emails to the spam folder. These emails can then be quarantined. The unaligned emails can be analyzed in order to identify whether they are genuine or not.
  • reject: All emails that fail the DMARC check will be rejected by the ISP. These email messages will not show up in the receiver’s mailbox. However, this policy needs to be implemented very carefully. Not only will it block all emails sent by domain spoofers, but it can also block legitimate emails from sources that are not on your whitelist.

With the DMARC record generator and analyser tool KDMARC, these policies can be appropriately set for your email domain. Let’s take a detailed look at these policies.

Optional tags in DMARC TXT record

rua: mailto:address@company.com: This tag allows mailbox providers to know where exactly you want the aggregate reports to be sent. These reports contain higher-level information and help in identifying potential authentication issues or malicious activities that can harm the email domain.

fo: This tells the mailbox provider that you want samples of emails that have failed either both the SPF and DKIM checks or either one of the two. There are four value options available:

sp: This indicates a requested policy for all subdomains when an email fails the DMARC authentication and alignment checks. This tag is very effective when the domain owner wants to specify different policies for the primary domain and its subdomains. In case this tag is not used for subdomains, the policy that has been set using the p tag will apply to the primary domain and its subdomains.

dkim: This tag indicates either a strict or relaxed DKIM identifier alignment. The relaxed alignment is set as default.

spf: It indicates either strict or relaxed SPF identifier alignment. The default alignment is relaxed.

pct: This tag allows the policy to be implemented gradually so that its impact can be tested.

ruf: mailto:address@company.com: It allows mailbox providers to know where you want your forensic reports to be delivered. These reports are detailed and are to be delivered almost immediately once a DMARC authentication failure has been detected. However, most mailbox providers do not send them due to privacy and performance concerns.

rf: It provides a format for forensic reports.

ri: The ri tag corresponds to the aggregate reporting interval and provides DMARC feedback for outlined criteria. Participating mailbox providers that can send more than one aggregate report in a day will provide more frequent reports.
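The tag rules above can be checked mechanically before a record is published. The following is an added example, not KDMARC's code: it assumes the RFC 7489 spellings adkim and aspf for the DKIM and SPF alignment tags, fills in the RFC 7489 defaults for omitted tags, and uses two constructed sample records.

```python
# Added example: validate a DMARC TXT record value and resolve its defaults.
POLICIES = {"none", "quarantine", "reject"}
# Defaults defined by RFC 7489 for tags that are left out of the record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0",
            "rf": "afrf", "ri": "86400"}

def parse_dmarc(txt):
    """Return (effective_tags, errors) for one DMARC TXT record value."""
    pairs, errors = [], []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            errors.append(f"malformed tag: {part.strip()!r}")
            continue
        pairs.append((name.strip().lower(), value.strip()))

    # v must be listed first and its value must be exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    tags = {**DEFAULTS, **dict(pairs)}

    # p is mandatory; sp falls back to p when it is not set.
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        errors.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        errors.append("sp must be none, quarantine or reject")
    tags["sp"] = tags.get("sp", tags["p"]).lower()

    for tag in ("adkim", "aspf"):
        if tags[tag].lower() not in ("r", "s"):
            errors.append(f"{tag} must be r (relaxed) or s (strict)")
    if not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                errors.append(f"{tag} is not a mailto: URI: {uri.strip()}")
    return tags, errors

# Constructed sample records (company.com is the page's placeholder domain).
GOOD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:address@company.com"
BAD = "p=reject; v=DMARC1; pct=150; ruf=address@company.com"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(record, "->", parse_dmarc(record)[1])
```

The second record fails three checks: v is not the first tag, pct is out of range, and the ruf address lacks the mailto: prefix.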

With the DMARC record generator and analyzer tool KDMARC, organizations can ensure that the DMARC record is properly set up for their email domain, as well as check the DMARC record. This will ensure that any attempt to misuse the domain is effectively prevented.
