What Are The Different DMARC Records?

What Are The Different DMARC Records?

A DMARC record is where DMARC rule sets are defined. It is a security protocol that will prevent fraudulent entities from misusing your domain to send emails. This record informs Internet service providers whether a domain is set up to use DMARC. DMARC record generator tool TDMARC helps in setting up these records that contain DMARC policies and should be placed within your DNS.

Tags used in DMARC TXT record

DMARC tags help email receivers to check for DMARC and handle messages that fail the DMARC authentication. Following are the tags that are used in the TXT record.

Mandatory tags in DMARC TXT record

v: This tag identifies the record that has been retrieved as a DMARC record. This tag must be first listed in DMARC record and its value must be DMARC1.

p: ‘p’ tag indicates that the requested policy that your mailbox providers should apply when an email fails the DMARC authentication and alignment checks.

  • none: Your internet service provider will not do anything with unaligned emails and will be received within the inbox. This is also referred to as the monitoring mode. One can analyze the DMARC report and know exactly who has been using your domain to send emails on your behalf.
  • Quarantine: ISP will move the unaligned emails in the spam folder. These emails can then be quarantined. The unaligned emails can be analyzed in order to identify if these are genuine or not.
  • Reject: All emails that fail the DMARC check will be rejected by the ISP. These email messages will not show up in the receiver’s mailbox. However, this policy needs to be implemented very carefully. Not only it will block all emails sent from domain spoofers but also, it can block legitimate emails from sources that are not on your whitelist.

With the DMARC record generator and analyser tool TDMARC, these policies can be appropriately set for your email domain. Let’s take a detailed look at these policies.

Optional tags in DMARC TXT record

rua: mailto:address@company.com: This tag allows mailbox providers to know where exactly you want the aggregate reports to be sent. These reports contain higher-level information and help in identifying potential authentication issues or malicious activities that can harm the email domain.

fo: This helps the mailbox provider know that you want the samples of emails that have either failed both SPF and DKIM checks or anyone of the two. There are four value options available:

sp: This indicates a requested policy for all subdomains when an email fails the DMARC authentication and alignment checks. This tag is very effective when the domain owner wants to specify different policies for primary domain and subdomains. In case this tag is not used for

subdomains, the policy that has been set using the p tag will apply to the primary domain and its subdomains.

dkim: This tag indicates either a strict or relaxed DKIM identifier alignment. The relaxed alignment is set as default.

spf: It indicates either strict or relaxed SPF identifier alignment. The default alignment is relaxed.

pct: This tag allows the gradual implementation of the policy and to test its impact.

ruf: mailto:address@company.com: It allows mailbox providers to know where you want your forensic reports to be delivered. These reports are detailed and are to be delivered almost immediately once DMARC authentication failure has been detected. However, most of the mailbox providers do not send them due to privacy and performance concerns.

rf: It provides a format for forensic reports.

ri: The ri tag corresponds to the aggregate reporting interval and provides DMARC feedback for outlined criteria. Participating mailbox providers that can send more than one aggregate report in a day will provide more frequent reports.

With the DMARC record generator and analyzer tool TDMARC, organizations can ensure that the DMARC record is properly set up for their email domain as well as a check DMARC record. This will ensure that any attempt to misuse the domain is effectively prevented.


    • Related Articles

    • Multiple DMARC Records Issue

      In case you want to know how many DMARC records you can have on a single domain, the only correct answer is ‘ONE’. A domain must not have more than one DMARC record if you want the DMARC processing to work successfully on that domain. A DMARC record ...
    • How Is DMARC Records Different From SPF And DKIM?

      SPF or Sender Policy Framework is a DNS text record that contains a list of servers (users) that should be considered authorized or allowed to send an email on the behalf of that specific domain. Incidentally, the fact that SPF is a DNS entry can ...
    • How do I update my DNS records with the DMARC record given to me in my dashboard?

      A DMARC record is a record where the DMARC rulesets are defined. This informs your email service providers if a domain is set up to use DMARC. Moreover, the records must be placed in your DNS for them to function properly. You can update your records ...
    • What Is DMARC?

      DMARC was introduced in 2012 as an email authentication protocol to reduce the risk of cyber-attacks. It is considered to be an industry standard for email verification to prohibit attacks which are malicious emails sent using a counterfeit address ...
    • DMARC Identifier Alignment

      Identifier alignment forces the domains authenticated by SPF and DKIM to have a relationship to the “header From” domain. Email end users check the from the field in their email clients to tell where an email comes from, SPF doesn’t authenticate the ...