A DMARC record is where DMARC rule sets are defined. DMARC is a security protocol that prevents fraudulent entities from misusing your domain to send emails. The record informs the recipient's mail server whether a domain is set up to use DMARC. The DMARC record generator tool TDMARC helps in setting up these records, which contain DMARC policies and should be placed within your DNS.
Tags used in DMARC TXT record
DMARC tags help email receivers to check for DMARC and handle messages that fail the DMARC authentication. Following are the tags that are used in the TXT record.
Mandatory Tags
v: Identifies the record as a DMARC record. Must always be v=DMARC1.
p: Defines the policy for the domain when an email fails DMARC checks. Possible values:
none – Monitor mode; emails are delivered normally.
quarantine – Emails failing DMARC are moved to spam/junk folder.
reject – Emails failing DMARC are rejected by the receiving mail server.
With the DMARC record generator and analyzer tool TDMARC, these policies can be appropriately set for your email domain. Let’s take a detailed look at these policies.
Optional tags in DMARC TXT record
rua: mailto:address@company.com: This tag allows mailbox providers to know where exactly you want the aggregate reports to be sent. These reports contain higher-level information and help in identifying potential authentication issues or malicious activities that can harm the email domain.
fo: Forensic reporting options. Values indicate which failures generate reports (0, 1, d, s):
0 – Report if both SPF and DKIM fail
1 – Report if either SPF or DKIM fails
d – DKIM failures only
s – SPF failures only
sp: This indicates a requested policy for all subdomains when an email fails the DMARC authentication and alignment checks. This tag is very effective when the domain owner wants to specify different policies for primary domain and subdomains. If the sp tag is not specified, subdomains inherit the policy defined by the p tag.
adkim: DKIM alignment (r=relaxed, s=strict, default=r)
aspf: SPF alignment (r=relaxed, s=strict, default=r)
pct: Percentage of messages to which the DMARC policy is applied.
ruf: mailto:address@company.com: It allows mailbox providers to know where you want your forensic reports to be delivered. These reports are detailed and are to be delivered almost immediately once DMARC authentication failure has been detected. However, most of the mailbox providers do not send them due to privacy and performance concerns.
rf: It provides a format for forensic reports.
ri: The ri tag sets the aggregate reporting interval, that is, how often DMARC feedback is provided for the outlined criteria. Participating mailbox providers that can send more than one aggregate report in a day will provide more frequent reports.
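The tag rules above can be checked mechanically before a record is published. The following is an added example, not code from TDMARC or from the original page: a small Python checker that parses a DMARC TXT string, applies the defaults described above (sp inherits p, alignment defaults to relaxed) and lists problems. The function name, the sample records and the example.com addresses are constructed for illustration, and it assumes report addresses use the mailto: form shown above.

```python
# Added example (not TDMARC code): check a DMARC TXT record against the tags above.
POLICIES = {"none", "quarantine", "reject"}
FO_VALUES = {"0", "1", "d", "s"}
# Constructed sample records; example.com is a placeholder domain.
GOOD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BAD = "p=quarantine; v=DMARC1; aspf=x; pct=150"


def check_dmarc(txt):
    """Parse one DMARC TXT string; return (effective_settings, problems)."""
    tags, problems = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part}")
        elif name.lower() in tags:
            problems.append(f"duplicate tag: {name.lower()}")
        else:
            tags[name.lower()] = value
    # Mandatory tags: v=DMARC1 comes first (RFC 7489), p is a known policy.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    elif p == "none":
        problems.append("p=none is monitor mode: failing mail is still delivered")
    # Optional tags: an absent sp inherits p; alignment defaults to relaxed.
    eff = {"p": p, "sp": tags.get("sp", p).lower(),
           "adkim": tags.get("adkim", "r").lower(),
           "aspf": tags.get("aspf", "r").lower(), "pct": tags.get("pct", "100")}
    if "sp" in tags and eff["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if eff[name] not in ("r", "s"):
            problems.append(f"{name} must be r or s")
    if not (eff["pct"].isdecimal() and int(eff["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if not set(tags.get("fo", "0").lower().split(":")) <= FO_VALUES:
        problems.append("fo values must be 0, 1, d or s")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{name} address is not a mailto: URI: {uri.strip()}")
    return eff, problems

if __name__ == "__main__":
    print([check_dmarc(r)[1] for r in (GOOD, WEAK, BAD)])
```

A record that passes with an empty problem list is well-formed; the p=none finding is informational and marks a domain still in monitor mode.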
With the DMARC record generator and analyzer tool TDMARC, organizations can ensure that the DMARC record is properly set up for their email domain, and can also check an existing DMARC record. This will ensure that any attempt to misuse the domain is effectively prevented.