What Is a DMARC Record and How to Create One
Do you want to create a DMARC record?
A DMARC record provides important instructions for how failing messages should be handled by mailing servers.
In this article, we’ll explain what a DMARC record is with examples, and show you how to create one.
What Is a DMARC Record?
A DMARC record is a TXT record that defines your DMARC rulesets. In simpler words, the DMARC record tells receiving mail servers what to do with a message that fails email authentication.
Using DMARC records, you can control if the mailing server should reject, quarantine, or do nothing with a message that has failed authentication.
It’s important to create a DMARC record because it helps you combat cyberthreats like phishing, spoofing, and CEO fraud originating from unauthorized email domains. This is why we strongly recommend creating a DMARC record to ensure better email security.
DMARC Record Example
A typical DMARC record contains at least three important components (or tag-value pairs). Consider this example record:
v=DMARC1; p=reject; rua=mailto:email@example.com
Here, we have three tags: v, p, and rua, which have the values DMARC1, reject, and mailto:email@example.com.
The v tag specifies the version of DMARC, the p tag is the policy (or the action to perform if an email fails DMARC checks), and the rua tag is the email address where you want to receive DMARC aggregate reports.
In the example above, the p tag has the value reject. In other words, the policy defined here is to reject a message when a message fails authentication. Here’s what the 3 different DMARC policies mean:
- None: No action is taken for messages failing DMARC, but aggregate reports will still be sent to you so you can monitor what’s happening to your emails.
- Quarantine: Messages failing DMARC checks are put in the junk folder of the receivers.
- Reject: All email messages failing authentication are completely rejected, never reaching your recipient.
There are various other optional tags that you can use like pct and ruf. However, for simplicity’s sake, we won’t include these in our examples. You can still set up your DMARC record with just the 3 tags mentioned above.
If you’re using WP Mail SMTP to handle your WordPress emails, it’ll tell you if DMARC isn’t set up correctly on your domain. You might also see an error like ‘No DMARC Record Found’.
The steps below will help you to resolve the issue.
How to Add a DMARC Record
Let’s step through the process of setting up a DMARC record on your domain.
1. Check Your DNS With a DMARC Analyzer
If you’re not sure whether you have DMARC set up on your site, you can use a DMARC checker like MXToolbox to scan your DNS records.
Type your domain name into the field and click DMARC Lookup.
If you don’t have DMARC set up, the DMARC analyzer will show a failure message.
2. Add a DMARC Record Using Our Example
Now we’re going to edit the DNS for your domain and add a DMARC record.
DNS is a set of instructions that tell servers where to find your site content, email mailbox, and more. To edit your DNS, you (or the domain owner) need to log in to the provider handling the DNS zone for your domain.
If you’re not sure where it is, you can try:
- Your web hosting control panel: If you purchased your domain and hosting as a package, your DNS is probably handled by your web hosting company. You’ll want to log into your hosting control panel and look for a menu called DNS or DNS Zone.
- Your DNS registrar: If you purchased your domain by itself, the DNS is probably managed by the company you bought it from.
- Your CDN provider: If you’re using a CDN like Cloudflare, your DNS records will be hosted within the CDN settings.
In this example, we’ll show you how to create a DMARC record in Cloudflare.
The steps are very similar for other domain registrars or hosts.
When you open up your DNS, double-check that you don’t already have any DMARC records set up.
You can’t have more than 1 DMARC record in your DNS. But don’t worry: our example record will cover all of the subdomains under your domain, and all of the email addresses you send mail from.
Assuming you don’t, let’s move on and add a DMARC TXT record.
3. Copy and Paste This DMARC Record
It’s easy to add a DMARC record using this example. There’s no need to use a DMARC generator.
On your registrar’s DNS record screen, click Add record to create a DMARC record. We’ll use Cloudflare in this example.
A DMARC record is a TXT record starting with _dmarc. So in the Type dropdown, select TXT.
In the Name field, type _dmarc. with the period (dot) at the end. Some hosts don’t need the period, so they’ll remove it or show an error. In that case, you can safely use _dmarc without the period.
In the large field in the DNS record, paste in this DMARC record example.
v=DMARC1; p=none; fo=1; rua=mailto:email@example.com
Here’s what this rule does:
- We’re using p=none because it’s the least restrictive setting. You’ll still get email reports if there’s an issue with your DNS, but it’s unlikely to prevent your own emails from being delivered. If you start to get suspicious DMARC reports, you could change this part of the rule to
- Be sure to change the rua=mailto: address. It should ideally be set to the email address that your mailer service provides in its documentation. If it doesn’t provide one, you can use an email address at your own domain.
- In basic terms, the TTL (Time to Live) setting is like an expiration date for your DNS. We recommend leaving the TTL setting on Auto, which is typically 4 hours. The setting isn’t crucial, so you can safely select 24 hours or 14400 if that’s the only option you have.
Some providers may ask for an alignment rule. It’s OK to exclude that since it’s not required for DMARC to work.
So after pasting in the rule, here’s our finished DMARC record:
Save your new DMARC rule to add the new record to your DNS.
If you already had a DMARC rule in your DNS, check the formatting carefully. Pay attention to the Name field; if you use @ or your domain name in the Name field, it won’t work.
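The checks described in the record example and in the steps above (tag=value syntax, one of three policies, a single record, the _dmarc name) can be scripted before you save the record. This is an added example, not code from the original article or from WP Mail SMTP; the function names and sample records are constructed for illustration, and the pct range check goes slightly beyond the tags used in the article’s records.

```python
# Added example: lint the TXT records at a DMARC name before saving them.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(name, txt_records):
    """Return a list of problems with the TXT records published at `name`."""
    problems = []
    # Accepts "_dmarc", "_dmarc." or "_dmarc.example.com"; "@" or the bare domain fails.
    if name.lower().rstrip(".").split(".")[0] != "_dmarc":
        problems.append(f"name must be _dmarc, got {name!r}")
    # SPF or verification strings may share the name; keep DMARC candidates only.
    found = [r for r in txt_records if r.lstrip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return problems + [f"expected exactly 1 DMARC record, found {len(found)}"]
    try:
        pairs = parse_dmarc(found[0])
    except ValueError as exc:
        return problems + [str(exc)]
    tags = dict(pairs)
    if pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: URI: {uri.strip()}")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    return problems

if __name__ == "__main__":
    # Constructed sample records, not taken from a real domain.
    good = "v=DMARC1; p=none; fo=1; rua=mailto:email@example.com"
    bad = "v=DMARC1; p=monitor; rua=email@example.com; pct=150"
    print(lint_dmarc("_dmarc.example.com", [good]))        # no problems
    print(lint_dmarc("@", [good, bad]))                     # wrong name, two records
    print(lint_dmarc("_dmarc", ["v=spf1 ~all", bad]))       # bad p, rua and pct
```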
Wait For Your DMARC Record to Propagate
Whenever you make changes to your site’s DNS, you’ll need to wait up to 48 hours for the changes to take effect. If you’re using Cloudflare, you’ll usually find that the changes take place within a few minutes.
When the change has propagated, go back to a web-based DMARC checker like MXToolbox. Check again using its DMARC tool.
Your DMARC rule should show up in a green bar so that you know it’s working.
You can also use WP Mail SMTP to send another test email from WordPress. This will automatically run a fresh check on your DNS and look for your DMARC record.
If you added everything correctly, you’ll now see a pass message like this:
And that’s it! Now you’ve added a DMARC record to your DNS.