How to set up DMARC

Cloud Insidr 2018-12-17 Leave a Comment


The relentless onslaught of spam continues to drive mail administrators up the proverbial wall. DMARC, the unofficial successor to SPF (Sender Policy Framework), holds the promise of more email legitimacy, but can it deliver? Here is how you can put DMARC to the test.

Step 1. Verify your DNS configuration

Make sure you have your A/AAAA and MX records set up correctly. For IPv4 traffic, your DNS zone needs at least one record of type A pointing to an IPv4 address; for IPv6 traffic, you need at least one record of type AAAA pointing to a valid IPv6 address (currently, the latter is optional, but this will change).

Step 2. Set up SPF

DMARC relies on Sender Policy Framework (SPF). You will need a valid SPF record to set up DMARC. Make sure it is of type TXT; the dedicated SPF record type is deprecated. A valid SPF record could look something like this (example addresses):

"v=spf1 ip4:12.23.34.56 ip4:34.43.24.65 a:smtp.yourdomain.tld a mx ?all"

Increment your SOA serial number, save your changes and wait for your name servers to catch up. (Your configuration changes may not show up in testing tools immediately.)

To validate or pre-validate your SPF syntax, head over to one of these services:

https://www.dmarcanalyzer.com/spf/checker/

https://vamsoft.com/support/tools/spf-syntax-validator

Step 3. Generate and test your DMARC record

We recommend the DMARC Record Generator by MxToolbox, available at:

https://mxtoolbox.com/DMARCRecordGenerator.aspx

Make sure you check out all options available in the wizard. Copy the generated record into a text editor and adjust the mailto: options to reflect your desired setup.

Next, test your DMARC record thoroughly. We recommend the DMARC Inspector by dmarcian.

This utility lists all DMARC tags it discovers as well as implicit tags (those that take effect even though you have not declared them) and explains each one in plain English. Another service worth trying is Fraudmarc.

Step 4. Complete your DNS configuration

You can send DMARC reports either to an email address on the same domain (Option A) or on another domain (Option B).

[Figure: DMARC configuration example on Route 53]

Option A. Send DMARC reports to an email address on the same domain

If you intend to send DMARC reports to an email address on the same domain they are generated for, use the following settings:

label: _dmarc.yourdomain.tld.
type: TXT
alias: no
TTL (in seconds, example value): 300
Value (example value, enter without quotes): "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.tld; ruf=mailto:dmarc@yourdomain.tld; fo=1; adkim=r; aspf=r"

With this setup, emails will be delivered even if they fail DMARC validation: the policy is p=none, so receiving servers only report failures rather than quarantining or rejecting the mail.

Select the routing policy and save the record set. Be sure to increment your SOA serial.

You are now ready to validate your DMARC record (see step 5 below).

Option B. Send DMARC reports to an email address on another domain

To send your DMARC reports outside of the domain that generates them, you need to authorize the other domain to receive them. Here is how to do that.

[Option B, step 1.] Create a new record set in the zone that will send DMARC reports

label: _dmarc.domain-that-sends-DMARC-reports.tld.
type: TXT
alias: no
TTL (in seconds, example value): 300
Value (example value, enter without quotes): "v=DMARC1; p=none; rua=mailto:dmarc@domain-that-receives-reports.tld; ruf=mailto:dmarc@domain-that-receives-reports.tld; fo=1; adkim=r; aspf=r"
Select the routing policy and save.

[Option B, step 2.] Create a new record set in the zone that will receive DMARC reports

Open the DNS configuration of the zone that will receive your DMARC reports for yourdomain.tld. Create a new record set using these settings:

label (omit the angle brackets): <domain-that-sends-DMARC-reports.tld>._report._dmarc.<domain-that-receives-reports.tld>.
type: TXT 
alias: no
TTL (in seconds, example value): 300
Value (example value, enter without quotes): "v=DMARC1"

Select the routing policy and save. Be sure to increment your SOA serial.

You are now ready to validate your DMARC record (see step 5 below).
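To make the tag listing from step 3 and the Option B authorization rule concrete, here is an added Python example (not code from the original post or from any of the tools named above). It parses a DMARC record, lists explicit and implicit tags, and works out which `<sender>._report._dmarc.<receiver>` records must exist; it assumes a two-label organizational domain, whereas real validators use the Public Suffix List.

```python
# Added example: parse a DMARC record the way the inspector tools in step 3 do,
# list explicit plus implicit tags, and derive the <sender>._report._dmarc.<receiver>
# authorization records that option B requires for off-domain report addresses.

# Implicit defaults from RFC 7489 for tags a record does not declare.
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100",
                  "rf": "afrf", "ri": "86400"}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict (quotes and whitespace stripped)."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_tags(record: str) -> dict:
    """Explicit tags plus the implicit ones that take effect without being declared."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    merged = dict(DMARC_DEFAULTS)
    merged["sp"] = tags["p"]          # subdomain policy defaults to the domain policy
    merged.update(tags)
    return merged

def organizational_domain(name: str) -> str:
    # Assumption: the last two labels form the organizational domain (no Public Suffix List).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def external_report_authorizations(domain: str, record: str) -> list:
    """Names of the TXT records (value 'v=DMARC1') that receiving zones must publish
    before reports about `domain` may be sent to a mailbox outside its organizational domain."""
    needed = []
    for tag in ("rua", "ruf"):
        for uri in parse_dmarc(record).get(tag, "").split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:"):
                continue
            # drop an optional '!size' suffix, then keep the mailbox's domain part
            receiver = uri[len("mailto:"):].split("!")[0].rsplit("@", 1)[-1]
            if organizational_domain(receiver) != organizational_domain(domain):
                name = f"{domain}._report._dmarc.{receiver}"
                if name not in needed:
                    needed.append(name)
    return needed
```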

Step 5. Keep a watchful eye on your DMARC reports

Verify changes to your DNS configuration using one of the services listed in Step 3 above.

Going forward, you will need to keep an eye on your DMARC reports, particularly if you intend to use a restrictive configuration. It almost goes without saying that if you encounter any undesirable activity, you should take action on the reports immediately.
