DNS DMARC Record

Domain-based Message Authentication

What is a DMARC Record?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that builds on SPF and DKIM to protect domains against email spoofing and phishing. A DMARC record is published as a DNS TXT record at the _dmarc subdomain (e.g., _dmarc.example.com) and tells receiving mail servers what to do when an email fails SPF and DKIM checks.

DMARC works by requiring alignment between the domain in the email's From header and the domains authenticated by SPF and DKIM. Without DMARC, an attacker could send an email with a forged From address even if SPF and DKIM are configured, because those protocols alone don't enforce From-header alignment. DMARC closes this gap by specifying a policy (none, quarantine, or reject) that receivers should apply to unauthenticated messages.

The three DMARC policies are: 'none' (monitor mode — deliver the email but send reports), 'quarantine' (mark as spam or move to junk), and 'reject' (refuse delivery entirely). Organizations typically start with 'none' to monitor their email flows and identify legitimate senders, then gradually move to 'quarantine' and finally 'reject' once all authorized sources are properly configured with SPF and DKIM.

Syntax & Examples

A DMARC record is a TXT record at the _dmarc subdomain:
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=s; aspf=s; pct=100"
Key tags: v=DMARC1 (version, required, and must be the first tag), p= (policy: none/quarantine/reject, required), rua= (aggregate report URI), ruf= (forensic report URI), adkim= (DKIM alignment: s=strict, r=relaxed), aspf= (SPF alignment: s=strict, r=relaxed), pct= (percentage of failing messages to which the policy is applied). A basic monitoring-only record:
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=none; rua=mailto:[email protected]"

How to Query DMARC Records

To query DMARC records using dig, run: dig _dmarc.example.com TXT. For concise output: dig +short _dmarc.example.com TXT. Since DMARC records are TXT records at the _dmarc subdomain, you must include the _dmarc prefix. The output will show the full DMARC policy string starting with v=DMARC1.

With nslookup, use: nslookup -type=TXT _dmarc.example.com. On Windows PowerShell: Resolve-DnsName -Name _dmarc.example.com -Type TXT. To analyze DMARC reports, you'll need a report parsing service or tool, as the XML aggregate reports can be complex. Services like Valimail, DMARC Analyzer, and dmarcian can process these reports and provide actionable dashboards.

Frequently Asked Questions

What is a DMARC record?

A DMARC record is a DNS TXT record published at _dmarc.yourdomain.com that specifies your email authentication policy. It tells receiving mail servers how to handle emails that fail SPF and DKIM alignment checks, and where to send authentication reports. DMARC protects your domain from being spoofed in phishing attacks.

What are the three DMARC policies?

The three DMARC policies are: 'none' (monitoring only — deliver emails but send reports), 'quarantine' (treat failing emails as suspicious, typically moving them to spam), and 'reject' (refuse delivery of failing emails entirely). Start with 'none' to avoid blocking legitimate mail while gathering data.

How does DMARC relate to SPF and DKIM?

DMARC builds on SPF and DKIM by adding the concept of alignment. SPF verifies the envelope sender's domain and DKIM verifies a cryptographic signature, but neither checks the visible From header. DMARC requires that the domain in the From header aligns with (matches) the domain verified by SPF or DKIM.

What is DMARC alignment?

DMARC alignment ensures the domain in the email's visible From header matches the domain authenticated by SPF (envelope sender) or DKIM (signing domain). Alignment can be strict (exact match) or relaxed (organizational domain match). For example, with relaxed alignment, mail.example.com aligns with example.com.
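The tag syntax from the Syntax & Examples section and the strict/relaxed alignment rule above, as an added Python example (not code from the original page): it parses a DMARC TXT string, applies the tag defaults, and returns the disposition a receiver would reach for a message given its SPF and DKIM results. The sample record, example.com, and the simplified organizational-domain rule are assumptions made for the example.

```python
# Added example: parse a DMARC record and evaluate alignment.
# The record below and example.com are constructed placeholders.
VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # values used when a tag is absent


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and validate the required tags.

    Raises ValueError if the first tag is not v=DMARC1, if p= is missing or
    has an unknown value, or if any tag lacks an '=' sign.
    """
    tags = {}
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    for part in [p for p in parts if p]:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption: a real receiver consults the Public Suffix List (so that
    mail.example.co.uk maps to example.co.uk); this toy rule does not.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(record, from_domain, spf=None, dkim=None):
    """Return 'pass' if an authenticated identifier aligns with the From domain,
    otherwise the record's p= policy.  spf and dkim are (domain, passed) tuples:
    the SPF envelope-sender domain and the DKIM d= domain.  pct= sampling is
    ignored here; a receiver applies p= only to pct percent of failing mail.
    """
    tags = parse_dmarc(record)
    for result, mode in ((spf, tags["aspf"]), (dkim, tags["adkim"])):
        if result and result[1] and aligned(from_domain, result[0], mode):
            return "pass"
    return tags["p"]
```

With adkim=s, a DKIM signature from mail.example.com does not rescue a From of example.com, while the same identifier passes under aspf=r; this is the difference between strict and relaxed alignment described above.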

How do I read DMARC aggregate reports?

DMARC aggregate reports are XML files sent to the address specified in the rua tag. They contain data about email volumes, authentication results, and sending sources. Use a DMARC report analyzer service (like dmarcian, Valimail, or DMARC Analyzer) to parse these reports into readable dashboards rather than reading raw XML.