DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a technical protocol for authenticating outbound messages. DMARC serves as the first line of defense against a variety of email-based threats, including phishing and spoofing.
To configure DMARC, you need to create a DMARC record. The DMARC record is a TXT record that is then published in your DNS. This kick-starts your email authentication process. Setting up a DMARC record lets you, as the domain owner, instruct receivers how they should respond to emails sent from unauthorized or illegitimate sources.
Key Takeaways
- A DMARC record is a DNS TXT entry that helps authenticate outgoing emails and prevent spoofing and phishing attacks.
- Choosing the right DMARC policy is essential to control how unauthorized emails are handled.
- To implement DMARC, the record must be published in the Domain Name System (DNS) using tools such as cPanel, GoDaddy, or Cloudflare.
- Even domains that do not actively send emails should have a restrictive DMARC record, specifically “p=reject”, to prevent potential abuse.
- For optimal results, it is recommended to maintain a single DMARC record per domain and to implement enforcement gradually to avoid email delivery issues.
- Solutions like PowerDMARC automate DMARC record management and simplify monitoring through the use of AI-driven threat intelligence.
What Is a DMARC Record?
A DMARC record is a DNS TXT record that specifies how email servers should handle messages that fail authentication checks (SPF & DKIM). It helps domain owners prevent email spoofing and phishing by instructing recipient servers on whether to reject, quarantine, or allow unauthorized emails.
Key Components of a DMARC Record
1. DMARC Policy Modes
The DMARC policy defines how receivers should handle emails that fail DMARC authentication. It is denoted by “p” and can have one of the following three values:
- p=none: To take no action against unauthorized emails.
- p=quarantine: To flag suspicious emails.
- p=reject: To reject unauthorized emails before they reach your recipients.
2. DMARC Reporting Options
- Aggregate Reports (rua=): These are summary reports sent to the specified email address, showing authentication results for all emails from the domain.
- Forensic Reports (ruf=): These are detailed failure reports sent when an email fails DMARC authentication.
3. DMARC Alignment Modes
- SPF Alignment (aspf=): Determines if the sender’s domain in the From: header aligns with the SPF record. You can choose either strict (s) alignment for an exact match or relaxed (r) alignment for an organizational match.
- DKIM Alignment (adkim=): Determines if the DKIM signature domain aligns with the domain in the From: header. You can choose either strict (s) alignment for an exact match or relaxed (r) alignment for an organizational match.
How to Create a DMARC Record?
To create a DMARC DNS record for your domain, make sure you have:
a) a reliable tool to generate the record
b) access to your DNS management console to publish the record
Follow the steps given below to create your record:
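1. Generate a DMARC record
Click Sign Up to access the portal using your email address or Gmail/Office 365. Go to Analysis Tools > PowerToolbox > DMARC Record Generator to start creating your DMARC record.
2. Define the DMARC policy for your DMARC record
Decide on your DMARC policy according to the enforcement level you want (none, quarantine, or reject). Here is how to choose a DMARC record policy: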
- If you want no action to be taken against unsolicited emails sent from your domain, choose “none”.
- If you want to quarantine emails that fail DMARC, choose “quarantine”.
- If you want to reject or discard emails that fail authentication, which can minimize spoofing and phishing attacks, choose “reject”.
3. Configure the recommended optional DMARC record fields
Not every field is mandatory, but it is a good idea to configure a few useful optional fields in your DMARC record. Here is what they are:
- Aggregate (rua) reporting field: If you configure the rua field, you will receive DMARC authentication data directly to your email address.
- Forensic (ruf) reporting field: Gain insights into forensic incidents like cyber attacks by configuring the ruf field in your DMARC record.
- DKIM/SPF alignment mode: Choose whether to use relaxed or strict alignment for SPF and/or DKIM.
How to Publish a DMARC Record?
To publish a DMARC record, there are a few prerequisites:
- You must have access to your DNS management console.
- You must have permission to edit and add new DNS records for your domain.
Publishing Your DMARC Record With cPanel
1. Access your cPanel DNS Management Console
2. Under the Domains section, click on DNS Zone Editor or Advanced Zone Editor
3. Add a DMARC record of type TXT (text), filling in the details as shown below. In the “TXT data” or “value” field, you need to paste your previously created DMARC record.
Publishing a DMARC Record with GoDaddy
- Log in to your GoDaddy Domain Portfolio to access the DNS zone
- Under Domain Name, find and select your email-sending domain
- Under your domain name, click on DNS
- Now select Add New Record and start publishing your record with the following details:
Type: TXT
Name: _dmarc
Value: paste the value of your DMARC record
Publishing a DMARC Record with Cloudflare
- Log in to your Cloudflare account.
- Select the desired account and domain.
- Navigate to DNS and click on Add Record
- Paste your generated DMARC record into the Add Record section, like the example below:
Verifying Your DMARC Record
To verify your DMARC record & avoid the common “No DMARC record found” error, you can use our free verification tool.
1. Sign up for free and go to Analysis Tools > PowerToolbox > DMARC Record Checker.
2. Review your DMARC record status, syntax, and tags to uncover any errors you may have
Common DMARC Record Errors
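Status | Meaning | What can you do? |
---|---|---|
Valid | Your DMARC record is correct and free of errors. | Nothing |
Invalid | Your DMARC record contains errors. This may be due to incomplete or incorrect syntax. | Review your syntax, refer to the complete guide on DMARC tags, or contact an expert for help. |
No record found | There is no DMARC record in your DNS. | Create a DMARC record for your domain and publish it on your DNS. |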
Once you detect errors in your record, you must implement the necessary changes to your DNS and save the changes. You may recheck your record once the changes are processed.
DMARC Record for Non-Sending Domains
Most people stop at securing their active domains, but little do they know that attackers can spoof even your non-sending domains to send fake emails on your behalf! To prevent this, here are the steps to implement DMARC for your non-sending domains:
- Publish a non-permissive DMARC record: start by publishing a DMARC record for the inactive domain with an enforced policy like p=reject.
- Ignore reporting: Since the domain doesn’t send emails, no need to set up RUA or RUF reports for it.
- Publish a restrictive SPF record: Set v=spf1 -all to prevent email sending.
- Disable integrated email services: If the domain is still linked to external email servers, it may be a good call to restrict them if the domain is no longer in use.
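The lock-down steps above can be checked across a portfolio of parked domains. The following is an added example, not code from the original page or from PowerDMARC: the function names, the zone-export dictionary and the placeholder domains are assumptions, and the TXT strings are constructed sample data.

```python
def tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys and values."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_parked(domain, zone):
    """Check one non-sending domain; zone maps DNS names to lists of TXT strings."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected one SPF record, found {len(spf)}")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        # Any include:, ip4: or soft-fail (~all) still lets someone send.
        findings.append(f"SPF is not 'v=spf1 -all': {spf[0]!r}")
    dmarc = [r for r in zone.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record, found {len(dmarc)}")
        return findings
    t = tags(dmarc[0])
    if t.get("p") != "reject":
        findings.append(f"DMARC policy is p={t.get('p')}, not p=reject")
    if t.get("sp", "reject") != "reject":
        findings.append(f"sp={t['sp']} leaves subdomains under a weaker policy")
    if t.get("pct", "100") != "100":
        findings.append(f"pct={t['pct']} applies reject to only part of the mail")
    return findings

# Constructed zone export; all domains and values are placeholders.
ZONE = {
    "parked-a.example": ["v=spf1 -all"],
    "_dmarc.parked-a.example": ["v=DMARC1; p=reject"],
    "parked-b.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.parked-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@parked-b.example"],
    "parked-c.example": ["site-verification=constructed-token"],
}

if __name__ == "__main__":
    for name in ("parked-a.example", "parked-b.example", "parked-c.example"):
        print(name, audit_parked(name, ZONE) or "locked down")
```

A reporting address on a parked domain is not flagged, since the steps above treat reporting as optional there.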
Consequences of Not Securing Your Inactive Domains
Failing to implement DMARC for your non-sending domains can lead to various consequences, such as:
- Increased risk of spoofing and phishing attacks
- Damage to brand and domain reputation
- Domain abuse going unnoticed for lengthy periods of time
Single DMARC Record Per Domain
When configuring your DMARC record, it’s important to publish a single record entry per domain. Multiple DMARC records for a single domain can cause conflicts and unwarranted authentication failures!
Why Multiple DMARC Records Are a Problem
- Email authentication failures: Email receivers may not know which DMARC record to follow.
- Misconfigurations and inconsistencies: Conflicting policies (e.g., one record using p=none and another using p=reject) lead to unpredictable enforcement.
- Inaccurate reporting: DMARC reports may be incomplete or unreliable.
Best Practices for Correct DMARC Implementation
To ensure correct DMARC record configuration, here are the best practices for implementation:
- Publish a single record for DMARC per domain.
- Avoid configuring the DMARC sp tag unless you want your subdomains to have a different policy.
- Use a DMARC checker tool to validate your record after publishing it.
- Monitor your DMARC reports regularly to ensure suspicious activities aren’t going unnoticed.
Next Steps After Publishing a DMARC Record
After you are done publishing your DMARC record, your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda when you are implementing security protocols and email authentication services.
Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that, you need to shift to DMARC enforcement.
To shift to DMARC enforcement, a gradual approach is your best bet to get ideal results without any negative impact on your deliverability. Here’s a step-by-step process you can follow:
- Start with a p=none policy, which is your monitoring mode.
- Enable DMARC reporting for your domain to analyze your email traffic and deliverability.
- Shift to quarantine, keeping pct (percentage) at 10, and gradually increase it to 100% over a span of a couple of weeks.
- Once you are confident in your setup, move to p=reject, keeping pct on the lowest percentage setting and then gradually increasing to full enforcement for 100% of your mail volume.
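The staged rollout above, written out as the sequence of records to publish. This is an added example, not part of the original page or PowerDMARC's tooling: the function names and the reporting address are hypothetical, and the intermediate pct values 25 and 50 are an assumption, since the steps name only 10 and 100.

```python
PCT_STEPS = (10, 25, 50, 100)  # assumption: only 10 and 100 come from the steps above

def next_stage(record):
    """Return the DMARC record for the next rollout stage (unchanged if finished)."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())
    policy, pct = tags["p"], int(tags.get("pct", 100))
    if policy == "none":
        # Monitoring mode: do not enforce until aggregate reports are flowing.
        if "rua" not in tags:
            raise ValueError("enable rua reporting before leaving p=none")
        policy, pct = "quarantine", PCT_STEPS[0]
    elif pct < 100:
        # Same policy, applied to a larger share of failing mail.
        pct = next(s for s in PCT_STEPS if s > pct)
    elif policy == "quarantine":
        # Quarantine reached 100%: start reject at the lowest percentage.
        policy, pct = "reject", PCT_STEPS[0]
    else:
        return record  # p=reject at pct=100 is full enforcement
    tags["p"], tags["pct"] = policy, str(pct)
    return "; ".join(f"{k}={v}" for k, v in tags.items())

def rollout(start):
    """List every record from the starting one to full enforcement."""
    plan = [start]
    while (nxt := next_stage(plan[-1])) != plan[-1]:
        plan.append(nxt)
    return plan

if __name__ == "__main__":
    # Constructed starting record; example.com is a placeholder domain.
    for step in rollout("v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(step)
```

Publish one stage at a time and review the aggregate reports before moving to the next.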
How PowerDMARC Simplifies DMARC Record Management
For organizations operating multiple domains, or simply those who do not wish to deal with the hassle of manually configuring and maintaining DMARC records, there is PowerDMARC, a simple and client-friendly solution that automates DMARC record management under a single roof. Powered by AI-driven threat intelligence technology and detailed reporting, PowerDMARC has been helping 2000+ customers around the world simplify their DMARC journey.
To get started, take a free 15-day trial of the platform today!
DMARC Record FAQs
1. Why do I need a DMARC record?
DMARC records help prevent domain impersonation, thereby reducing the risk of various email-based threats like phishing, spoofing, and ransomware attacks. Without a DMARC record, your domain is at a higher risk of being jeopardized or misused by threat actors.
2. What are common DMARC record errors?
Some common DMARC misconfigurations include:
- Having multiple DMARC records, as a domain can only have one DMARC record.
- Syntax errors like incorrect formatting (e.g., missing semicolons or spaces).
- Invalid policy values, such as p=rejected instead of p=reject.
- Broken email reporting addresses, such as incorrect rua or ruf email addresses, which lead to undelivered reports.
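A small linter for the four error classes listed above, using the tags described under Key Components of a DMARC Record and the single-record rule. It is an added example, not PowerDMARC's checker or code from the original page: `lint_dmarc`, its messages and the sample addresses are hypothetical, and the caller is assumed to have already fetched the TXT strings published at `_dmarc.<domain>`.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"^mailto:[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def lint_dmarc(txt_records):
    """Lint the TXT strings found at _dmarc.<domain>; return a list of findings."""
    records = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record found"]
    if len(records) > 1:
        return [f"{len(records)} DMARC records published; only one is allowed"]
    findings, tags = [], {}
    for part in (p.strip() for p in records[0].split(";")):
        if not part:
            continue  # empty piece after a trailing semicolon
        name, sep, value = part.partition("=")
        values = [v.strip() for v in value.split(",")]  # rua/ruf may list several URIs
        if not sep or not all(values):
            findings.append(f"malformed tag: {part!r}")
            continue
        if any(re.search(r"\s", v) for v in values):
            findings.append(f"whitespace inside a value, missing semicolon? {part!r}")
        tags[name.strip().lower()] = [v.split()[0] for v in values]
    for name in ("p", "sp"):
        value = tags.get(name, [None])[0]
        if value is None and name == "p":
            findings.append("required tag p= is missing")
        elif value is not None and value.lower() not in POLICIES:
            findings.append(f"invalid policy value {name}={value}")
    for name in ("aspf", "adkim"):
        if name in tags and tags[name][0].lower() not in ("r", "s"):
            findings.append(f"invalid alignment mode {name}={tags[name][0]}")
    pct = tags.get("pct", ["100"])[0]
    if not (re.fullmatch(r"\d{1,3}", pct) and int(pct) <= 100):
        findings.append(f"pct={pct} is not an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, []):
            if not MAILTO.match(uri.split("!")[0]):  # "!10m" size suffix is allowed
                findings.append(f"broken reporting address in {name}=: {uri}")
    return findings

# Constructed sample records (example.com is a placeholder domain).
GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=r; pct=100"
BAD_POLICY = "v=DMARC1; p=rejected; rua=mailto:dmarc@example.com"
NO_SEMICOLON = "v=DMARC1; p=none rua=mailto:dmarc@example.com"
```

An empty list means the record passed every check; running it against the output of a TXT lookup before and after each DNS change catches these mistakes before receivers do.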
3. Can I have multiple DMARC records for a single domain?
No, a domain can have only one DMARC record. If multiple records exist, email providers may ignore the configuration, leading to authentication failures and security gaps.
4. How long does it take for a DMARC record to propagate?
DMARC record propagation time typically varies from a few minutes to up to 48 hours, depending on DNS caching and TTL (Time-to-Live) settings.
5. What happens if my DMARC record is invalid?
If a DMARC record is invalid, it can lead to a variety of issues, such as failed authentication attempts or checks and email deliverability issues, and your domain may even be vulnerable to spoofing.
6. What happens if the domain hasn’t published a DMARC record?
If you are a bulk sender with an unpublished DMARC record, you will face email rejections while sending messages to Google and Yahoo inboxes. Additionally, your domain may become a prime target for attackers, as there will be no restrictions on spoofing it.