DMARC is a protocol that helps prevent email fraud and phishing attacks by verifying the authenticity of incoming messages. To configure DMARC, create a DMARC record, choose a policy, configure SPF and DKIM, monitor DMARC reports, and adjust the policy as needed. The DMARC record specifies the policy for handling emails that fail authentication checks, and the policy can be set to none, quarantine, or reject. SPF and DKIM should be configured for your domain to ensure that your emails pass DMARC checks.

It’s important to regularly monitor DMARC reports and adjust the policy as needed to improve email authentication and protect your domain from fraud and phishing attacks.

What is a DMARC TXT Record?

DMARC is configured in TXT format that is published on your DNS. It validates the source of email messages by checking the From address against the address of the reported owner of the sending domain. The recipient’s server handles incoming emails depending on the verification results. You can set the record to take no action against unauthorized emails, quarantine them, or completely reject their entry to the mailbox.

A published DMARC record is also responsible for sending reports to the owner with data about all the emails seen from their respective domain.

Steps to Configure DMARC

To configure DMARC, you need to form a DMARC TXT record and publish it on DNS. if you own a custom domain or deploy on-premises Exchange servers, you have to know how to configure DMARC manually for all the outbound emails sent from your domain. The usual steps involved in the process are:

Step 1: Identify Valid Sources of Mail for Your Domain

If you have already implemented SPF, you must be aware of this drill. But you need to consider a few more points to configure DMARC for email authentication.

See which all IP addresses are allowed to send emails using your domain.
Check if the 5321.MailFrom and 5322.From (domains match for all the messages sent by third-party vendors on your behalf.

Step 2: Set Up SPF For Your Domain

Once you have made a list of all valid IP addresses that are allowed to send emails using your domain, set up SPF to avert phishing and spoofing attacks in your company’s name.

Step 3: Set Up DKIM For Your Custom Domain (optional but recommended)

Now that you have set up SPF, you need to set up DKIM as well to configure DMARC record. DKIM helps you add a digital signature to email headers. If you don’t reset DKIM configurations for your domain, there can be a DMARC failure as there will be a mismatch between the 5321.MailFrom and 5322.From addresses.

DMARC will also fail for emails sent by third-party vendors if the 5321.MailFrom and 5322.From addresses aren’t the same. You need to align your domain specifically with a third-party sender to avoid DMARC failure. This way, recipients’ servers don’t mark your emails as suspicious, which otherwise could impact the email deliverability rate.

Step 4: Form the DMARC TXT Record For Your Domain

The next step to take to configure DMARC is to create your DMARC TXT record in the following format:

_dmarc.domain TTL IN TXT “v=DMARC1; p=policy; pct=100”

Where:

domain is the domain you have to implement DMARC to. By default, the DMARC record shields mail from the domain and all the subdomains.
TTL has to be equivalent to one hour, which means you can set it to either hour (1 hour), minutes (60 minutes), or seconds (3600 seconds). It will depend on your domain registrar’s preference.
pct specifies that these DMARC rules are to be applied to 100% of emails.
Policy indicates how you want recipients’ mail servers to handle unauthenticated emails sent from your domain. You can set it to none, quarantined, or reject. Click here to read more about DMARC policies.

You can use our free DMARC record generator tool to create a record you can publish on your DNS. it automatically generates it so that you don’t have to do it manually. All you have to do is set a policy (none, quarantine, or reject) and choose your protocol alignment modes.

Post forming your record, the next step is to update it at your domain registrar.

Step 5: Add DMARC Record to DNS

Go to your DNS and select your domain. Then, click on Add to create a new DNS record. Also ensure, that you don’t have multiple records added. Enter the TXT values in the columns and save. Don’t forget to validate and monitor it from time to time using a DNS TXT record lookup tool. It reveals syntax or configuration errors and remediates them easily.

Final Words

Understanding how to configure DMARC helps you stay out of the reach of phishers and scammers as they exploit email messages by impersonating senders. To implement the DMARC protocol, you need to create a TXT record to be added to DNS. This is easy to generate using free tools where you have to select the policy, alignment mode, add the email address where you want to receive reports, and then add it to your DNS.

About
Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

How to Configure DMARC?