Understanding a DMARC Record & Adding One to Your DNS


Email-based communications can contain sensitive information, and when your company uses email to communicate, it makes sense that you want those messages to stay secure. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy created to protect email domains from criminals looking to steal your information. Along with DMARC, other email protections, like DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), can be used so that ISPs can distinguish legitimate emails from spoofing and other attacks.

For these protocols to work, they require instructions on enforcing these policies so that messages that fail authentication are handled appropriately. The instructions for DMARC come from DMARC records that are added to your domain’s DNS. Learn what a DMARC record is and how you can add one to your Domain Name System (DNS).

What is a TXT Record?

DMARC records contain information that the protocol follows to separate questionable emails on your server from legitimate ones. DMARC policies can operate in a certain way based on the instructions they receive in the form of a TXT record. A TXT record includes all the data listed in value fields and incorporates instructions and human-readable information for your server.

More importantly, TXT records are an ideal pathway for domain verification, although that wasn’t their initial intention. For DMARC policies to work, they need to reference the SPF and DKIM policies, which brings you to DMARC records.

What are DMARC TXT Records?

The pieces of a DMARC record were briefly discussed separately above. Bringing everything together, DMARC records are specialized TXT records containing DMARC information. Your server needs instructions on how to handle emails that fail authentication. DMARC TXT records have all the instructions necessary for your email server to control how your domain accepts or rejects incoming messages.

What Does an Example Look Like?

Your server needs DMARC records to enable a secure domain for your company’s important messages. Without one, your data is subject to cyber threats like email spoofing, phishing, or CEO fraud. A DMARC record has a simple structure that is made up of a few components.

Here’s an example of a DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

In a DMARC record, three tags provide the instructions for your domain. Pay attention to the three components in the above example. Each tag carries a specific value; the tags v, p, and rua mean the following:

  • v — Protocol version.
  • p — Policy for organizational domain.
  • rua — Reporting URI of aggregate reports.

The DMARC policy is identified by the p tag, and the rua determines the email address where you receive DMARC aggregate reports. The version and the email address are self-explanatory, but what does the policy mean?

What is a DMARC Policy?

The three values in the DMARC record each have their own meaning and provide instructions for the DMARC protocol to do its job. Each policy determines the action that your server takes when handling a questionable email. In the above example, the none policy was used, but you can use two other standard policies. Here’s a brief explanation of each policy:

  • none — When your server encounters a message that fails to authenticate, this policy does not take any further action, but you’ll still get notifications about what’s happening in your email. With this policy, you may see a message stating DMARC policy not enabled.
  • quarantine — This policy performs the action you think it would. When a message fails DMARC authentication, it’s put into your junk folder for later verification by you.
  • reject — Every message that fails authentication is refused and will never reach the recipient.
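The tag and policy rules above can be checked mechanically before a record is published. The following Python sketch is an added example, not code from the original article; the function names are hypothetical, and the pct tag it checks is the standard DMARC percentage tag that the generator steps later on this page refer to.

```python
# Added example: parse and sanity-check a DMARC TXT record value.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict, preserving tag order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of findings; an empty list means nothing to review."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    names = list(tags)
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p must be one of {sorted(VALID_POLICIES)}, got {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    # Assumption: only mailto: report URIs are accepted here.
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().lower().startswith("mailto:"):
            findings.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    if "rua" not in tags:
        findings.append("no rua tag; you will receive no aggregate reports")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be an integer from 0 to 100, got {pct!r}")
    return findings

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
                "p=reject; v=DMARC1; pct=150"):
        print(rec, "->", check_dmarc(rec) or "ok")
```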

With these policies, you can enable a DMARC policy that protects your business from cybercriminals. These standard policies should be more than enough for most companies. Still, if you’re curious, how can you know if your policy is working to protect you from attacks?

How do DMARC Reports Relate to a DMARC Policy?

DMARC policies contain instructions that govern how failed messages are handled, but they also include other instructions to manage the data generated during the DMARC process. To put it simply, server administrators need information, but running a server can produce excess data that may be overwhelming at first. To solve this problem, admins can set up reports that can be forwarded to another service, which distills them into a simpler form.

These are DMARC reports. These reports are crucial because they include data admins can use to adjust their DMARC policies to improve your server’s security.
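The distilling step described above can be illustrated with a short Python sketch that reduces an aggregate report to per-source pass and fail counts. This is an added example, not part of the original article: the XML is a constructed sample in the aggregate-report layout of RFC 7489, and the function names and sample values are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (documentation IP ranges).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>14</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>6</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, {source_ip: [dmarc_pass_count, dmarc_fail_count]})."""
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("refusing report with a DTD; reports come from outside parties")
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="unknown")
    per_source = defaultdict(lambda: [0, 0])
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip", default="?")
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        passed = "pass" in (dkim, spf)
        per_source[ip][0 if passed else 1] += count
    return policy, dict(per_source)

def failing_sources(report_xml):
    """Sources with at least one DMARC-failing message: review before tightening p."""
    _, per_source = summarize(report_xml)
    return {ip: c[1] for ip, c in per_source.items() if c[1]}
```

Sources that show up in `failing_sources` are either legitimate senders missing SPF or DKIM setup, or mail that would be blocked once the policy moves from none to quarantine or reject.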

How to Create a DMARC Record

You need to create the record before you can add a DMARC record to your DNS. If you’re setting up your policies for the first time, you likely won’t have a DNS record, but you can scan your records first to see their current state.

Check Your DNS with a DMARC Analyzer Tool

If you’re unsure about your DNS records, you can use a DMARC analyzer tool to scan your DNS records for the DMARC TXT record. We recommend the following tools:

Some hosting providers also have these tools readily available for admins to use. No matter which tool you use, you type in your domain name and click the "DMARC Lookup" or equivalent option. If you don’t have the proper setup, the analyzer will show a failed message.

Edit Your Domain’s DNS Record

Remember, DNS records include your mailbox and other relevant information. To edit the DNS records, you’ll have to log in to your server to access the DNS. If you can’t find where to gain access, try these areas:

  • Your DNS registrar
  • Your hosting control panel
  • Your CDN provider

Once you gain access, it’s time to add your DMARC TXT record to the DNS. You can do this one of two ways.

Method #1: Create a New Record Using a Sample DMARC Record

Cloudflare is relatively common, so we will use it to demonstrate creating a new record. If you don’t have a DMARC record, you can use this example to run this process:

  1. On the DNS record menu, click Add Record to make a new DMARC record.
  2. Next, choose to add a TXT record from the dropdown menu. In the Name field, type in _dmarc.
  3. Then, in the larger field, paste the DMARC record example from earlier.
  4. Save your new DMARC policy, and the new record is now added to your DNS.

Some providers also have a DMARC generator tool that comes standard with the domain. If you prefer this method, take a look at Cloudflare.

Method #2: Create a New Record Using a DMARC Record Generator

While still in the Cloudflare control panel, you can generate a DMARC record instead of coming up with your own. Usually, DNS record generators can make a DNS record for SPF, DKIM, and DMARC. Either way, this method keeps you from having to manually edit your record if you’re uncomfortable doing it.

Start the process by clicking the menu on the left-hand side of the Cloudflare dashboard.

  1. Next, click Email Security and then the Configure button; you’ll see the options to create a record for DKIM, SPF, or DMARC.
  2. Click Create Record in the DMARC area, and an interface will load up with options to enter your information.
  3. Starting with the Reporting Email Address, enter your details to receive DMARC reports.
  4. Next, enable the Policy you want to use for your DMARC policy using the radio buttons.
  5. After that, you’ll want to set a percentage of emails to filter for your DMARC policy. Some users set a certain percentage, but others just leave it at 100%.

Once you’ve entered all the fields, the DMARC record will be generated. If you’re happy with it, click Submit, and that’s it. You’ve successfully added a DMARC record to your DNS.

Bottom Line

Employing a DMARC policy for email authentication creates a robust layer of security to protect your domain from cybercriminals. Without the SPF, DKIM, and DMARC in place, your domain is subject to thousands of spam messages and email spoofing. Each message could be a potential data leak waiting to happen, so you’ll need to create a DMARC record.

While there are many email services out there, you can choose to send and receive your company’s messages with a premium business email.

At Liquid Web, we manage a secure alternative to other email providers by enacting strong DMARC policies in your domain. Through our breadth of hosting services and options, you can work with a trusted provider like us to offer your customers stability, professionalism, and secure communications. If you want to learn how to manage your email communications with customized filtering techniques, contact our sales team to set up your account today.
