How do I set up DMARC?
Email is used by many individuals and companies, but unfortunately it is also often abused by hackers.
Perhaps you have experienced this yourself: an email address of yours was abused by hackers, or your website sent out many mails because it had been hacked.
Several safeguards have been rolled out over time to counter spammers.
For example, we already have an SPF record, which lets the receiver verify that the sending mail server is actually authorized to send mail for the domain.
Furthermore, we also have DKIM, a kind of signature from the mail server, which the receiver also checks against the DNS.
But unfortunately, if your website or email password is hacked and mails are then sent through your own mail server, SPF and DKIM will still be correct.
In addition to SPF and DKIM, another safeguard has therefore been added that gives more insight into email traffic: DMARC.
What is DMARC and what does it do?
A DMARC record allows you to get more insight into the mails sent through the mail server on behalf of your domain.
You can also tell the receiving party what it should do with mail that fails the check.
The DMARC record can be set to check SPF, DKIM or both.
In the DMARC record you include an email address; the reports are sent to this address.
When do I receive my DMARC report and how often?
You often receive your first DMARC report after 24 hours.
A day later you will receive the next report.
What is in this report?
The mail contains an XML attachment. If you read it, it tells you exactly how many mails were sent, and how many of them had correct or incorrect DKIM and SPF.
You can also get a copy of the content if one of the SPF/DKIM requirements fails.
This gives you a good insight into whether all mails were sent correctly.
Can DMARC cause problems when it is set up incorrectly?
Yes it can. For example, when your SPF or DKIM is not set up correctly and you use p=reject, your mail will often be rejected by other parties.
What does a DMARC record look like?
DMARC is a DNS TXT record and can be set in the DNS section of your control panel.
There are several ways to set DMARC, depending on how you want the mail to be handled.
Below is an example of a DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarcrapport@voorbeelddomein.nl;
v=DMARC1;
The record begins with v=DMARC1;
This indicates that it is a DMARC record, and not SPF or DKIM.
p=quarantine;
Next it says: p=quarantine;
The p stands for policy (a term we also know from SPF, the Sender Policy Framework).
For the policy you have 3 options. These indicate what the advice is for the receiving party when the DMARC check fails, namely:
- none (this means the receiving party does nothing with it, but you still receive reports, so it is useful for research)
- quarantine (this means that the receiving party has to put the mails in the spam folder)
- reject (this means that the receiving party should not accept the mail).
rua (aggregate DMARC reports)
This is the email address the reports are sent to.
You will receive an XML file every day with an overview of how many mails were sent and how many had valid SPF and/or DKIM.
By default you receive a report once a day; you can specify a different interval, for example once a week.
You can do this by adding ri=xxx to the DMARC record, where xxx is the interval in seconds.
ruf (forensic DMARC failure reports)
In addition to rua there is also a ruf option. This option shows the content of the individual mails that fail DMARC, while rua only shows aggregated totals.
When setting up the DMARC record, you can specify for ruf when you want to receive a report.
For example, this could be when SPF fails, when DKIM fails, or only when both SPF and DKIM fail.
Relaxed or Strict
You can specify whether DMARC should be relaxed or strict about the alignment of the domains in the email.
In the example given earlier, you don't see relaxed or strict set.
This is because the default value for DMARC is relaxed.
In strict DKIM mode, DMARC checks whether the DKIM signing domain matches the From domain exactly.
When set to relaxed, it only checks whether the DKIM signing domain belongs to the same root domain as the From address.
However, according to sources, using strict mode does not provide any additional security.
For this reason it is advised to use relaxed mode, because strict makes configuring a lot more difficult.
If you still want to perform a strict check on SPF and/or DKIM, you can specify this with:
adkim=s; aspf=s
adkim indicates that the setting concerns DKIM, and =s indicates that it should be checked strictly (stringently).
The same applies to aspf.
pct=100
It is also possible to apply the DMARC policy to only a percentage of the sent mails.
By default the percentage is 100%, and it does not need to be specified if you want to keep 100%. If you want to apply the policy to a lower percentage, however, you need to include it in the DMARC record.
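As an added example (not code from the original article), the Python script below parses a DMARC record with the tags discussed above, fills in the defaults, and shows how relaxed versus strict alignment decides whether a mail passes or gets the policy applied. The root-domain logic is a simplification (last two labels) rather than the Public Suffix List that real validators use.

```python
from typing import Dict, Optional

# Defaults DMARC applies when a tag is absent (relaxed alignment, 100 %, daily reports).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "ri": "86400", "fo": "0"}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag dict, filling in defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: v=DMARC1 and p= are required")
    return {**DEFAULTS, **tags}

def org_domain(domain: str) -> str:
    """Simplified root (organizational) domain: the last two labels.
    Real validators use the Public Suffix List, so e.g. 'example.co.uk' needs that."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict (s): exact match with the From domain. Relaxed (r): same root domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf_pass: bool, spf_domain: Optional[str],
             dkim_pass: bool, dkim_domain: Optional[str]) -> str:
    """Return 'pass' if SPF or DKIM passed AND is aligned, otherwise the policy
    (none / quarantine / reject) the record asks the receiver to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed sample: the article's record, for a mail with From: @voorbeelddomein.nl
REC = "v=DMARC1; p=quarantine; rua=mailto:dmarcrapport@voorbeelddomein.nl;"
# DKIM signature from a subdomain: aligned under relaxed, not under strict
SUB = "mail.voorbeelddomein.nl"
print(evaluate(REC, "voorbeelddomein.nl", False, None, True, SUB))                 # pass
print(evaluate(REC + " adkim=s; aspf=s", "voorbeelddomein.nl", False, None, True, SUB))  # quarantine
```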
How do I get a DMARC record?
It is understandable that a DMARC record is not something you just type in, so there are several tools on the Internet that you can use to generate one.
Examples of DMARC generators are dmarcian and mxtoolbox.