How to Set Up DMARC Records for Email

Setting Up and Understanding DMARC Records

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to enhance email security. It builds on the authentication methods of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the authenticity of emails. DMARC is free to use and helps prevent email fraud, particularly phishing attacks. It lets domain owners dictate how unauthorized use of their email domains should be handled, through the policy (p=) published in the DMARC record.

What is a DMARC Record?

A DMARC record, housed in a TXT-type DNS entry named _dmarc, outlines policies and preferences for receiving email servers. It is composed of tags, each assigned a value (tag=value), separated by semicolons.

Understanding DMARC Policies (p=):

  • p=none: Monitors email traffic without taking further action.
  • p=quarantine: Sends unauthorized emails to the recipient's spam folder.
  • p=reject: Rejects unauthorized emails outright, preventing delivery.

How to Set Up a DMARC Record:

Set Up a Custom Sending Domain for Your Sub-account:

Before configuring DMARC, ensure you've established a Dedicated Sending domain in your sub-account if applicable.


If you’re using the LeadConnector email service:

Navigate to the settings tab > Email Service > Dedicated Domain & IP Address, and click "Add New Domain." Follow the provided steps to set up your dedicated sending domain.

Access Your DNS Settings:

Access the DNS settings for the domain you intend to set up DMARC for. These are typically available through the dashboard of your domain registrar or DNS hosting provider (e.g., GoDaddy, Cloudflare).

Create a DMARC Record:

Record Type: TXT

Name: _dmarc.yourdomain.com (Replace 'yourdomain.com' with your actual domain name.)

Value: v=DMARC1; p=none;

Note: If your email/sending domain is email.domain.com, then the ‘Name’ of your DMARC record will be ‘_dmarc.email’. If your email domain is domain.com, then the ‘Name’ will be ‘_dmarc’ (this is the same as _dmarc.domain.com; you don’t need to add the complete domain name in the ‘Name’ field when creating the record).

Key tags used in a DMARC record:

v (DMARC Version):

Default: DMARC1

Translation: Denotes the DMARC protocol version. Must always be set as "DMARC1". If missing or incorrect, the entire DMARC record is ignored.

p (Policy):

Default: none

Translation: Specifies the action for emails failing DMARC checks.

  • none: Collects feedback without impacting existing flows.
  • quarantine: Treats failing emails as suspicious, often directing them to the spam folder.
  • reject: Rejects all failing emails outright.

adkim (DKIM Alignment Mode):

Default: r

Translation: Specifies the alignment mode for DKIM signatures.

  • "r" (Relaxed Mode): Allows DKIM domains sharing a common Organizational Domain to pass.
  • "s" (Strict Mode): Requires an exact match between DKIM and email header-From domains.

aspf (SPF Alignment Mode):

Default: r

Translation: Similar to adkim but for SPF authentication.

  • "r" (Relaxed Mode): Allows SPF domains sharing a common Organizational Domain to pass.
  • "s" (Strict Mode): Requires an exact match between SPF and email header-From domains.

sp (Sub-domain Policy):

Default: p= value

Translation: Allows explicit publishing of a policy for sub-domains under this DMARC record.

fo (Forensic Reporting Options):

Default: 0

Translation: Determines conditions for generating forensic reports.

  • "0": Generates reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
  • "1": Generates reports if any mechanisms fail.
  • "d": Generates reports if DKIM signature fails.
  • "s": Generates reports if SPF fails.

ruf (URI for Forensic Reports):

Default: none

Translation: Specifies where to send Forensic reports (URIs in the form of "mailto:address@example.org").

rua (URI for XML Feedback):

Default: none

Translation: Specifies where to send XML feedback reports (URIs in the form of "mailto:address@example.org").

rf (Reporting Format for Forensic Reports):

Default: afrf

Translation: Determines the reporting format for individual Forensic reports.

pct (Percentage):

Default: 100

Translation: Specifies the percentage of email failures for which the policy should be applied. The policy must be "quarantine" or "reject" for the percentage tag to be applied.

ri (Reporting Interval):

Default: 86400

Translation: Sets the frequency of receiving aggregate XML reports.
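A record can be checked against the tag list above before it is published. The following Python sketch is an added example, not part of the original article or of any provider's tooling: it parses a TXT value, fills in the defaults listed above, and flags the conditions this page describes. The function name and the sample records are constructed for illustration.

```python
# Defaults taken from the tag list above.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "pct": "100", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return (effective_tags, warnings); effective_tags is None if the record is ignored."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None, ["v is missing or not DMARC1: the entire record is ignored"]
    warnings = []
    eff = {**DEFAULTS, **tags}
    eff["p"] = tags.get("p", "none").lower()
    if eff["p"] not in POLICIES:
        warnings.append("p=%s is not none, quarantine or reject" % eff["p"])
    eff["sp"] = tags.get("sp", eff["p"]).lower()  # sub-domains use p unless sp is set
    for mode in ("adkim", "aspf"):
        if eff[mode] not in ("r", "s"):
            warnings.append("%s must be r or s" % mode)
    if not eff["pct"].isdigit() or int(eff["pct"]) > 100:
        warnings.append("pct must be an integer from 0 to 100")
    elif eff["p"] == "none" and int(eff["pct"]) < 100:
        warnings.append("pct has no effect while p=none")
    if eff["p"] == "none":
        warnings.append("p=none only monitors: failing mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in eff.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                warnings.append("%s URI %s is not in mailto: form" % (tag, uri))
    if "rua" not in tags:
        warnings.append("no rua: no aggregate reports will be sent to you")
    return eff, warnings

if __name__ == "__main__":
    # Constructed sample records; example.org is a placeholder domain.
    for record in ("v=DMARC1; p=none;",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.org",
                   "p=reject; rua=mailto:dmarc-reports@example.org"):
        effective, notes = parse_dmarc(record)
        print(record, "->", effective, notes)
```

The minimal record from the setup step (v=DMARC1; p=none;) produces two warnings here: it only monitors, and without rua no aggregate reports arrive.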

Publish the Record:

Once the DMARC record is created, publish it by adding it to your domain's DNS settings. This is typically done through your domain registrar or DNS hosting provider's dashboard.

Monitor DMARC Reports:

After setting up the DMARC record, you'll receive aggregate and forensic reports at the email addresses specified in the record. These reports offer insights into how your domain's email is authenticated and delivered.
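To show what monitoring looks like in practice, the following added example (not from the original article) totals the messages in an aggregate XML report and lists the sending IPs whose mail failed DMARC, which is the list to review before moving from p=none to quarantine or reject. The sample report is constructed, uses documentation IP ranges, and follows the aggregate report layout defined in RFC 7489; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate report layout (trimmed to the fields used here).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""

def summarize_report(report_xml):
    """Return (total_messages, {source_ip: failing_messages}).

    A row passes DMARC when the evaluated dkim or spf result is "pass";
    it fails only when neither is.
    """
    # Reports arrive from third parties: in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    total, failing = 0, Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue  # malformed row: nothing to evaluate
        count = int(row.findtext("count") or 0)
        total += count
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            failing[row.findtext("source_ip")] += count
    return total, dict(failing)

if __name__ == "__main__":
    total, failing = summarize_report(SAMPLE_REPORT)
    print("messages reported:", total)
    for ip, count in sorted(failing.items(), key=lambda item: -item[1]):
        print("failing DMARC:", ip, count)
```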

By following these steps and configuring your DMARC policy, you can enhance your email security and protect your domain from fraudulent activities such as phishing. Regularly monitoring DMARC reports allows you to fine-tune your settings for optimal email authentication and delivery.
