Setting up DMARC
Introduction
Start here if you want to know more about how SPF, DKIM and DMARC work together.
SPF and DKIM operate independently, and DMARC connects the two mechanisms. DMARC is a DNS record that sets a policy defining how the recipient should respond to incoming mail for a domain, and whether or not to reject mail that is not SPF or DKIM validated.
This means that DMARC needs to be set up separately. We recommend that you begin with a lenient setup, as you can always review the rules in the DMARC policy later, once you receive feedback through the reports.
Setting up DMARC
Log in to your DNS manager and add a new DNS record of the type "TXT". Insert the following values, with "(domain)" replaced by your own domain name, and the e-mail address replaced by that of the intended recipient of the reports (we'll explain more about this at the bottom of the article):
- Type: TXT
- Hostname: _dmarc.(domain)
- TTL: 3600
- Text: v=DMARC1;p=none;pct=100;rua=mailto:aggrep@example.com
Your record should end up looking like this in the DNS manager:
_dmarc.(domain) TXT 3600 v=DMARC1;p=none;pct=100;rua=mailto:aggrep@example.com
In the beginning, we recommend setting the policy (p) to "none", so that nothing is rejected, but reports are still generated and sent back to the e-mail address defined in the record. Because of the "rua" tag, the recipient sends a status report back to the sender (us), which we can then use to see who may be pretending to send on behalf of our domain. Based on the report, we can customize our DMARC policy if needed.
A table of DMARC tags and their function:
Tag name | Purpose | Example |
v | Protocol version | v=DMARC1 |
pct | Percentage of messages subject to filtering | pct=20 |
ruf | Reporting URI for error reports (forensic reports) | ruf=mailto:authfail@example.com |
rua | Reporting URI for aggregate reports | rua=mailto:aggrep@example.com |
p | Policy for the organization's domain | p=none, quarantine, reject |
sp | Policy for subdomains on the organization's domain | sp=none, reject |
adkim | Alignment mode for DKIM | adkim=s |
aspf | Alignment mode for SPF | aspf=r |
You can read more about how to use the different tags here. If you want to design the DMARC policy for your domain, you can use https://dmarcian-eu.com to help you set up and monitor DMARC.
We also recommend this DMARC FAQ.
DMARC reports
As previously mentioned, you will receive reports based on the tags you added to your DMARC record in the initial phase. The reports are delivered as a file that can be opened in a spreadsheet or uploaded to an analyzer that can display the content in a format that is easy to read and analyze:
- DMARC XML to Human Converter (dmarcian.com)
- DMARC Report Analyzer (mxtoolbox.com)
Some services can be set up to receive the reports directly and present them in a graphical interface. For example, with dmarc.postmarkapp.com you can get a weekly status report with a summary sent to you.
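What an analyzer does with an aggregate (rua) report, as an added example that is not part of the original article: the script groups sending IPs by whether the DKIM and SPF results evaluated by the receiver passed. The sample report is constructed and trimmed to the fields used; the function name `summarize` and all IPs and counts are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, trimmed aggregate report (documentation IP ranges, made-up counts).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""


def summarize(report_xml):
    """Group message counts per source IP into pass / partial / fail buckets."""
    # Reports come from third parties: treat the XML as untrusted input
    # (a hardened parser such as defusedxml is a sensible choice in production).
    root = ET.fromstring(report_xml)
    result = {"policy": root.findtext("policy_published/p"),
              "pass": Counter(), "partial": Counter(), "fail": Counter()}
    for row in root.iterfind("record/row"):
        ev = row.find("policy_evaluated")
        passed = [ev.findtext(m) == "pass" for m in ("dkim", "spf")]
        # pass: both mechanisms OK; partial: DMARC still passes, but one
        # mechanism needs fixing; fail: neither passed, so p=quarantine or
        # p=reject would act on this mail.
        bucket = "pass" if all(passed) else "partial" if any(passed) else "fail"
        result[bucket][row.findtext("source_ip")] += int(row.findtext("count", "0"))
    return result


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("published policy:", summary["policy"])
    for bucket in ("pass", "partial", "fail"):
        for ip, count in summary[bucket].items():
            print(f"{bucket:8} {ip:15} {count} message(s)")
```

IPs in the "fail" bucket are either senders pretending to be your domain or legitimate systems missing from your SPF and DKIM setup; resolve the latter before moving the policy beyond "none".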
Useful links
- Understand SPF, DKIM and DMARC (e-mail)
- Setting up SPF
- Setting up DKIM
- DMARC FAQ (dmarc.org)
- DMARC Tags (mxtoolbox.com)
- DMARC testing tool (mxtoolbox.com)
- DMARC Record Generator (dmarcian.com)
- Further reading about DMARC (dmarcian-eu.com)