Domain-based Message Authentication, Reporting & Conformance


What is DMARC?

DMARC is an email authentication, policy and reporting protocol.

It builds on SPF and DKIM and allows you to protect your domain from fraudulent emails. You can detect and prevent spoofed emails claiming to come from your domain.


Getting Started

If you want to get started with DMARC, you first need to have SPF and DKIM in place.

If you're using a hosted mail provider like GSuite, O365, FastMail or others, search online for how to set up SPF and DKIM with those providers. This is generally a simple process that only requires you to set a DNS TXT record for SPF and a CNAME record for DKIM.


Here is our SPF record:


report-uri.com. 299 IN TXT "v=spf1 include:spf.messagingengine.com include:sendgrid.net ~all"


Here are our DKIM records:


fm1._domainkey.report-uri.com. 299 IN CNAME fm1.report-uri.com.dkim.fmhosted.com.
fm2._domainkey.report-uri.com. 299 IN CNAME fm2.report-uri.com.dkim.fmhosted.com.
fm3._domainkey.report-uri.com. 299 IN CNAME fm3.report-uri.com.dkim.fmhosted.com.


Your records will be different, so please don't copy and paste ours!


Enable DMARC

Once you have SPF and DKIM configured, you can enable DMARC. Enabling DMARC is as simple as creating a single DNS TXT record that contains the policy you would like enforced on your emails. Here is an example of what that might look like:


v=DMARC1; p=none; rua=mailto:scotthelme-d@dmarc.report-uri.com


DMARC is very flexible and you can be as strict or relaxed as you like in your policy. There are details on how to configure DMARC in the DMARC post linked below.
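
As an added example (not code from report-uri.com), the following Python checks a DMARC record's tags before it is published as a TXT record at _dmarc.<your domain>, and lists the DNS names where an external report receiver has to authorise the reports (RFC 7489, section 7.1). The function names and the domain example.com are assumptions made for illustration, and the subdomain test stands in for a full organizational-domain comparison.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def external_report_names(tags, policy_domain):
    """DNS names at which an external rua host must authorise reports.
    Assumption: a host is external unless it is policy_domain or below it."""
    names = []
    for uri in (u.strip() for u in tags.get("rua", "").split(",")):
        if not uri.lower().startswith("mailto:"):
            continue
        host = uri.rsplit("@", 1)[-1].split("!")[0].lower()  # drop "!10m" size limit
        if host != policy_domain and not host.endswith("." + policy_domain):
            names.append(f"{policy_domain}._report._dmarc.{host}")
    return names

def check_dmarc(txt):
    """Return a list of findings; an empty list means nothing was flagged."""
    tags = parse_dmarc(txt)
    findings = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none is monitoring only; receivers are asked to take no action")
    if "rua" not in tags:
        findings.append("no rua tag, so no aggregate reports will be sent")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        findings.append("pct must be an integer from 0 to 100")
    return findings

# Constructed sample: the record shown above, as if published for example.com.
SAMPLE = "v=DMARC1; p=none; rua=mailto:scotthelme-d@dmarc.report-uri.com"
if __name__ == "__main__":
    print(check_dmarc(SAMPLE))
    print(external_report_names(parse_dmarc(SAMPLE), "example.com"))
```
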


SPF - https://scotthelme.co.uk/email-security-spf/

DKIM - https://scotthelme.co.uk/email-security-dkim/

DMARC - https://scotthelme.co.uk/email-security-dmarc/