
A DMARC record is a DNS TXT record for a subdomain named _dmarc on any sender domain.

DMARC records can be placed on the organisational domain as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.

# host -t txt _dmarc.senderdomain.TLD
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject;;; rf=afrf; pct=100;"

The main purpose of DMARC is to set a policy (p). This policy defines the action that should take place when unauthenticated mail from this domain is received (and in no other case). The options are:

  1. none: to do nothing when authentication fails
  2. quarantine: to put the mail in the spam folder when authentication fails
  3. reject: to reject the message when authentication fails.

Only by using the reject policy can a domain be fully protected.

A secondary function of DMARC enables ISPs to send reports about the authentication success or failure for a domain. Those reports are sent to the addresses defined in two tags:

  1. rua: aggregated reports
  2. ruf: forensic reports
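
The following is an added example, not part of the original page: a simplified parser (following RFC 7489) for the record format shown above, plus the subdomain inheritance rule. The example.org names, the report addresses and the txt_records dictionary standing in for DNS are constructed; the sp tag (a separate policy for subdomains) comes from RFC 7489 and is not covered on this page.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict; raise ValueError if it is not usable."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():              # tolerate empty segments such as ";;;"
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    tags["p"] = tags.get("p", "").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()   # sp defaults to p (RFC 7489)
    if tags["p"] not in POLICIES or tags["sp"] not in POLICIES:
        raise ValueError("p and sp must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", 100))          # pct defaults to 100
    for key in ("rua", "ruf"):                       # comma-separated report URIs
        tags[key] = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
    return tags

def effective_policy(domain, org_domain, txt_records):
    """Policy for mail from `domain`: its own record, else the organisational one."""
    # txt_records maps DNS names to TXT values and stands in for a resolver.
    # org_domain is passed in; finding it for real needs the Public Suffix List.
    own = txt_records.get(f"_dmarc.{domain}")
    if own:
        return parse_dmarc(own)["p"]
    inherited = txt_records.get(f"_dmarc.{org_domain}")
    if not inherited:
        return None                                  # no DMARC policy published
    return parse_dmarc(inherited)["sp"]              # inherited: sp, which falls back to p

# Constructed sample data; names and addresses are placeholders.
SAMPLE_DNS = {
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:agg@example.org; "
                          "ruf=mailto:forensic@example.org; rf=afrf; pct=100;",
    "_dmarc.news.example.org": "v=DMARC1; p=none;;; pct=100;",
}

if __name__ == "__main__":
    for d in ("example.org", "news.example.org", "shop.example.org"):
        print(d, "->", effective_policy(d, "example.org", SAMPLE_DNS))
```

Here shop.example.org has no record of its own and inherits reject, while news.example.org publishes p=none and therefore is not covered by the organisational reject policy.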
