DMARC records allow recipients and senders to verify the authenticity of messages, as well as determine what to do with messages that are not DKIM validated.
Before configuring DMARC, SPF and DKIM records should be configured. I wrote about this in the articles:
How to configure SPF records
How to add DKIM record for iRedMail
Here is an example of a simple initial DMARC setup in which no action is taken on suspicious messages and reports are sent to the specified email address. To do this, add a TXT record in the DNS server settings (the “v” and “p” tags are required):
_dmarc TXT "v=DMARC1; p=none; rua=mailto:email@example.com"
In the test, after adding such an entry, Google periodically began to send messages about the successful (pass) or unsuccessful (fail) DMARC check.
v – determines the version of the protocol.
p – indicates what to do with suspicious messages coming to your domain: none – nothing, quarantine – mark as spam and quarantine, reject – do not accept such messages.
sp – indicates what to do with suspicious messages coming to all your subdomains, the values are the same as for “p”.
rua – defines the email address to receive reports.
pct – allows you to set the percentage of suspicious messages to which the DMARC rule is applied, the default is 100.
aspf – mode for checking the accuracy of SPF records: r is relaxed (soft) mode, the default, in which partial matches are allowed, for example, for subdomains; s is strict mode, in which only exact matches are allowed.
adkim – mode for checking the accuracy of DKIM records.
To see how DMARC works and to switch smoothly to the reject policy, first specify that a small percentage of suspicious messages should be marked as spam, then change the TXT record gradually, for example:
"v=DMARC1; p=quarantine; pct=20; rua=mailto:firstname.lastname@example.org"
"v=DMARC1; p=quarantine; pct=50; rua=mailto:email@example.com"
"v=DMARC1; p=quarantine; pct=100; rua=mailto:firstname.lastname@example.org"
"v=DMARC1; p=reject; pct=50; rua=mailto:email@example.com"
"v=DMARC1; p=reject; pct=100; rua=mailto:firstname.lastname@example.org"
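The tag rules and the staged rollout above, as an added Python example that is not part of the original article: parse_dmarc checks a record's tags and values, and check_rollout confirms that each step is at least as strict as the one before it. The function names and the dmarc@example.com report address are constructed for illustration; the adkim and sp defaults and the comma-separated rua list follow RFC 7489 rather than the article.

```python
# Added example, not the article's code. Defaults for adkim and sp follow RFC 7489.
POLICIES = ("none", "quarantine", "reject")  # weakest to strictest
ALLOWED = {"p": POLICIES, "sp": POLICIES, "aspf": ("r", "s"), "adkim": ("r", "s")}
DEFAULTS = {"pct": "100", "aspf": "r", "adkim": "r"}

def parse_dmarc(txt):
    """Parse one DMARC TXT value; return (effective_tags, errors)."""
    tags, errors = {}, []
    for part in filter(str.strip, txt.strip().strip('"').split(";")):
        name, sep, value = (s.strip() for s in part.partition("="))
        if not sep or not value or name.lower() in tags:
            errors.append(f"malformed or duplicate tag: {part.strip()!r}")
        else:
            tags[name.lower()] = value
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("record must begin with v=DMARC1")
    if "p" not in tags:
        errors.append("required tag p is missing")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name] not in allowed:
            errors.append(f"{name} must be one of: {', '.join(allowed)}")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for uri in tags.get("rua", "").split(","):  # several addresses are comma-separated
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            errors.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    return {**DEFAULTS, "sp": tags.get("p"), **tags}, errors  # sp falls back to p

def check_rollout(records):
    """Check an ordered list of records; enforcement must never go down."""
    problems, previous = [], (0, 0)
    for step, txt in enumerate(records, 1):
        tags, errors = parse_dmarc(txt)
        problems += [f"step {step}: {e}" for e in errors]
        if errors:
            continue
        level = (POLICIES.index(tags["p"]), int(tags["pct"]))
        if level < previous:
            problems.append(f"step {step}: enforcement drops below the previous step")
        previous = level
    return problems

# The article's rollout, in order (report address is a constructed placeholder).
STEPS = [("none", 100), ("quarantine", 20), ("quarantine", 50),
         ("quarantine", 100), ("reject", 50), ("reject", 100)]
ROLLOUT = [f"v=DMARC1; p={p}; pct={n}; rua=mailto:dmarc@example.com" for p, n in STEPS]
if __name__ == "__main__":
    print(check_rollout(ROLLOUT) or "rollout is valid and monotonic")
```

Running the check before each DNS change catches a step that would accidentally weaken the policy, such as publishing pct=50 after pct=100 under the same p value.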
You can have reports sent to several email addresses:
You can check the DMARC record with any online service, for example https://mxtoolbox.com/dmarc.aspx