DMARC records allow recipients and senders to verify the authenticity of messages, as well as determine what to do with messages that are not DKIM validated.
Here is an example of a simple initial DMARC setup in which no action is taken on suspicious messages and reports are sent to the specified email address. To do this, add a TXT record in the DNS server settings (the “v” and “p” tags are required):
_dmarc TXT "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org"
v – determines the version of the protocol.
p – indicates what to do with suspicious messages coming to your domain, none – nothing, quarantine – mark as spam and quarantine, reject – do not accept such messages.
sp – indicates what to do with suspicious messages coming to all your subdomains, the values are the same as for “p”.
rua – defines the email address to receive reports.
pct – allows you to set the percentage of suspicious messages to which the DMARC rule is applied, the default is 100.
aspf – mode for checking the accuracy of SPF records: r is relaxed (soft) mode, the default, in which partial matches are allowed, for example for subdomains; s is strict mode, in which only exact matches are allowed.
adkim – mode for checking the accuracy of DKIM records.
To check how DMARC works and switch smoothly to the reject policy, we first specify that a small percentage of suspicious messages should be marked as spam, and then gradually change the TXT record, for example:
"v=DMARC1; p=quarantine; pct=20; rua=mailto:email@example.com"
"v=DMARC1; p=quarantine; pct=50; rua=mailto:firstname.lastname@example.org"
"v=DMARC1; p=quarantine; pct=100; rua=mailto:email@example.com"
"v=DMARC1; p=reject; pct=50; rua=mailto:firstname.lastname@example.org"
"v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com"
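The tag rules and the staged rollout above can be checked before each record is published. The following Python code is an added example, not part of the original article: it validates a record against the tags listed above and confirms that a sequence of records only ever gets stricter. The function names are hypothetical, and the rule that "v" must be the first tag comes from the DMARC specification rather than from this page.

```python
# Added example (not from the original page): checks the tags described above.
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strictest
ROLLOUT = [  # the staged records from the text, in the order they are published
    "v=DMARC1; p=quarantine; pct=20; rua=mailto:email@example.com",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:firstname.lastname@example.org",
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:email@example.com",
    "v=DMARC1; p=reject; pct=50; rua=mailto:firstname.lastname@example.org",
    "v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com",
]

def parse_dmarc(txt):
    """Split a DMARC TXT value into a dict of tags, preserving tag order."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    return tags

def validate_dmarc(txt):
    """Return a list of problems; an empty list means the record is well formed."""
    tags, problems = parse_dmarc(txt), []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if tags.get("sp", "none") not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # default is 100
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for mode in ("aspf", "adkim"):
        if tags.get(mode, "r") not in ("r", "s"):  # r (relaxed) is the default
            problems.append(mode + " must be r or s")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append("rua entry is not a mailto: URI: " + uri)
    return problems

def rollout_is_gradual(records):
    """True if all records are valid and (policy, pct) never steps backward."""
    if any(validate_dmarc(r) for r in records):
        return False
    ranks = [(POLICIES.index(t["p"]), int(t.get("pct", "100")))
             for t in map(parse_dmarc, records)]
    return ranks == sorted(ranks)

if __name__ == "__main__":
    print("page rollout is gradual:", rollout_is_gradual(ROLLOUT))
```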
You can have reports sent to several email addresses:
You can check the DMARC record with any online service, for example https://mxtoolbox.com/dmarc.aspx