How to Set Up DMARC Records for Email Security
Setting Up and Understanding DMARC Records
What is DMARC?
DMARC (Domain-based Message Authentication Reporting and Conformance) is a vital security protocol designed to safeguard email communications. It integrates the authentication techniques of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify that emails are legitimate. DMARC allows domain owners to define rules for how unauthorized use of their domain should be managed, helping to prevent email spoofing and phishing attempts.
What is a DMARC Record?
A DMARC record is a DNS entry of type TXT, typically named _dmarc, that specifies how email servers should handle messages that fail authentication checks. It includes a series of tags with corresponding values, separated by semicolons, to set preferences and actions.
Understanding DMARC Policies (p=):
p=none: Monitor email activity without enforcing any specific actions.
p=quarantine: Flag suspicious emails and send them to the spam folder.
p=reject: Block unauthorized emails entirely, preventing them from reaching the recipient.
Steps to Set Up a DMARC Record
1. Configure a Custom Sending Domain (If Applicable)
Before setting up DMARC, ensure that your email system is configured with a dedicated sending domain for your sub-account (if relevant).
For users of the LeadConnector email service:
Go to the Settings tab, select Email Service, then navigate to Dedicated Domain & IP Address. Click on Add New Domain and follow the steps to set up your custom domain.
2. Access Your DNS Settings
Log in to your domain registrar or DNS hosting provider (e.g., GoDaddy, Cloudflare) to access the DNS settings of the domain where you want to apply DMARC.
3. Create the DMARC Record
In the DNS settings, create a new TXT record with the following details:
Record Type: TXT
Name: _dmarc.yourdomain.com (replace "yourdomain.com" with your actual domain)
Value: v=DMARC1; p=none;
Note: If your email domain is email.yourdomain.com, your DMARC record name will be _dmarc.email (that is, _dmarc.email.yourdomain.com). For a standard domain like yourdomain.com, the record name will be _dmarc.
Key DMARC Tags and Their Meanings:
v (DMARC Version):
Default: DMARC1
Specifies the version of DMARC. This must always be set to DMARC1, or the record will not be valid.
p (Policy):
Default: none
Defines the action taken when an email fails DMARC checks. Options include:
none: Gather reports but do not affect email flow.
quarantine: Treat failing emails as suspicious, usually sending them to spam.
reject: Block unauthorized emails entirely.
adkim (DKIM Alignment Mode):
Default: r (Relaxed)
Dictates how closely the domain in the DKIM signature must align with the domain in the email's "From" header.
r (Relaxed): DKIM alignment passes if the two domains share the same Organizational Domain.
s (Strict): DKIM alignment requires an exact domain match.
aspf (SPF Alignment Mode):
Default: r (Relaxed)
Similar to adkim, but for SPF authentication:
r (Relaxed): Allows related Organizational Domains to pass SPF alignment.
s (Strict): Requires an exact match between the SPF-authenticated domain and the "From" header domain.
sp (Sub-domain Policy):
Default: Mirrors the p= policy
Defines whether subdomains inherit the same DMARC policy as the parent domain or have their own policy.
fo (Forensic Reporting Options):
Default: 0
Controls when forensic reports are generated:
0: Send reports only if all authentication methods fail.
1: Send reports if any method fails.
d: Send reports only when DKIM fails.
s: Send reports only when SPF fails.
ruf (URI for Forensic Reports):
Default: none
Specifies the address (in mailto: format) where forensic reports are sent.
rua (URI for Aggregate Feedback Reports):
Default: none
Defines where aggregate XML feedback reports should be sent, using a mailto: address.
rf (Reporting Format for Forensic Reports):
Default: afrf
Determines the format for forensic reports.
pct (Percentage):
Default: 100
Sets the percentage of emails that should be subjected to the DMARC policy. This tag only has an effect when the policy is "quarantine" or "reject".
ri (Reporting Interval):
Default: 86400 (24 hours)
Controls how often aggregate reports are sent, measured in seconds.
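The following Python script is an added example, not part of the original article or of any email provider's tooling. It parses a DMARC record string into its tags, checks the constraints described above (v=DMARC1, a required p=, legal values for each tag, mailto: report URIs, pct between 0 and 100) and fills in the listed defaults, so a record can be sanity-checked before it is published in DNS. The names parse_dmarc, policy_for, is_valid_dmarc and dmarc_record_name are assumptions made for this example; the requirement that v=DMARC1 be the first tag and the colon-separated syntax of fo= come from RFC 7489 rather than from the article.

```python
"""Parse and sanity-check a DMARC TXT record before publishing it.

Added example, not from the article. parse_dmarc(), policy_for(),
is_valid_dmarc() and dmarc_record_name() are hypothetical helper names.
"""

# Defaults for optional tags, as listed in the article; sp defaults to p.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "pct": "100", "ri": "86400"}

# Tags with a fixed set of legal values.
ALLOWED = {
    "v": {"DMARC1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "rf": {"afrf"},
}
FO_OPTIONS = {"0", "1", "d", "s"}


def dmarc_record_name(domain: str) -> str:
    """Owner name of the TXT record: the _dmarc label in front of the sending domain."""
    return "_dmarc." + domain.strip().strip(".").lower()


def parse_dmarc(record: str) -> dict:
    """Split a record into tags, validate them and fill in defaults.

    Raises ValueError with a reason for anything a DMARC receiver would
    discard. Unknown tags are kept but not validated (receivers ignore them).
    """
    parts = [p.strip() for p in record.split(";")]
    parts = [p for p in parts if p]
    # RFC 7489: the version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    if "p" not in tags:
        raise ValueError("p= policy tag is required")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key] not in allowed:
            raise ValueError(f"invalid value for {key}: {tags[key]!r}")
    for key in ("pct", "ri"):
        if key in tags and not tags[key].isdigit():
            raise ValueError(f"{key} must be a non-negative integer")
    if "pct" in tags and not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    # fo= is a colon-separated list of options, e.g. fo=1:d (RFC 7489 syntax).
    if "fo" in tags and not set(tags["fo"].split(":")) <= FO_OPTIONS:
        raise ValueError(f"invalid fo options: {tags['fo']!r}")
    # Report destinations must be mailto: URIs; several may be comma-separated.
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{key} must use mailto: URIs, got {uri!r}")
    effective = {**DEFAULTS, **tags}
    effective.setdefault("sp", effective["p"])  # subdomains mirror p unless sp is set
    effective["pct"] = int(effective["pct"])
    effective["ri"] = int(effective["ri"])
    return effective


def policy_for(effective: dict, subdomain: bool = False) -> str:
    """Policy a receiver applies to mail from the domain itself or from a subdomain."""
    return effective["sp"] if subdomain else effective["p"]


def is_valid_dmarc(record: str) -> bool:
    """True if parse_dmarc() accepts the record."""
    try:
        parse_dmarc(record)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none;",
                "v=DMARC1; p=reject; sp=quarantine; pct=50; rua=mailto:dmarc@example.com; fo=1:d",
                "p=none; v=DMARC1"):
        print(rec, "->", parse_dmarc(rec) if is_valid_dmarc(rec) else "INVALID")
```

Running the script shows the starter record from step 3 expanding to its effective values (sp=none, pct=100, ri=86400, relaxed alignment) and rejects a record whose version tag is not first. The effective dictionary is also what you would compare against the policy_published block of incoming aggregate reports to confirm receivers are seeing the record you intended.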
4. Publish the DMARC Record
After you've created the record, publish it by adding it to your domain's DNS. This is done through your domain registrar's or DNS provider's control panel.
5. Monitor DMARC Reports
Once the DMARC record is live, you’ll start receiving reports that give insight into the authentication status of your domain's emails. These reports help identify any unauthorized use and allow you to fine-tune your email authentication policies.
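As an added example (not from the article), the script below reads a DMARC aggregate report of the kind delivered to the rua= address and rolls it up into the numbers a domain owner actually acts on: how much mail produced an aligned DKIM or SPF pass, how much failed both, and which source IPs sent the failures. The XML is a constructed sample in the RFC 7489 aggregate-report layout using documentation addresses; summarize_aggregate_report and ready_for_enforcement are hypothetical helper names, and the 98% aligned-pass threshold for moving beyond p=none is an assumption made for this example, not a rule from the page.

```python
"""Summarize a DMARC aggregate (rua) report.

Added example, not from the article. summarize_aggregate_report() and
ready_for_enforcement() are hypothetical helpers; SAMPLE_REPORT is a
constructed report in the RFC 7489 aggregate-report layout.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (not real data): three sending sources seen by one
# receiver over a day, while the domain is still at p=none.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><spf><domain>bulk-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text: str) -> dict:
    """Roll up one aggregate report into totals a domain owner can act on.

    Reports come from third-party receivers, so treat them as untrusted
    input; this parser reads only the elements it needs.
    """
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    summary = {
        "domain": policy.findtext("domain"),
        "published_policy": policy.findtext("p"),
        "total": 0,             # messages covered by the report
        "aligned_pass": 0,      # DKIM or SPF produced an aligned pass
        "both_fail": 0,         # neither did: spoofing, or a sender not yet authorized
        "by_disposition": Counter(),
        "failing_sources": [],  # (source_ip, count) for the both_fail rows
    }
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* results that DMARC acts on;
        # auth_results holds raw SPF/DKIM outcomes, where a pass may be unaligned
        # (the second record: SPF passed for bulk-sender.example, not for the From domain).
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        summary["total"] += count
        summary["by_disposition"][evaluated.findtext("disposition")] += count
        if dkim_aligned or spf_aligned:
            summary["aligned_pass"] += count
        else:
            summary["both_fail"] += count
            summary["failing_sources"].append((row.findtext("source_ip"), count))
    summary["by_disposition"] = dict(summary["by_disposition"])
    return summary


def ready_for_enforcement(summary: dict, min_pass_ratio: float = 0.98) -> bool:
    """Assumed rule of thumb: tighten p= only once nearly all mail passes aligned."""
    if summary["total"] == 0:
        return False
    return summary["aligned_pass"] / summary["total"] >= min_pass_ratio


if __name__ == "__main__":
    result = summarize_aggregate_report(SAMPLE_REPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("ready for quarantine/reject:", ready_for_enforcement(result))
```

On the constructed report, 128 of 143 messages pass aligned and 15 from one source fail both checks, so the summary flags that source for investigation (either a legitimate service that still needs SPF/DKIM for your domain, or unauthorized use) and reports the domain as not yet ready to move from p=none. Real reports arrive as compressed attachments, one per receiver per reporting interval (ri=), so the same function would be run over each decompressed file and the totals merged.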
By setting up DMARC and carefully monitoring your reports, you enhance your email security, helping to protect your domain from fraud, phishing, and other malicious activities. Periodically reviewing and adjusting your DMARC settings ensures your domain remains secure and email delivery is optimized.
