ResourcesKnowledge Base

DMARC record

What is a DMARC record and how to deploy it to the domain DNS correctly.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technology that builds on SPF and DKIM and provides a superstructure that allows the two technologies to be linked to protect domains and brands from misuse by third parties.

SPF (Sender Policy Framework) is a basic security technique that verifies that email is sent from a legitimate IP address.

DKIM (DomainKey Identified Mail) is a method that protects the content of email by creating a digital signature.

However, it is not just about protection technology, but above all about monitoring, which, if you use DMARC, will also allow you to look into information about how and by whom your domain is being abused.

DMARC technology is basically for everyone, but certain companies should place more emphasis on its implementation – especially banks, service and energy suppliers, state and local government institutions, as well as companies that have invested in their brand and want to protect it. Recipients of DMARC-authorized messages, for which the origin is quite clear, can trust that the sender is indeed the person who claims to be. It is credibility, which is emphasized, that is the main reason for deployment on entities that may face confusion.

How to deploy DMARC record

In order to be able to use all the possibilities that Mailkit offers you for working with DMARC, you need to deploy a record in the following format in your domain's DNS:  _dmarc IN CNAME

Be note that the record usually needs to be deployed including the dot at the end. You can verify the correct deployment of the record using the DMARC Inspector at Once properly deployed, the DNS record will look like this:
v=DMARC1; p=none;;

Let's see what the record consists of:

Tag Value Description
v DMARC1 DMARC record version. It should always have a value of “DMARC1”. An incorrect or missing version of a record would cause the entire record to be ignored.
p none Policy applied to emails for which the DMARC check fails.

none – is used to collect feedback and gain visibility into email streams without impacting existing flows.

quarantine – allows providers (mail receivers) to treat emails that fail the DMARC check as suspicious. These emails usually end up in the SPAM folder.

reject – outright rejects all emails that fail the DMARC check (ie emails are then not delivered to the recipients at all).
rua The RUA address is for sending aggregated data from domains that received your messages, that were presented as being sent from your domain.

Thanks to the RUA address, you can then see detailed data on email flows on your domain in Deliverability Report, which you can then analyze. The aim of the analysis should be to examine each unverified email and possibly modify the SPF record or deploy DKIM records on servers so that 100% authentication is achieved.

But DMARC is not just a sophisticated and advanced technology for email authentication and domain protection. For marketers, the implementation of BIMI is a much more attractive topic. Don't know what BIMI is? Read our Guide to BIMI. You can already prepare for BIMI in Gmail. You will find out what you need to do in the article on our blog.

If you have any questions about deploying the correct DMARC record, displaying deliverability reports or preparing BIMI, do not hesitate to contact our Customer support.