Friday, May 24, 2024

How To Setup Dmarc For A Domain

Don't Miss

Cpanel Dmarc Setup: Publish A Dmarc Record On Cpanel These 3 Easy Steps

What is & How To Setup a DMARC record For Your Domain(s)??
  • Log in to your cPanel account and navigate to the dashboard.
  • Navigate to the Domains section > DNS Zone Editor. Click on the Manage button for your desired domain.
  • In the form that appears, enter the following details and click on the +Add Record button:
  • In the Host field, type _dmarc.
  • From the Type drop-down list, select TXT.
  • In the TXT Value field, enter the record sent to you by email or generated using EmailAuths DMARC Generator.
  • You have now successfully added the record!

    Check the published DMARC record using EmailAuths DMARC validator. It may take anywhere between 24 to 72 hours for the record to reflect in your DNS.

    Publish A Dmarc Record With Your Dns Registrar Then Monitor The Results

    Within your DNS registrar, you’ll need to create a TXT resource record that receivers can use to determine your DMARC preferences. This is done within the DNS registrar of the domain hostlikely the same place you created the DNS records for the authenticated domain. This record is made at the root level for the domain, not the subdomain.

    A simple DMARC record


    For details about DMARC records, see the DMARC Records section of Everything about DMARC where you’ll find detailed explanations of every tag in a DMARC record.

    Always start out using the p=none policy. You can move to p=quarantine or p=reject when you better understand your sending reputation.

    Lets Start With Explaining What The Dmarc Protocol Is

    DMARC stands for Domain-based Message Authentication, Reporting and Conformance.

    It is a protocol that was built in addition to the existing protocols SPF and DKIM. It was designed to protect the domain part of your email address from being used in spoofing or phishing attacks.

    For example, in the bolder part is the domain.

    Authentication in DMARC is achieved by implementing SPF and DKIM for each and every legitimate service sending emails using your domain. For example, if your business uses G Suite, Mimecast, Salesforce and Mailchimp, you will need to set up SPF and DKIM for all of these services. But, DMARC needs to be implemented first in order to gain visibility into all the services that are using your domain.

    DMARC provides reporting functionality, which means that by publishing the DMARC record in your DNS, you will start receiving reports showing how your domain is being used and by who around the world. These DMARC reports are sent by the recipients of any emails that use your domain or subdomain as the sending address.

    Recommended Reading: How Do I Get A Domain Name For My Website

    Setting Up The Dmarc Record

    Go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:



    • v=DMARC1: The protocol version is DMARC1.
    • p=none: We choose none as the policy for our domain.
    • pct=100: The percentage of emails from your domain DMARC applies to
    • rua stands for reporting URI for aggregate report. The email address is used to tell receiving email servers where report should be sent. Replace with your real email address that is used to receive aggregate DMARC report.

    There are 3 policies you can choose from:

    • none: tells receiving email servers not to do anything special if DMARC check fails.
    • quarantine: tells receiving email server to put the email into spam folder if DMARC check fails.
    • reject: tells receiving email servers to reject the email if DMARC check fails

    p=none is a good start. You should analyze the data for some time. Once you have enough data, you can change the policy from none to quarantine or reject.

    Theres another tag that you can add to the DMARC record: fo. It has four possible values.

    • 0 : generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result
    • 1: generate reports if any mechanisms fail.
    • d: generate a report if DKIM signature failed verification.
    • s: generate a report if SPF failed

    I recommend using fo=1 first to generate more comprehensive DMARC failure reports. When you change to a more restrictive policy, use fo=0.

    # dig txt +short

    How To Interpret Dmarc Report


    There are two kinds of DMARC reports.

    • Daily XML-based aggregate report generated by Gmail, Yahoo, Hotmail, etc.
    • Real-time forensic reports

    Normally you only want to receive the aggregate report. The data that DMARC produces is invaluable for understanding what is going on for any given email domain. However, raw DMARC report data is super hard to read and understand. Luckily, Postmark offers a free service to process these reports, presents you a much more readable report. The nice part about Postmark is that you can tell receiving email servers to send XML reports directly to Postmark for processing. So instead of entering your email address in the DMARC record, you enter an email address of that is unique to you.


    You can also specify multiple email addresses, separated by commas.


    After your DMARC record has been verified by Postmark, you will receive a DMARC report weekly every Monday in your email inbox. You dont need to register an account at Postmark.

    To better understand the unknown source and how your domains are used, you can choose to receive forensic report by adding the ruf tag in DMARC record like below.


    You May Like: How Much To Purchase A Domain Name

    Best Practices For Implementing Dmarc In Microsoft 365

    You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll-out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step.

  • Monitor the impact of implementing DMARC

    Start with a simple monitoring-mode record for a sub-domain or domain that requests that DMARC receivers send you statistics about messages that they see using that domain. A monitoring-mode record is a DMARC TXT record that has its policy set to none . Many companies publish a DMARC TXT record with p=none because they are unsure about how much email they may lose by publishing a more restrictive DMARC policy.

    You can do this even before you’ve implemented SPF or DKIM in your messaging infrastructure. However, you won’t be able to effectively quarantine or reject mail by using DMARC until you also implement SPF and DKIM. As you introduce SPF and DKIM, the reports generated through DMARC will provide the numbers and sources of messages that pass these checks, and those that don’t. You can easily see how much of your legitimate traffic is or isn’t covered by them, and troubleshoot any problems. You’ll also begin to see how many fraudulent messages are being sent, and from where.

  • How To Set Up A Dmarc Record For Your Domain

    In the past DMARC used to be optional part of your domain’s settings.

    However spam filters are continuing to get more strict as mail providers attempt to limit spam. Many major email providers have started to deliver emails from domains without a DMARC record directly to spam.

    DMARC is now a critical element of your domain settings and we recommend setting up your DMARC record to make sure your emails are not ending up in your recipient’s spam folder.

    You can check to see if your DMARC record is set up correctly by checking your Domain health on a tool like MX Toolbox.

    Here’s how to get that set up:

    Also Check: How To Access Google Domain

    Add A Dmarc Record Using Our Example

    Now were going to edit the DNS for your domain and add a DMARC record.

    DNS is a set of instructions that tell servers where to find your site content, email mailbox, and more. To edit your DNS, you need to log in to the provider handling the DNS zone for your domain.

    If youre not sure where it is, you can try:

    • Your web hosting control panel: If you purchased your domain and hosting as a package, your DNS is probably handled by your web hosting company. Youll want to log into your hosting control panel and look for a menu called DNS or DNS Zone.
    • Your DNS registrar: If you purchased your domain by itself, the DNS is probably managed by the company you bought it from.
    • Your CDN provider: If youre using a CDN like Cloudflare, your DNS records will be hosted within the CDN settings.

    In this example, well show you how to create a DMARC record in Cloudflare.

    The steps are very similar for other domain registrars or hosts, including:

    When you open up your DNS, double-check that you dont already have any DMARC records set up.

    You cant have more than 1 DMARC record in your DNS. But dont worry: our example record will cover all of the subdomains under your domain, and all of the email addresses you send mail from.

    Assuming you dont, lets move on and add a DMARC TXT record.

    Godaddy Dmarc Setup In 3 Simple Steps

    How to Enable DMARC for G Suite or Google Workspace | Set up a DNS record DMARC for Google.
  • Sign in to your GoDaddy account. Navigate to the My Products tab and locate the domain you wish to add the DMARC record to. Click on the DNS button next to it.
  • In the DNS Management window, click on the add button in the records section.
  • In the subsequent form, enter the following details before clicking Save:
  • From the Type drop-down list, select TXT
  • In the Host field, enter _dmarc
  • In the Value TXT field, enter the record sent to you by email or generated using EmailAuths DMARC Generator.
  • You have now successfully added the record!

    Check the published DMARC record using EmailAuths DMARC validator. It may take anywhere between 24 to 72 hours for the record to reflect in your DNS.

    Recommended Reading: What Is A Domain Name For

    Add Dmarc Record To Your Domains Dns

    Once you have your record, you can go ahead and add it as a DNS Record. You may be able to do it on your own or, in some cases, with the help of your hosting provider.

    In the domain registrar, you need to add the newly-created DMARC as a TXT record. We wont go through any details here as the process differs for each provider. If you did everything correctly, though, you should receive your first reports within the next 24 hours.

    Taking Dmarc To Scale

    Setting up DMARC in DNS only takes a few minutes. But to be effective against brand impersonation, DMARC must be set to its highest enforcement level, p=reject. And while this is relatively straightforward when youre talking about a single domain, it can be complicated and time consuming for organizations with thousands of domains spanning dozens of email senders and outside email distribution partners.

    However, when deployed using automated DMARC implementation solutions such as Agari Brand Protection, large organizations have been able to rapidly drive phishing-based brand impersonations to near zero. Not only does this preserve brand reputation and the efficacy of revenue generating email programs, it also protects employees, customers, partners and the general public from costly email scams.

    For more information on DMARC adoption and its benefits, download Getting Started with DMARC from Agari.

    Recommended Reading: Who Is My Domain Hosting Provider

    Frequently Asked Questions About Dmarc

    Now you know how to create a DMARC record, lets look at some other important questions.

    Lets start looking at the answers to these DMARC questions.

    What Does DMARC Stand For?

    DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

    How Does DMARC Work?

    The DMARC protocol checks the SPF and DKIM records for your domain. If the email server cant find any SPF or DKIM records, it looks at DMARC to figure out what to do with the outbound mail.

    Based on the content of the DMARC record, the server might:

    • Quarantine your emails
    • Send them to the junk or spam folder
    • Reject them altogether.

    Thats why its best to set up DKIM, SPF, and DMARC together. That way, the email server can easily separate emails from a legitimate sender from any spam messages that are sent using your domain.

    DMARC has other functions too. For example, it generates technical reports about the actions its taken. You might receive these reports if you use your email address in the DMARC rule.

    In most cases, you dont need to worry about DMARC reports unless you have other issues with spam or email deliverability.

    Who Can Use DMARC Records?

    Anyone who owns a domain name can use DMARC to verify that the emails they send are genuine. There is no charge to use it.

    Some third-party providers will say that it isnt worth using DMARC on a small site. But we always recommend that you set up DMARC anyway because it helps to stop WordPress emails from going to spam.

    Should I Add a PTR Record?

    Deploy Dmarc Record In Other Dns Server

    Authentication Blog Series: Part 3  DMARC

    If your domain is hosted by other ISP, as most ISP provide DNS Web administration to set up DMARC record. If you are not DNS server administrator, or your domain is hosted by other DNS server, please send the information in Record Name and Record Value to your domain DNS server administrator for assistant.

    If you have any problem in DomainKeys/DKIM/SPF/DMARC record implementation, please contact.

    See Also

    Recommended Reading: What Domain Name Should I Use

    How To Add Dmarc Record In Cpanel: Cpanel Dmarc Setup Guide

    This post provides step-by-step instructions on how to add a DMARC record in cPanel.

    About DMARC records

    First of all, a DMARC record is a TXT record published to the DNS for your domain, under, where is your actual domain or subdomain. It tells the email receiver what to do when an email message fails DMARC authentication, and also where to send reports on email delivery statistics.

    For more information on DMARC records, refer to: Everything about a DMARC Record.

    Generate your DMARC record

    Before moving on, make sure you have generated your DMARC record, using our free DMARC record generator.

    Publish the DMARC record in cPanel

    Now the record is ready, follow the steps below to publish it!

    1. Log in to cPanel

    Go to your cPanel portal, enter your credentials to log in to its dashboard.

    2. Locate your domain

    Navigate to Domains, then click Advanced DNS Zone Editor:

    Then click the Manage button of the domain of your choice:

    3. Create the record entry

    Create a TXT entry on your domain with these settings:

    Type: TXTHost: _dmarcTXT Value: TTL: 1 hour

    Make sure the record type is TXT, host is set to _dmarc, value is set to the record generated above. Click the Add Record button to save the settings. Now you have added the record!

    4. Check the published DMARC record

    That’s how you add a DMARC record in cPanel.

    Why You Should Deploy Dmarc

    Deploying DMARC for your email systems is a powerful way to help prevent malicious entities from potentially spoofing or otherwise tarnishing your reputation as a trustworthy email sender. DMARC isn’t for everyone. If you own a small domain, you’re probably OK without it. If you have ever had problems with phishing, or if you operate a finance-related business, implementing DMARC may be a good decision.

    DMARC, in conjunction with a dedicated IP , is a great start to getting industry-supported peace of mind.

    Twilio SendGrid now offers additional DMARC enforcement and monitoring options in partership with Valimail. Click here for more information.

    Recommended Reading: How To Get Net Domain For Free

    More articles

    Popular Articles