Bastify | Hosting, domain registry, vps, mail and SSL

The importance of DMARC for the domain

Bussiness 24 Jan, 2021

At Bastify, we are implementing the DMARC policy in our clients, which we consider essential for improving the domain&;#39;s email and reputation.

DMARC stands for “Domain-Based Message Authentication, Reporting, and Conformance.” DMARC is a protocol that uses the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email message. DMARC requires that SPF and DKIM fail before you can act on a message.

Your DMARC record is published along with your records DNS, including:

  • SPF
  • A-record
  • DKIM

Unlike SPF and DKIM, a properly configured DMARC policy can tell the receiving server whether or not to accept an email from a particular sender. It&;#39;s important to note that not all receiving servers will perform a DMARC check before accepting a message, but all major ISPs do and their implementation is growing.

DMARC Benefits

  1. Publishing a record DMARC protects your brand by preventing unauthenticated third parties from sending mail from your domain. In some cases, simply publishing a DMARC record can result in a positive reputation boost.
  2. Consuming DMARC reports increases the visibility of your mail program by letting you know who is sending mail from your domain.
  3. DMARC helps the email community establish a consistent policy for dealing with messages that are not they authenticate. This helps the email ecosystem as a whole become more secure and reliable.

What does a DMARC record look like?

You can see what a DMARC record looks like by typing on your terminal. You can also go to to view the DMARC record for any domain if they have one published.

Here is an example DMARC record: This is the SendGrid DMARC record:

v = DMARC1 \; p = none \; rua = \; ruf = \; rf = afrf \; pct = 100

Let&;#39;s analyze a DMARC record

“V = DMARC1” This is the identifier that the receiving server looks for when it scans the DNS record for the domain from which it received the message. If the domain does not have a txt record starting with v=DMARC1, the receiving server will not run a DMARC check.

“P = none” This part tells the receiving server what to do with messages that fail DMARC. In this case, the policy is set to "none". This means that the receiving server will take no action if a DMARC message fails. This can still be valuable to a sender, because DMARC sends reports that alert the domain administrator of any DMARC failures.

«P = none» is generally a recommended first step in implementing a policy that will eliminate unauthorized mail. Most people are surprised to find out how many different people/groups/organizations are sending mail (legitimate or not) on behalf of their domain. Other options for the p= field are "quarantine" and "reject". » quarantine » will set messages aside for further processing; In most cases, this means it will be sent to the spam folder. “Reject” will stop messages directly.

“Rua = mailto: ” This part tells the receiving server where to send aggregated DMARC failure reports. These aggregated reports are sent daily to the administrator of the domain to which the DMARC record belongs. They include high-level information about DMARC failures, but do not provide granular details about each incident. It can be any email address you choose.

“Ruf = mailto: dmarc@sendgrid .com” This part tells the receiving server where to send DMARC forensic crash reports. These forensic reports are sent in real time to the administrator of the domain to which the DMARC record belongs. These forensic reports contain details about each individual failure. This email address must be from the domain for which the DMARC record is published.

“Rf = afrf” This part tells the receiving server what type of report the policyholder wants. rf means report format. In this case, rf = afrf means added crash report format.

«Pct = 100» This part tells the receiving server how much of its mail should be subject to the DMARC policy specifications. In this case, if p = was set to reject, 100% of the mail that failed DMARC would be rejected.

There are several other mechanisms that can be included in a DMARC record. Here are a few:

“Sp =” This part would tell the receiving server whether or not to apply the DMARC policy to subdomains.

«Adkim =» Sets the DKIM alignment. It can be set to "s" for strict or "r" for relax. Strict means that the DKIM portion of the DMARC authentication will only pass if the d= field in the DKIM signature EXACTLY matches the from domain. If set to relaxed, messages will pass the DKIM portion of DMARC authentication if the DKIM d= field matches the root domain of the source address.

«Ri =» This sets the interval for how often you want to receive aggregated failure reports from DMARC.

AAs DMARC implementations spread, so will DMARC failures. Some applications and/or web have features that allow a user to send an email to themselves or a friend. Often, the website or app sends these emails from the user&;#39;s email address ( Due to Yahoo&;#39;s DMARC policy, these messages will be rejected by any receiving server that performs a DMARC check. The same DMARC failure will occur if an unauthorized user attempts to send mail for any domain that publishes a DMARC record with a p = "reject".

If you do not have DMARC policy on your domain, please contact us.

Subscribe now to Our Newsletter
and get the Coupon code.

All your information is completely confidential

We're in touch!

We are delighted to hear from you


+ 34 900 433 204



Modesto Lafuente 25

España(Madrid), 2803