What does a DMARC record look like?
You can see what a DMARC record looks like by typing on your terminal. You can also go to https://dmarcian.com/dmarc-inspector/ to view the DMARC record for any domain if they have one published.
Here is an example DMARC record: This is the SendGrid DMARC record:
v = DMARC1 \; p = none \; rua = mailto:email@example.com \; ruf = mailto:firstname.lastname@example.org \; rf = afrf \; pct = 100
Let&;#39;s analyze a DMARC record
“V = DMARC1” This is the identifier that the receiving server looks for when it scans the DNS record for the domain from which it received the message. If the domain does not have a txt record starting with v=DMARC1, the receiving server will not run a DMARC check.
“P = none” This part tells the receiving server what to do with messages that fail DMARC. In this case, the policy is set to "none". This means that the receiving server will take no action if a DMARC message fails. This can still be valuable to a sender, because DMARC sends reports that alert the domain administrator of any DMARC failures.
«P = none» is generally a recommended first step in implementing a policy that will eliminate unauthorized mail. Most people are surprised to find out how many different people/groups/organizations are sending mail (legitimate or not) on behalf of their domain. Other options for the p= field are "quarantine" and "reject". » quarantine » will set messages aside for further processing; In most cases, this means it will be sent to the spam folder. “Reject” will stop messages directly.
“Rua = mailto: email@example.com ” This part tells the receiving server where to send aggregated DMARC failure reports. These aggregated reports are sent daily to the administrator of the domain to which the DMARC record belongs. They include high-level information about DMARC failures, but do not provide granular details about each incident. It can be any email address you choose.
“Ruf = mailto: dmarc@sendgrid .com” This part tells the receiving server where to send DMARC forensic crash reports. These forensic reports are sent in real time to the administrator of the domain to which the DMARC record belongs. These forensic reports contain details about each individual failure. This email address must be from the domain for which the DMARC record is published.
“Rf = afrf” This part tells the receiving server what type of report the policyholder wants. rf means report format. In this case, rf = afrf means added crash report format.
«Pct = 100» This part tells the receiving server how much of its mail should be subject to the DMARC policy specifications. In this case, if p = was set to reject, 100% of the mail that failed DMARC would be rejected.
There are several other mechanisms that can be included in a DMARC record. Here are a few:
“Sp =” This part would tell the receiving server whether or not to apply the DMARC policy to subdomains.
«Adkim =» Sets the DKIM alignment. It can be set to "s" for strict or "r" for relax. Strict means that the DKIM portion of the DMARC authentication will only pass if the d= field in the DKIM signature EXACTLY matches the from domain. If set to relaxed, messages will pass the DKIM portion of DMARC authentication if the DKIM d= field matches the root domain of the source address.
«Ri =» This sets the interval for how often you want to receive aggregated failure reports from DMARC.