DMARC Records

From HE FAQ

This information only pertains to Hurricane Electric's Shared Web Hosting package. There may be different information in our other categories.

This document explains what a DMARC record is, why you might want one, and how to create one.

What is DMARC?

DMARC ("Domain-based Message Authentication, Reporting & Conformance") is a set of rules that email providers can use to determine what to do with emails that fail your SPF and/or DKIM checks, and who to report the results to.

Why might I want a DMARC record?

Some email providers, notably Google, may penalize your domain for not having a DMARC record, and may be more likely to treat emails from you as spam if you don't have one. Creating a DMARC record can also provide you with feedback about who is sending emails using your domain name, legitimately or otherwise.

How do I create a DMARC record?

Note that these instructions will only work if you are using Hurricane Electric for DNS and already have SPF and/or DKIM set up.

  1. Log into admin.he.net.
  2. Choose or create an email address at your own domain to receive reports about SPF and DKIM failures (when someone tries to send an email that looks like it came from your domain, but was in fact sent from an unauthorized source).
  3. Click on your domain name under "Active Domains For This Account".
  4. Click on the tab at the top that says, "New TXT".
  5. In the "Name" field, enter "_dmarc". Note the underscore at the beginning, which is required.
  6. In the "Text string" field, enter your DMARC record.
  • This will set your DMARC policy to "reject" which means that emails that do not pass SPF/DKIM validation should be rejected by recipient mail servers, and not delivered at all:
v=DMARC1; p=reject
  • This will set your DMARC policy to "quarantine" which means that emails that do not pass SPF/DKIM validation would likely end up in a "Junk" or "Spam" folder:
v=DMARC1; p=quarantine
  • You can also enable DMARC reporting if you would like to receive DMARC reports to see if emails are passing validation checks or not:
v=DMARC1; p=quarantine; rua=mailto:dmarcreports@example.com

Instead of "dmarcreports@example.com", use the email address you chose in Step 2.

  • If you want to only receive reports but not apply a "reject" or "quarantine" policy, you can set policy to "none" (p=none) and set the "rua" to the email address you created for collecting the reports.
  • If you want to apply your chosen policy to only a percentage of emails rather than all of them, set the percentage using "pct=". For example, use "pct=10" if you want only 10% of the emails to get processed.
  • With "pct=10", the receiving email server checks 10% of emails from your domain to see if they match your SPF and/or DKIM restrictions, and applies the policy you set. If you set "rua" to send reports to an email address, it will also notify you if emails fail the SPF/DKIM checks.
  • You can adjust the percentage of emails to process by increasing or decreasing the number after the "pct=" part of the record. If you do not include "pct", the DMARC policy will apply to 100% of emails.
  • If you want to reduce the risk of people receiving spoofed emails appearing to come from your domain, use "p=quarantine" (send to the Spam/Junk folder) or "p=reject" (do not accept the email at all) instead of "p=none". If you use "pct", do not set "pct=0", as that would cause 0% of emails to be processed.

You can find more information, including more options you can add to fine-tune DMARC's behavior and what kinds of reports you get, at https://dmarc.org/overview/.
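
Before pasting a record into the "Text string" field, it can be checked for the mistakes described above. The following is an added example, not Hurricane Electric's own tooling; the function names `parse_dmarc` and `lint_dmarc` are hypothetical, and it only covers the tags discussed on this page (v, p, rua, pct).

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT string into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (tags, warnings) for the tags covered on this page: v, p, rua, pct."""
    tags = parse_dmarc(record)
    warnings = []
    # The version tag has to be the first tag and exactly "DMARC1".
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
        warnings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        warnings.append("p must be none, quarantine or reject")
    elif policy == "none":
        warnings.append("p=none: reports only, no quarantine or reject")
    # pct is optional; leaving it out means 100% of emails.
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        warnings.append("pct must be a whole number from 0 to 100")
    elif int(pct) == 0:
        warnings.append("pct=0: policy applied to 0% of emails")
    if "rua" not in tags:
        warnings.append("no rua: no DMARC reports will be sent to you")
    elif not all(u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        warnings.append("rua should use the mailto: form shown on this page")
    return tags, warnings

if __name__ == "__main__":
    # Constructed sample inputs; the address is the page's placeholder.
    for rec in ("v=DMARC1; p=quarantine; rua=mailto:dmarcreports@example.com",
                "v=DMARC1; p=none; pct=0"):
        print(rec, "->", lint_dmarc(rec)[1])
```

An empty warning list means the record has a valid enforcing policy, a usable "pct", and a report address.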

How do I create a DKIM record?

DKIM requires that some work be done at Hurricane Electric's end, so please send an email to support@he.net asking for a DKIM record, and we'll set one up for you.