A DMARC record is where DMARC rulesets are defined. It is a security protocol that will prevent fraudulent entities from misusing your domain to send emails. This record informs Internet service providers whether a domain is set up to use DMARC. DMARC record generator tool KDMARC helps in setting up these records that contain DMARC policies and should be placed within your DNS.
In the beginning, organizations often face confusion in following instructions that are meant for setting up records. This can include issues related to syntax and content. One of the most frequent mistakes is the improper use of wildcard domain name system entries. With the help of this tool, DMARC records can be set appropriately for your email domain. These entries can return both non-DMARC and DMARC records (including DKIM keys and SPF records). These records are stored in the form of a TXT record with ‘_dmarc’.
DMARC tags help email receivers to check for DMARC and handle messages that fail the DMARC authentication. Following are the tags that are used in the TXT record.
v: This tag identifies the record that has been retrieved as a DMARC record. This tag must be first listed in DMARC record and its value must be DMARC1.
p: ‘p’ tag indicates that the requested policy that your mailbox providers should apply when an email fails the DMARC authentication and alignment checks.
With DMARC record generator and analyser tool KDMARC, these policies can be appropriately set for your email domain. Let’s take a detailed look at these policies.
rua: mailto:email@example.com: This tag allows mailbox providers to know where exactly you want the aggregate reports to be sent. These reports contain higher-level information and help in identifying potential authentication issues or malicious activities that can harm the email domain.
fo: This helps the mailbox provider know that you want the samples of emails that have either failed both SPF and DKIM checks or anyone of the two. There are four value options available:
sp: This indicates a requested policy for all subdomains when an email fails the DMARC authentication and alignment checks. This tag is very effective when the domain owner wants to specify different policies for primary domain and subdomains. In case this tag is not used for
subdomains, the policy that has been set using the p tag will apply to the primary domain and its subdomains.
dkim: This tag indicates either a strict or relaxed DKIM identifier alignment. The relaxed alignment is set as default.
spf: It indicates either strict or relaxed SPF identifier alignment. The default alignment is relaxed.
pct: This tag allows the gradual implementation of the policy and to test its impact.
ruf: mailto:firstname.lastname@example.org: It allows mailbox providers to know where you want your forensic reports to be delivered. These reports are detailed and are to be delivered almost immediately once DMARC authentication failure has been detected. However, most of the mailbox providers do not send them due to privacy and performance concerns.
rf: It provides a format for forensic reports.
ri: The ri tag corresponds to the aggregate reporting interval and provides DMARC feedback for outlined criteria. Participating mailbox providers that can send more than one aggregate report in a day will provide more frequent reports.
With DMARC record generator and analyzer tool KDMARC, organizations can ensure that the DMARC record is properly set up for their email domain as well as a check DMARC record. This will ensure that any attempt to misuse the domain is effectively prevented.