DMARC

Created: 2024-02-19, Updated: 2024-02-25

Warning

The example.com occurrence in the following content should be replaced with your own domain.

To prevent others sending spoofed email on my behalf, a strict DMARC rule should be imposed. What's more, popular email providers will check your DMARC record when you host your custom domain email on them.

Use rua to tell others deliver DMARC reports to your own mailbox. For domains without a mailbox, use Cloudflare DMARC monitor. You can do both by adding commas between them. Like:

rua=mailto:[email protected], mailto:[email protected]

change p=none to p=reject to tell email recipients reject the mail when validation fails, and append ; sp=reject; adkim=s; aspf=s; pct=100 at the end to enforce a strict aligning of DKIM and SPF validation on all emails from the domain and its subdomain, like:

v=DMARC1; p=reject; rua=mailto:<RANDOM_SHA1>@dmarc-reports.cloudflare.net; sp=reject; adkim=s; aspf=s; pct=100

Add it to the TXT Record of _dmarc.example.com.

DMARC works only when SPF and DKIM are set correctly.

For example, when you are NOT using your domain for emails, you can set up SPF and DKIM rules as shown below, so that email recipients will reject the email:

SPF: v=spf1 -all DKIM: v=DKIM1; p=.

Tip

When sp=reject; is added, the settings apply to subdomains too. But of course you can impose different rule on some subdomains, use _dmarc.sub.example.com, for example. And some email providers will ask for a dedicated record for the subdomain.