Spammers can forge the “From” address on email messages to make them appear as though they originate from your domain. When spammers use your domain to send junk email, it negatively affects your domain’s reputation. People who receive these fraudulent emails may mark them as spam, which can impact the delivery and perception of legitimate messages sent from your domain.
To combat this, Gmail and other email services support Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC allows domain owners to define a policy for handling suspicious emails that appear to come from their domain.
What is DMARC?
DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols, adding an extra layer of protection. DMARC ensures that the “From” domain in the email matches the sending server’s domain and provides policies on how to handle authentication failures.
How DMARC Works
DMARC helps email senders and receivers verify messages and establish a policy for dealing with suspicious ones. If an incoming email fails SPF or DKIM checks, DMARC will define what happens. Here are the common actions DMARC can enforce:
- Take no action (log the suspicious message for further review).
- Mark the message as spam (quarantine it).
- Reject the message entirely, so it doesn’t reach the recipient.
Set Up DMARC After SPF and DKIM
To set up DMARC, we recommend first implementing SPF and DKIM. These protocols help verify whether a message comes from an authorised server. If a message fails SPF or DKIM checks, DMARC can step in to define further actions.
DMARC and Third-Party Email Providers
If your organization uses third-party email providers, DMARC can sometimes flag those messages as suspicious if they are not correctly authenticated. To avoid this issue, you can:
- Share your DKIM key with the third-party provider so they can sign outgoing messages with it.
- Ask the provider to send emails through your domain’s authorized servers.
DMARC Filtering Examples
For more detailed examples of how DMARC handles email filtering, you can review the SPF and DKIM sections of the DMARC specification.
Tips for Using DMARC
Here are some tips to help you implement DMARC more effectively:
- Set up DMARC to send daily reports, detailing how often messages from your domain pass or fail authentication checks.
- Adjust your DMARC policy based on report findings. For instance, if valid emails are consistently authenticated, you can move from a “monitor” policy (p=none) to “quarantine” or even “reject.”
- Your DMARC policy can be strict or relaxed, depending on your needs. High-profile companies like PayPal and eBay enforce strict authentication requirements, rejecting any unauthenticated messages.
- Gmail and other email services will handle the DMARC check for recipients, so no additional action is required on their part.
Start Using DMARC
If you’re ready to protect your domain, start by following Google’s guide on adding a DMARC record to your DNS settings.
Add a DMARC Record
To set up DMARC for your domain, follow these steps to create a TXT record. DMARC policies determine how your domain handles suspicious emails by using specific tags within the DNS record.
Set Up SPF and DKIM First
Ensure you have SPF and DKIM configured before adding a DMARC record, as DMARC builds on these authentication methods.
Example DMARC TXT Records
Here are some example DMARC records you can modify for your domain:
- Take no action:
"v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"
- Quarantine suspicious messages:
"v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com"
- Reject unauthorized messages:
"v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com"
For more detailed steps on how to create and deploy DMARC records, check out the full documentation on Google’s Support Page.
How to Implement a DMARC Record in cPanel
Here’s a step-by-step guide to help you implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record in cPanel:
Step 1: Log in to cPanel
- Navigate to your hosting provider’s login page and enter your username and password to access cPanel.
Step 2: Access Zone Editor
- Once logged in, scroll down to the Domains section.
- Click on Zone Editor.
Step 3: Find Your Domain
- In the Zone Editor, locate the domain where you want to implement the DMARC record.
- Click the Manage button next to the domain name.
Step 4: Add a DMARC Record
- Click on the Add Record button at the top-right corner.
- Select Add “TXT” Record.
Step 5: Input the DMARC Record
- Name/Host: Enter
_dmarc.yourdomain.com
(replace “yourdomain.com” with your actual domain). - TTL: Set the Time to Live (TTL) to 14400 (default is usually fine).
- Type: Make sure it’s set to TXT.
- Record: Input your DMARC policy here. A basic DMARC policy looks like this:
v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100
- p=none: This means no action will be taken on suspicious emails (for monitoring purposes). Change it to
p=quarantine
orp=reject
when ready to take action on suspicious emails. - rua=mailto:postmaster@yourdomain.com: This specifies where to send aggregate reports (replace with your email address).
- ruf=mailto:forensic@yourdomain.com: This specifies where to send forensic reports (optional).
- pct=100: This applies the policy to 100% of your email traffic. You can adjust this number as needed.
Step 6: Save the Record
- After entering the details, click Add Record or Save.
Step 7: Verify Your DMARC Record
- Wait for DNS propagation (which can take up to 48 hours).
- Use an online DMARC checker tool, such as MXToolbox DMARC Checker, to verify that your DMARC record has been added correctly.
By following these steps, you will have successfully added a DMARC record to your domain via cPanel!
Related Articles
For more information on email security, check out these articles:
- Control Unauthenticated Mail from Your Domain
- Email Authentication
- SPF Records
- Authenticate Email with DKIM
Handy Links for DMARC Setup
These resources can help you set up and validate your DMARC, SPF, and DKIM records:
- DMARC Record Generator
- DMARC Checker
- Check MX, SPF, DKIM Records (Google-specific)
- DMARCian — an excellent tool for verifying correct DMARC setup and viewing reports on mail processing and failures