Zimbabwe and regional technology news and updates


What is a DMARC policy, and why should I set it up anyway?

What to do?

Over the past several weeks we have been looking at how you can set up your own email server and some of the things you need to do if you want to enhance your email experience as a startup and to make sure your emails reach their intended inboxes.

We have looked at how you can set up an SPF record as well as how you can set up DKIM signing and verification. In addition, we have also looked at how you can set up your server to use TLS encryption using free certificates from StartSSL.

Today we will be looking at how you can set up a DMARC record.

Just what the heck is a DMARC record?

It is an acronym which expands to: “Domain-based Message Authentication, Reporting & Conformance”. The term was created by a group of stakeholder organisations such as Google and Yahoo! to help solve the email spam problem. DMARC provides the sender with a way to instruct receiving MTAs on the sender’s preferred spam policy.

As has already been established, anyone can forge your email headers and pretend to be you. Setting up SPF and DKIM signing on your email server makes it nigh impossible for spammers to do this credibly. DMARC allows you, for example, to tell servers receiving your emails what to do when they receive emails purporting to be from you that fail either SPF or DKIM checks.

Should they reject such emails outright, or should they just mark such messages as spam and receive them anyway? You can even tell receiving servers to just accept these offending messages anyway, although only God knows why you would want to do this.


Before you can set up a DMARC policy record you will need three things:

  • A working SPF record for the domain you want to set up the DMARC record for. If you have not yet done so, you can follow an earlier guide here. I should warn you: for a DMARC record to make any sense at all you need at least a “~all”, and preferably a “-all”, directive in your SPF record, otherwise there will be no point in even setting up the DMARC policy. It would be like putting up fencing poles without the fence.
  • DKIM should be set up and working. See an earlier guide here.
  • An email address. Preferably two: one for the domain that you are creating the DMARC record for and one from another domain to receive the DMARC reports.

Setting up the record

Below is a DMARC policy that would be adequate for most people.

v=DMARC1; p=quarantine;;; adkim=s; aspf=s; pct=100

All you need to do is to change to your actual email address. This email address’s domain should match the domain for which you are setting up the DMARC record. The second address can be any other email address that you have. You should note however that the second email address should also have a DMARC record set up for its domain. This is not a big deal if it’s a Yahoo!, Hotmail or Gmail address as these companies have already set up their relevant DMARC policy records.

Now let us look at what each one of these directives means:

  • v - specifies the version of DMARC in use. Currently, this should always be set to DMARC1.
  • p - tells the receiving server what to do with emails that fail to meet the specifications of the policy. The directive can be set to none, which means no action is taken. This is useful if you want to receive reports on how your domain name is being used, e.g. how many emails have been sent to Gmail addresses using your domain. The policy can also be set to quarantine, which may mean messages that fail checks are marked as spam or subjected to further checks. Setting the policy to reject results in messages being rejected. You should only use this option if you have correctly set up your SPF and DKIM records, otherwise legitimate emails may be rejected by receiving servers. As always, these directives are treated as advice by receiving servers, which may or may not follow your policies.
  • rua - is the email address where aggregate reports are sent. These are summary reports of emails sent in your name and related statistics.
  • ruf - is the email address where forensic (detailed) reports are sent. These reports are typically more in-depth than typical rua reports, although sometimes they tend to be the same as rua reports.
  • adkim - is the alignment mode for DKIM, i.e. it tells receiving servers what to do if an email fails DKIM checks. This can be set to strict, which means all emails failing DKIM checks are treated as having failed their checks and should be treated according to the policy set above. It could also be set to relaxed.
  • aspf - this is the SPF alignment policy and tells the receiving servers what to do when an email fails SPF checks. Like with the adkim part, it can be set to strict or relaxed.
  • pct - tells the receiving servers what percentage of your messages you want to be checked for compliance with your DMARC policy. Unless you are testing something, you should always set this to 100 or just leave it out altogether, as the default is 100.

NB setting both the adkim and aspf to relaxed is the equivalent of setting p to none as all messages will be accepted as per your directive. It’s the equivalent of having no DKIM and SPF record as both are only checked. You should set either of these directives or all of them to strict.

To create your own record you can use the wizard provided here. You will note that there are other directives that we have purposefully ignored; for example, you can set up the formats of the reports and report intervals. The default is one report every 86400 seconds (one day). You can set this to one week (604800 seconds) or whatever the heck you want, even one year (3.156e+7).

Once you have created the necessary directives you can set up your DMARC record by creating a TXT record for the subdomain and pasting everything, including the quotes, into the value section. The record starts with an underscore.
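Before publishing, the TXT value can be checked against the directives described above. The following is an added example, not part of the original article: lint_dmarc is a hypothetical helper, PAGE_RECORD is the record as printed on this page, and FULL_RECORD is a constructed record whose example.com and example.net addresses are placeholders.

```python
import re

ENUMS = {"p": {"none", "quarantine", "reject"}, "adkim": {"r", "s"}, "aspf": {"r", "s"}}
# Report URI: mailto: address with the optional "!10m" size limit from RFC 7489.
MAILTO = re.compile(r"^mailto:[^@\s,;!]+@[^@\s,;!]+(![0-9]+[kmgt]?)?$", re.I)

# The record exactly as shown above, and a constructed complete one
# (the example.com / example.net addresses are placeholders).
PAGE_RECORD = "v=DMARC1; p=quarantine;;; adkim=s; aspf=s; pct=100"
FULL_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
               "ruf=mailto:dmarc@example.net; adkim=s; aspf=s; pct=100")


def lint_dmarc(txt):
    """Return (tags, problems) for the value of a DMARC TXT record."""
    tags, problems = {}, []
    parts = [p.strip() for p in txt.strip().strip('"').split(";")]
    if parts[-1] == "":
        parts.pop()  # a single trailing ';' is allowed
    for part in parts:
        name, sep, value = (s.strip() for s in part.partition("="))
        if not part:
            problems.append("empty tag (stray ';')")
        elif not (sep and name and value):
            problems.append(f"malformed tag {part!r}")
        elif name.lower() in tags:
            problems.append(f"duplicate tag {name}")
        else:
            tags[name.lower()] = value
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p tag")
    for name, allowed in ENUMS.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} not in {sorted(allowed)}")
    pct = tags.get("pct", "100")
    if not (re.fullmatch(r"[0-9]{1,3}", pct) and int(pct) <= 100):
        problems.append(f"pct={pct} is not an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in filter(None, tags.get(name, "").split(",")):
            if not MAILTO.match(uri.strip()):
                problems.append(f"{name}: {uri.strip()!r} is not a mailto: URI")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will arrive")
    return tags, problems
```

Run against PAGE_RECORD it reports the two empty tags and the missing rua address; FULL_RECORD passes cleanly.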

Reading DMARC reports

DMARC reports are usually zipped and in XML format. To read them easily you can upload the zipped folders to this page and have them converted into human-friendly format.
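Aggregate reports can also be read locally rather than uploaded to a third-party page. The following is an added example, not part of the original article: it assumes the aggregate report layout from RFC 7489 (feedback / record / row elements), the function names and the 5 MB cap are hypothetical choices, and SAMPLE is a constructed report using documentation addresses.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import Counter

MAX_XML = 5 * 1024 * 1024  # assumed cap; reports arrive from third parties
# Constructed sample report (documentation addresses), not real data.
SAMPLE = b"""<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>12</count><policy_evaluated>
<disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>203.0.113.7</source_ip><count>3</count><policy_evaluated>
<disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def extract_xml(blob):
    """Return the XML from a .zip, .gz or plain attachment, size-capped."""
    data = blob
    if blob[:2] == b"PK":  # zip archive: read at most MAX_XML + 1 bytes
        with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(zf.infolist()[0]) as fh:
            data = fh.read(MAX_XML + 1)
    elif blob[:2] == b"\x1f\x8b":  # gzip stream
        data = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML + 1)
    if len(data) > MAX_XML or b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("oversized report or DTD present; refusing to parse")
    return data


def summarize(blob):
    """Count messages per (source_ip, header_from, disposition, dkim, spf)."""
    root = ET.fromstring(extract_xml(blob))
    for el in root.iter():
        el.tag = el.tag.rpartition("}")[2]  # some senders add an XML namespace
    totals = Counter()
    for rec in root.iter("record"):
        key = (rec.findtext("row/source_ip"), rec.findtext("identifiers/header_from"))
        key += tuple(rec.findtext(f"row/policy_evaluated/{t}") for t in ("disposition", "dkim", "spf"))
        totals[key] += int(rec.findtext("row/count", "0"))
    return totals


def unauthenticated(blob):
    """Messages per source IP where both DKIM and SPF failed DMARC evaluation."""
    out = Counter()
    for (ip, _frm, _disp, dkim, spf), n in summarize(blob).items():
        if dkim == spf == "fail":
            out[ip] += n
    return out
```

Sources returned by unauthenticated() are either forgeries or legitimate senders missing from your SPF and DKIM setup, which is worth settling before moving p to reject.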