Understanding DMARC DNS Records: A Simple Guide for Everyone


Imagine someone (pretending to be you or someone in your company) sends a fake bill to your customers, tricking them into paying money for a job you never did. Or they might send an email asking your customers to click on a link that leads to a website with a harmful virus that can mess up their computers.

Think of it like this: A con artist convinces your customers they need to pay for some urgent work you supposedly did. Since the message looks like it’s coming from you, your customers might believe it’s real and end up falling into the trap.

In trying to make the payment, they’re directed to a fake website that looks a lot like a legitimate payment site. But as soon as they try to pay, the fake site steals their credit card details or other personal information.

This kind of trickery is more than just annoying; it can lead to serious problems, like your customers losing their hard-earned money to these frauds or having their personal information stolen. It’s a sneaky way for scammers to take advantage of the trust you’ve built with your customers.

You need to protect your domain with DMARC!
It’s free, but it can be complicated and confusing.


Let’s break DMARC down in simple terms…

1. What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s a fancy way of saying it’s a set of instructions for your email that helps prevent spam and phishing attacks. It’s like a bouncer at a club, checking IDs before letting anyone in.

2. Why DMARC Matters

If you’ve ever received a sketchy email pretending to be from a bank or a known company, that’s exactly what DMARC aims to stop. It helps to make sure that the emails you send and receive are genuine and not someone trying to impersonate someone else.

3. How DMARC Works

DMARC uses two other email authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to verify if an email is legitimate. You can think of SPF as a guest list and DKIM as a secret handshake. DMARC then tells email providers what to do if an email doesn’t pass these checks—like rejecting the email or putting it in the spam folder.

4. Setting Up DMARC

Setting up DMARC involves adding a record to your DNS (Domain Name System), which is essentially the internet’s phonebook. It’s a line of text that looks a bit technical but follows a simple format to instruct email providers on how to handle your emails based on the SPF and DKIM tests.

Deciding Your Domain’s DMARC Policy

Your DMARC policy can tell email providers to do nothing (monitor), quarantine suspicious emails (treat them as spam), or reject them outright. The choice depends on how cautious you want to be with your email security. Starting with a monitoring policy is a good way to see what’s happening without affecting your regular emails.


In a nutshell, DMARC DNS records are like adding a security system to your email. They help ensure that the emails you send and receive are trustworthy, reducing the risk of spam and phishing attacks. For anyone running a business, big or small, setting up DMARC is a step towards protecting your brand and your customers. Think of it as an investment in your digital safety.

Remember, you don’t have to be a tech wizard to set up DMARC. Just like you don’t need to know how to build a car to drive one, you don’t need to understand all the technicalities to use DMARC. Your web host or a digital security expert can help you set it up, ensuring your email’s integrity and your peace of mind.

Actual Records and What They Do:

Type of Record: TXT

Name: _dmarc

Content: v=DMARC1; p=none; rua=mailto:[email protected];

The “Content” Portion Broken Down and Explained:

v=DMARC1: This is just validation that it is a DMARC record.

p=none; This is the action. Options are (none, quarantine or reject)

rua=mailto: This is simply where/who to send the daily reports of events revolving around the DMARC actions. See more details in the box to the right (or below on mobile devices)

3 Options for DMARC Record Actions:

  1. p=none: This tells mailbox providers to take no specific action on emails that fail authentication. They will most likely be delivered unless it is very obviously spam. A p=none DMARC policy leaves the decision up to mailbox providers. (Not recommended)
  2. p=quarantine: This policy informs mailbox providers to send emails that fail authentication to spam or junk folders. These messages may also be blocked. (Best option, in our humble opinion)
  3. p=reject: This is the strongest DMARC policy value. It ensures all malicious email is stopped dead in its tracks. If a message fails DMARC when set to “reject” will not be delivered at all. (Most secure but can come with some bounced emails which can make you worry if everything is setup right. This option is good but only if you are prepared to read the bounce emails and understand them as the bounces happen.)

Confused yet?  🙂

Well, we know it’s complicated and if you’re a client of Modern Web Studios, then you’re in luck! Give us a call and we can talk you through this whole thing. If you’re NOT a Modern Web Studios client, then why not!? Give us a call anyway and we can still help you make this decision and help you understand what is best for your situation, because not all businesses need the same settings!

(888) 987-7771
or email us at [email protected]