The short answer is that DMARC uses a TXT (text) record. This is a type of DNS record that lets you store text-based information for sources outside your domain to read.
While there are many different types of DNS records like A, CNAME, and MX, the TXT record is uniquely suited for services like DMARC, SPF, and DKIM. Its purpose is to hold human-readable or machine-readable text, which is perfect for publishing a policy that mail servers can understand and enforce.
This flexibility is key. It allows domain owners to define a clear, structured policy using a standard and widely supported DNS record type.
A DMARC record isn't just any TXT record. To work correctly, it must follow a specific format and be published at a specific hostname: _dmarc.yourdomain.com. The underscore is required and signals to receiving mail servers where to look for your domain's DMARC policy.
The value of this TXT record is a string of text made up of tags separated by semicolons. Each tag defines a part of your DMARC policy. Here are the most important ones:
So, a basic DMARC record might look like this in your DNS settings:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
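As an added example (not part of the original article), the Python code below builds the _dmarc hostname for a domain and checks a TXT value against the tag format described above. The function names are hypothetical, the sample records are constructed, and the two rules it enforces (v=DMARC1 must be the first tag, p must be none, quarantine or reject) follow RFC 7489.

```python
# Added example: parse and sanity-check a DMARC TXT record value.
VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_hostname(domain):
    """Return the DNS name where the DMARC TXT record for `domain` is published."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(txt_value):
    """Split a DMARC TXT value into a dict of tags; raise ValueError if malformed."""
    tags, order = {}, []
    for part in txt_value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError("tag without '=': %r" % part)
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name] = value
        order.append(name)
    # A record that does not begin with v=DMARC1 is not a DMARC record at all
    # (for example an SPF record published at the wrong name).
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p must be one of none, quarantine, reject")
    if "rua" in tags:
        # rua may list several report addresses separated by commas
        tags["rua"] = [u.strip() for u in tags["rua"].split(",") if u.strip()]
    return tags


def check(txt_value):
    """Return (ok, detail) so a batch of records can be audited in one loop."""
    try:
        return True, parse_dmarc(txt_value)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values, not real DNS answers.
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com",
        "p=reject; v=DMARC1",                    # version tag not first
        "v=DMARC1; p=monitor",                   # unknown policy value
        "v=spf1 include:_spf.example.com ~all",  # an SPF record, not DMARC
    ]
    print(dmarc_hostname("yourdomain.com"))
    for s in samples:
        print(check(s))
```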
DMARC doesn't operate in a vacuum. It works alongside two other email authentication standards, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), both of which also use TXT records. This shared foundation is what makes the system cohesive.
By using TXT records for all three protocols, you can manage your entire email authentication setup directly within your domain's DNS. This centralized approach simplifies administration and ensures that receiving mail servers have a single, authoritative source to check when verifying the authenticity of your emails. The DMARC record, specifically, acts as the capstone, telling servers how to interpret the results of SPF and DKIM checks and what to do if they fail.