Creating DMARC Record to Protect Your Domain Name From Email Spoofing

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol that is designed to give email domain owners the ability to protect their domain from unauthorized use, such as email spoofing.

Here are the steps to create a DMARC record on Ubuntu:

  • Determine your DMARC policy: Decide what you want to happen to messages that do not pass DMARC checks. The DMARC policy can be set to “none”, “quarantine”, or “reject”. The “none” policy will simply monitor your email traffic, while “quarantine” and “reject” policies will mark or reject messages that fail DMARC checks.
  • Create a DMARC record: Create a DNS TXT record in your domain’s DNS zone file. The TXT record should be named “_dmarc” and should contain the DMARC policy and some other configuration settings. Here is an example DMARC record: IN TXT "v=DMARC1;p=reject;;;fo=1;adkim=s;aspf=s;sp=reject;"

In this example, the “v” field specifies the DMARC protocol version, the “p” field specifies the DMARC policy as “reject”, the “rua” field specifies the email address where DMARC reports should be sent, and the “ruf” field specifies the email address where forensic DMARC reports should be sent. The “fo” field specifies the type of forensic DMARC reports that should be sent, and the “adkim” and “aspf” fields specify how email authentication should be handled. The “sp” field is used to set the policy for subdomains.

  • Publish the DMARC record: Save the DMARC record to your domain’s DNS zone file and publish it to the DNS servers. You can use a DNS management tool to create and publish the DMARC record.
  • Monitor DMARC reports: Once your DMARC record is published, you can start monitoring DMARC reports to detect any unauthorized use of your domain. The reports will be sent to the email address specified in the “rua” field of the DMARC record.

How to Create DMARC Record

DMARC policies are published as a TXT record in DNS.

Step 1: create SPF and DKIM records

Before Creating DMARC record, you must have SPF & DKIM record published.

Step 3: Setting up the DMARC record

Go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:


(This above line is the minimum requirement for DMARC record.)

You can check your DMARC record from Linux terminal with the following command:

dig txt +short

There’s another command-line tool (opendmarc-check) that you can use to check DMARC record. It’s provided by the opendmarc package.

sudo apt install opendmarc

opendmarc-check queries the DNS for a DMARC record for the named domain and then translates the content found to a human-readable form.

If you have a domain name that’s not going to send emails, you should use p=reject policy.

v=DMARC1; p=reject; pct=100;


A good service for DMARC test is EasyDmarc

Another way to test DMARC is send an email from your domain to your Gmail account. If DMARC is configured correctly then you will see dmarc=pass in the authentication-results header. (To view email headers in Gmail, click the Show Original button, which can be found in the drop-down menu on the right side of an opened email.)












Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Liked this post? Share with others!

Do you want to boost your business today?

This is your chance to invite visitors to contact you. Tell them you’ll be happy to answer all their questions as soon as possible.