This topic describes how to configure a DMARC record.
1. DMARC
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. You can set up a DMARC record to prevent others from forging your company's domain and to obtain information about other people's attempts to forge it.
When a recipient (whose MTA must support the DMARC protocol) receives an email sent from your company's domain, it performs DMARC verification. If the verification fails, a report is sent to the email address set in the DMARC record value.
2. Parameter Description
TXT="v=DMARC1;p=quarantine;pct=0;ri=3600;rua=mailto:abc@example.net;ruf=mailto:abc@example.net"
p: The action that the domain owner wants the recipient to take when a forged email is received. Valid values are none, quarantine and reject.
p=none: Permit all mail from your domain, even if the mail is not verified by DMARC.
p=quarantine: Quarantine a portion of the mail that fails DMARC verification, usually in the trash. The pct parameter (100 by default) sets the percentage of mail failing DMARC verification that is quarantined.
p=reject: Perform a strict reject, rejecting all unauthenticated mail.
rua: The address used to receive summary reports from receiving service providers.
ruf: The address used to receive the details of rejections by the receiving service provider.
sp: The subdomain policy (similar to p, but effective for subdomains). If a DMARC policy with sp is configured for the main domain, it also takes effect for the subdomains.
ri: The requested interval between summary reports (plain text 32-bit unsigned integer; optional; default is 86400). The receiver is asked to generate summary reports at intervals of no more than the specified number of seconds.
adkim: The DKIM alignment mode. Not specified or r is loose; s is strict. Loose allows subdomains; strict requires strict alignment.
aspf: The SPF alignment mode. Not specified or r is loose; s is strict. Loose allows subdomains; strict requires strict alignment.
v: The version (plain text; required). The value is "DMARC1", and it must be used as the first tag.
fo: Failure reporting options (plain text; optional; default is 0), given as a colon-separated list. If "ruf" is not specified, the content of this tag is ignored. We suggest pairing it with "p=none" for observation testing; setting it to 1 will cause reject to not take effect.
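The tag rules above can be checked mechanically before a record is published. The following Python linter is an added example, not code from Alibaba Cloud; the function names and BAD_RECORD are hypothetical, and it assumes report addresses are mailto: URIs as in the records on this page.

```python
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return findings for one record ([] = none). Assumes mailto: report URIs."""
    pairs = parse_dmarc(txt)  # raises ValueError on a tag without '='
    tags, findings = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    for name in ("p", "sp"):  # p is required, sp is optional
        if (name == "p" or name in tags) and tags.get(name) not in POLICIES:
            findings.append(f"{name} must be none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r") not in ("r", "s"):
            findings.append(f"{name} must be r or s")
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) == 0 and tags.get("p") in ("quarantine", "reject"):
        findings.append("pct=0: the requested policy applies to 0% of failing mail")
    ri = tags.get("ri", "86400")
    if not ri.isdecimal() or int(ri) > 2**32 - 1:
        findings.append("ri must be a 32-bit unsigned integer")
    for name in ("rua", "ruf"):
        for uri in filter(None, tags.get(name, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{name} entry is not a mailto: URI")
    if "fo" in tags and "ruf" not in tags:
        findings.append("fo is ignored because ruf is not set")
    return findings

# The two records shown on this page, plus one constructed bad record.
PAGE_EXAMPLE = "v=DMARC1;p=quarantine;pct=0;ri=3600;rua=mailto:abc@example.net;ruf=mailto:abc@example.net"
SETUP_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc_report@example.net"
BAD_RECORD = "p=block; v=DMARC1; aspf=x; fo=1"  # constructed for illustration

if __name__ == "__main__":
    for record in (PAGE_EXAMPLE, SETUP_RECORD, BAD_RECORD):
        print(record, "->", lint_dmarc(record) or "ok")
```

The parameter example with pct=0 is flagged because a quarantine policy at 0% quarantines no failing mail, while the record from the setup table passes cleanly.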
3. How to Setup
1. Before setting up a DMARC record, you must ensure that the following SPF record has been set up: "v=spf1 include:spf1.dm.aliyun.com -all", or that the DKIM protocol has been configured according to the DKIM value given by the Console.
2. After the SPF record is set, the following DMARC record can be set:
Host record | DNS record type | Record value |
_dmarc | TXT | v=DMARC1; p=quarantine; rua=mailto:dmarc_report@example.net |
Notice
In the record value, "dmarc_report@example.net" means that Direct Mail collects the DMARC report emails by default. If you need to view a specific report, you need to enter an email address of the same organization (which can be a subdomain email address) that sends and receives emails normally.
If your domain was not purchased from Alibaba Cloud, we recommend that you consult the service provider from which the domain was bought.
Adding Method:
The following uses Alibaba Cloud DNS as an example:
1. Log on to the Alibaba Cloud DNS console and select the domain that you want to resolve. Click Resolution Settings to go to the Resolution Settings page.
2. On the Resolution Settings page, click "Add Record", fill in the record and click "Confirm".
Example:
Record type: TXT
Host: @
The following figure shows an example of adding a DMARC record:
4. How to Query DMARC Records
Query DMARC records with the dig command or the nslookup command:
Linux: % dig _dmarc.domain(queried domain) txt
Windows: nslookup -qt=TXT _dmarc.domain(queried domain)