Forum Discussion
help with txt and DMARC Record
Need to add a TXT record for a vendor in our domain so that email can be sent. Also need to add DMARC for the same, for reporting.
5 Replies
- robertroot679 Copper Contributor
Great Information.
- Andres-Bohren Steel Contributor
I've explained in one of my blog articles how to add a DMARC record to Azure DNS:
https://blog.icewolf.ch/archive/2021/11/29/dmarc-advisor/
Basics of SPF, DKIM and DMARC (German)
https://blog.icewolf.ch/archive/2015/02/28/spf-dkim-dmarc/
Kind Regards
Andres
- Chris_toffer0707 Iron Contributor
DMARC is of type TXT.
SPF is also of type TXT.
Be aware that if a vendor sends mail on behalf of your domain, you most often need to have both SPF and DKIM set up properly for it to work as expected.
- kyazaferr Steel Contributor
Adding a TXT Record for Vendor Email (e.g., SPF or DKIM)
A TXT record is often used to define SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) for email sending, which allows email services to verify if an email sent from your domain is legitimate.
To add a TXT record for the vendor’s email:
- Log in to your DNS provider’s portal (this is typically your domain registrar or DNS management service).
- Navigate to the DNS settings for your domain.
- Add a new TXT record with the following details:
- Host/Name: @ or leave this blank (it depends on the DNS provider).
- Value/Content: You will get the exact value from your vendor, but here’s an example of what an SPF record might look like: v=spf1 include:vendor.com ~all
Adding a DMARC Record for Reporting
A DMARC (Domain-based Message Authentication, Reporting & Conformance) record helps to monitor and enforce email authentication for your domain. It tells email receivers how to handle non-authenticated emails (e.g., reject, quarantine, or none) and allows you to receive reports.
To add a DMARC record:
- Log in to your DNS provider’s portal.
- Navigate to the DNS settings for your domain.
- Add a new TXT record with the following details:
- Host/Name: _dmarc
- Value/Content: v=DMARC1; p=none; rua=mailto:email address removed for privacy reasons; ruf=mailto:email address removed for privacy reasons; sp=none; adkim=s; aspf=s;
- v=DMARC1: This is the version of DMARC.
- p=none: This policy tells email receivers to not take any action (just report) on messages that fail DMARC checks. You can change this to quarantine or reject later if you want to enforce the policy.
- rua=mailto:email address removed for privacy reasons: This email address will receive aggregate reports about DMARC activity.
- ruf=mailto:email address removed for privacy reasons: This email address will receive forensic reports (detailed reports on failed messages).
- sp=none: This policy applies to subdomains, and you can adjust it based on your needs (same options as p).
- adkim=s: This means strict alignment for DKIM.
- aspf=s: This means strict alignment for SPF.
After adding the DMARC record, DNS propagation may take some time as well.
Summary of Steps:
- Add a TXT record to authorize the vendor's email service (SPF or DKIM).
- Add a DMARC TXT record to monitor and report on email authentication results.
Example DNS Records:
- SPF TXT Record for Vendor: v=spf1 include:vendor.com ~all
- DMARC TXT Record: v=DMARC1; p=none; rua=mailto:email address removed for privacy reasons; ruf=mailto:email address removed for privacy reasons; sp=none; adkim=s; aspf=s;
- Andres-Bohren Steel Contributor
You should not use SPF "~all" (SoftFail).
Please use "-all" (HardFail) if you use SPF.
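A pre-publication check for the two record types discussed in this thread, added here as an example that is not part of any reply: it parses a DMARC TXT value into tags, validates the tag values described above, and reports which qualifier an SPF record puts on "all". The function names, the sample records and the address dmarc-reports@example.com are constructed for illustration.

```python
import re

DMARC_POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}  # relaxed / strict

# Constructed samples modelled on the records quoted in the thread.
DMARC_SAMPLE = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
                "ruf=mailto:dmarc-reports@example.com; sp=none; adkim=s; aspf=s;")
SPF_SAMPLE = "v=spf1 include:vendor.com ~all"

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt):
    """Return a list of findings for the TXT value published at _dmarc.<domain>."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        return ["record must start with v=DMARC1"]
    tags, findings = parse_dmarc(txt), []
    policy = tags.get("p", "").lower()
    if policy not in DMARC_POLICIES:
        findings.append("p= missing or invalid")
    elif policy == "none":
        findings.append("p=none is monitor-only; no action requested on failing mail")
    if "sp" in tags and tags["sp"].lower() not in DMARC_POLICIES:
        findings.append("sp= invalid")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT_MODES:
            findings.append(f"{tag}= must be r or s")
    if "rua" not in tags:
        findings.append("no rua=; aggregate reports will not be sent")
    elif any(not u.strip().lower().startswith("mailto:") for u in tags["rua"].split(",")):
        findings.append("rua= contains a non-mailto URI")
    return findings

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?') or None."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare "all" defaults to "+" (Pass)
    return None
```
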