How to craft a custom DMARC record
All about DMARC records
Lachlan
Last Update 6 months ago
This topic covers processes relating to a cPanel service.
You will need to be logged into the cPanel account to follow the steps.
If you're not sure how to access your cPanel service — please, follow this guide before continuing: How do I Login to cPanel?
If your domain's DNS records are managed here with us, you can follow the steps in this guide to add a DMARC to your DNS zone.
If you just need a basic DMARC record for your domain, you can use this guide: 'How to add a DMARC Record to my Domain'
However, if you need to craft an advanced custom DMARC record you can use the information about DMARC records at the end of this guide, along with the Zone Editor tool in cPanel.
1. First, login to cPanel
2. Navigate to the ‘Zone Editor’ tool located under the "Domains" sub-menu
3. Next, locate the domain you want from the list and click the ‘Manage’
button
4. Next, click the small down arrow on the ‘Add Record’ button.
5. Then, choose ‘Add DMARC Record’ from the list.
6. Click the 'Optional Parameters' drop-down to reveal settings that correlate to the DMARC tags listed in the table below.
7. Choose the tags that are best suited to your organisation's requirements and the DMARC tool will generate the record automatically.
8. Click the 'Save Record' button when you're done, to apply the record.
Please see below for more details on what each part of a DMARC record is used for.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, acts like a set of instructions given to other mail servers about how to handle your emails.
It uses SPF and/or DKIM to verify email. If an email fails SPF/DKIM checks, DMARC tells the recipient what to do with it – for example, reject it or quarantine it in the spam or junk folder.
DMARC also asks for reports from email receivers about how they're handling your emails, helping you know if someone is trying to impersonate your domain.
Anatomy of a DMARC record
A DMARC record consists of several parts known as ‘tags’. You can craft a DMARC record using different tags that suit your or your organisation's needs.
The table below shows the name and purpose of each tag.
| TAG | PURPOSE | EXAMPLE |
| v | This tag is required. Protocol version. Must be DMARC1. | v=DMARC1 |
| p | This tag is required. DMARC Policy. Instructs the receiving mail server on what to do with messages that don’t pass authentication.
| p=reject |
| adkim | This tag is optional. DKIM Mode. Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures.
| adkim=s |
| aspf | This tag is optional. SPF Mode. Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures.
| aspf=s |
| pct | This tag is optional. Percentage. Specifies the percentage of unauthenticated messages that are subject to the DMARC policy. | pct=20 |
| rua | This tag is optional. Aggreate Mail Reports. Email address to receive reports about DMARC activity for your domain. | rua=mailto:aggrep@example.com |
| ruf | This tag is optional. (not supported by Google) Failure Reports. Used to send failure reports. Failure reports are also called forensic reports. | ruf=mailto:authfail@example.com |
| sp | This tag is optional. Subdomain Policy. Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains. | sp=reject |