How to setup a DMARC record

Having had to set up most of the DMARC records in my day job. I've got some first-hand experience on just how stressful this can be. This kind of thing can be very intimidating, especially if you've never done it before.

This guide aims to be as simple as possible and will explain a few scenarios, such as how to handle setting up your DMARC when you're using Google Workspace (Gmail for business) and things like adding an SPF and DKIM records.

The intended audience for this guide are developers and business owners who might not have any experience in this area.

What is a DMARC record and why do I need one?

Domain-based Message Authentication, Reporting and Conformance (DMARC).

Still doesn't make much sense does it? Let's break it down...

DMARC is like a special rulebook for emails. It helps email senders (Imagine your business sending emails to your clients or suppliers) protect their messages and tells email receivers what to do if they find a suspicious email.

A suspicious email might be in the form of people trying to impersonate your business (spoofing) and then trying to get people to click on dodgy links in the emails they send.

With DMARC you can specify what you want to happen when these types of rogue emails end up in your contacts mailbox. You've got 3 options:

  1. Do nothing - and let the other person's mail provider decide what to do with the email.
  2. Quarantine - Send it to spam or let the mail provider deal with it.
  3. Reject - Don't let the email come through and bin it.

DMARC also lets email receivers tell the sender if their messages passed or failed the protection tests. This helps the sender (you) know if everything's working fine or if they need to fix something. This part is optional and you can safely skip this if you just want to get something in place.

So why do you need one?

Well first of all it's good practice and helps cut down on spam and scams, but secondly and probably the main reason you're here is that you heard that Google and Yahoo now require a DMARC record otherwise your emails might end up in spam. That's it basically!

How do I add my DMARC record / policy?

Before you add your DMARC, you need to have 2 other records in place first. These are SPF and DKIM records. I'm not going to go into detail as to what these records are for because I don't want to bog you down with any uneccessary details.

Where can I get my SPF and DKIM records from?

So this depends on who manages your emails. There are loads of providers so it would be too much for me to go over all of them, so I'm going to use Google Workspace - aka Gmail for business as my main example.

If you're not using Gmail, just google: "[Email provider] SPF record" and "[Email provider] DKIM record" and no doubt they'll have some instructions on how to get them.

So a SPF and DKIM record are types of TXT (text) records. When you go to add them your email provider will tell you to add them as a TXT record.

An SPF record will look something like this:

v=spf1 include:_spf.google.com ~all

and a DKIM record will look a little like the below, but probably a lot longer:

v=DKIM1; p=76E629F05F70 9EF665853333 EEC3F5ADE69A 2362BECE4065 8267AB2FC3CB 6CBE

Where do I add my SPF and DKIM records?

You need to go to your domain provider. Your domain is your website E.g. dansdiy.com. This might be GoDaddy, Fasthosts 123-Reg, whoever you use. You'll find the section you need under DNS settings or similar.

How do I add an SPF record?

Let's start with the SPF record. You want to add a new TXT record, so go and do that now. You've got two things you need to fill in, which is the host and the value. The "host" can usually be left empty, or if it complains about needing a value, use the "@" symbol as the value. The next field is the "value" field. This is where you put in the text that your email provider has given you. Check out the screenshot below, which is from fasthosts.co.uk. Once you've added in the details, save the record.

How do I add a DKIM record?

Now lets move onto the DKIM record, which is again another TXT record, so it will be very similar to the way we added the SPF record above.

This time you'll need to put something in the "host" field. Usually your email provider will give you something which looks like the following: mx._domainkey.dansdiy.com. You only want to paste in the mx._domainkey part. You don't want to add the whole line of text which also includes your domain name. Next the value will be a very long string of what looks like random characters. Paste that into the "value" field and then click save. See the screenshot below for more info.

Once you've added both these records, go back to your email provider and there will usually be a screen where you left off, which gives you the option to verify that the records have been added successfully. Please note, that normally it only takes about 5 minutes for these records to "show up" so to speak, but it could take a few hours. So don't be worried if it doesn't work straight away!

How to add your DMARC record

So hopefully both your SPF and DKIM records have been added and now verified by your email provider. It's now time to add your DMARC record / policy. This is very similar to the steps before - it's just another TXT record. So not anything that you haven't already done.

In the "host" field, you should enter: _dmarc as the value. Then in the "value" field you should add the following:

v=DMARC1; p=none;

Let's take a look at another screenshot to see what this looks like in practice:

This is the bare minimum that you need to add in order for Gmail and Yahoo to accept your emails. You probably won't need to verify this part works with your email provider, but there is a test you can do to see if Gmail thinks everything is ok.

How to check that Gmail will accept my emails

  1. First you need to have a gmail account or know someone who does.
  2. Then you need to send yourself or your friend an email from your domain.
  3. Log into Gmail and open the email. This needs to be done on a laptop or PC, not the mobile app.
  4. At the top right of the email there are 3 small stacked dots which indicate the options drop down menu. Click on that and choose the "show original" option.
  5. This will open up a new tab and you'll see a table with some values in it. You're looking at the bottom for the SPF, DKIM and DMARC rows. If they all say "PASS" You are good to go! Screenshots below.

How to setup multiple SPF records

So what if you have multiple services which want to send emails on your behalf? For example, say you use Google Workspace (Gmail for business) for your everyday operations and you also use HubSpot for your marketing and CRM needs? It doesn't have to be these two services, it could be any mix. So if you don't use the above, don't worry, its all the same.

HubSpot will nag you about setting up your SPF, DKIM and DMARC records so the emails that get sent and land in your customers inbox.

The thing here is that HubSpot doesn't know about your Gmail for business account and if you go ahead and add the records, you could end up stopping your Gmail account from working - not good!

Can I have multiple SPF records?

The main answer here is no. You can't have multiple SPF records for the same domain, but you can combine multiple records into one! So if you already have an SPF record in place, you just have to update it and paste in the new value onto the end of it.

Before you do that, you should know about the structure of an SPF record. We know from above that an SPF record looks something like this:

v=spf1 include:_spf.google.com ~all
  • The v=spf1 part only needs to appear once and should be at the beginning.
  • You can have upto 10 include:_spf.google.com parts.
  • For each include: part you should separate with a space.

So lets show an example of a combined Gmail and a HubSpot SPF record:

v=spf1 include:_spf.google.com include:123456.spf03.hubspotemail.net ~all

Don't copy this HubSpot record, it's a dummy one and won't work. You'll need to fetch your unique one from your HubSpot admin dashboard.

And here's an example with 4 services all combined. Remember, just leave a space between each include: part

v=spf1 include:_spf.google.com include:123456.spf03.hubspotemail.net include:third_service.com include:_forth-service.com ~all

Wrapping up

Nice and easy! Well maybe, I'm not sure this stuff will ever stop being intimidating to me. But the only way to learn is to try and sometimes break things. If that doesn't sound like fun to you, it might be best to outsource this type of thing to someone or company that knows.

I hope you found this tutorial helpful and would appreciate you share it with people you know in the same situation.

Thanks!

More Posts