Build Your Email Server on Ubuntu Part 3: Create DMARC Record

In part 2 of our build your own email server on Ubuntu tutorial series, we implemented SPF and DKIM records to improve email deliverability. In this part, we’re going to look at another email authentication technology: DMARC. We will discuss how dmarc can benefit you, how to create dmarc record and how to interpret dmarc report.

What is DMARC?

DMARC stands for Domain-based message authentication, reporting and conformance. DMARC is not a product. It’s a freely available technical specification and widely supported across the Internet. Anyone owning a domain can take advantage of DMARC.

A DMARC policy allows a domain owner to indicate that emails from his/her domain is protected by SPF and DKIM. You can use DMARC to discover all legitimate sources of email. DMARC builds upon two existing technologies: SPF and DKIM.

DMARC Benefits

Why is DMARC good for you? The benefits of deploying DMARC are:

  • Fraud detection: It is a very powerful tool to combat with email phishing and thus protect your brand.
  • Simplified email delivery: Sending DMARC-compliant email allows receiving email servers to simplify the filtering rules.
  • Your email domain reputation will grow after you create DMARC record correctly.
  • Gives senders visibility into how receiving email servers process their email. You can get a report of how many legitimate emails are sent from your domain, how many emails can’t be authenticated including both legitimate and fraudulent ones.

This is a pretty big deal to any organization that relies on email for its day-to-day business. If you are doing email marketing, then DMARC is a must have tool to make email easy to deliver and reach customers. Pretty much every major consumer-facing mailbox provider like Gmail, yahoo and Microsoft ask to be sent DMARC-compliant email to make their job of filtering emails easier.

How to Create DMARC Record

DMARC policies are published as a TXT record in DNS.

Step 1: create SPF and DKIM records

To create DMARC record, you must make sure your already have set up SPF and DKIM records.

Step 2: Identifier alignment

Send a test email from your domain, then check the raw email. You want to make sure the domains in Return Path, From: header and d=domain in the DKIM signature are the same. If the 3 domains are identical, then they are aligned.

dmarc identifier alignment

Step 3: Setting up the DMARC record

Go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:

v=DMARC1; p=none; rua=mailto:[email protected]


  • v=MARC1 means the protocol version is DMARC1.
  • p=none means we choose none as the policy for our domain.
  • rua stands for reporting URI for aggregate report. The email address is used to tell the world where report should be sent. Replace [email protected] with your real email address that are used to receive aggregate DMARC report.

Policy none will request data reports from receivers without impacting existing flows. You should analyze the data for some time and then modify your email stream as appropriate. You can change the policy from none to quarantine or reject once you have the experience. Quarantine means the email will be labeled as spam.

This is all you have to do to implement DMARC for your domain.


A good service for DMARC test is Go to the website, you will see a unique email address. Send an email from your domain to this address and then check your score.

DMARC test

This website check all factors that affect email deliverability, not just DMARC.

Another way to test DMARC is send an email from your domain to your Gmail account. If DMARC is configured correctly then you will see dmarc=pass in the authentication-results header.

How to Interpret DMARC Report

There are two kinds of DMARC Reports

  • daily XML-based aggregate report
  • Real-time MARF-based forensic report

Normally you only want to receive the aggregate report. The data that DMARC produces is invaluable for understanding what is going on for any given email domain.

However, raw DMARC data is not easy to read and understand. There are tools such as Dmarcian and ReturnPath that process these reports, presents you a much more readable report. Dmarcian offers a free basic account.

The nice part about Dmarcian is that you can tell receiving email servers to send XML reports directly to dmarcian for processing. So instead of entering your email address in the DMARC record, you enter an email address of that is unique to your Dmarcian account.

v=DMARC1; p=none; rua=mailto:[email protected];

That’s it!

In part 4, we will see how to install Dovecot and enable TLS encryption. and as always, if you found this post useful,  subscribe to our free newsletter or follow us on Google+Twitter or like our Facebook page.

Rate this tutorial
[Total: 10 Average: 3.7]

One Response to “Build Your Email Server on Ubuntu Part 3: Create DMARC Record

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • * Some of my previous answers are lost after I uninstalled Disqus comment system from my website. I try to recover those answers whenever I can.