Enhance security for forged spam (DMARC)
Turn on DMARC
Turn on Domain-based Message Authentication, Reporting, and Conformance (DMARC) by adding a DMARC policy to your domain's DNS records. The policy is in the form of a DNS TXT record, and defines how your domain handles suspicious emails.
A DMARC policy supports three ways to handle suspicious emails:
- Take no action on the message and log it in a daily report.
- Mark the message as spam. Gmail puts these messages in the recipient's spam folder.
- Tell the receiving server to reject the message.
Example DMARC policies
These are some example policies and how they appear in the DNS TXT record. The values in these examples are defined in DMARC TXT record values.
- Take no action on messages that appear to be from your domain but fail the DMARC check. Send a daily report to an email address set up for reports:
v=DMARC1; p=none; rua=mailto:email@example.com
- Quarantine 5% of the messages that appear to be from your domain but fail the DMARC check. Send a daily report to an email address set up for reports:
v=DMARC1; p=quarantine; pct=5; rua=mailto:firstname.lastname@example.org
- Reject 100% of messages that appear to be from your domain but don't pass DMARC checks. Send the daily report to two email addresses (each address in rua is its own mailto: URI, separated by a comma):
v=DMARC1; p=reject; rua=mailto:email@example.com,mailto:firstname.lastname@example.org
Add a TXT record to turn on DMARC
To turn on DMARC, update your domain settings with one DNS TXT record.
About TXT records
A TXT record is a DNS record that contains text information used by sources outside of your domain. Add TXT records to your domain settings at your domain host, not in your Google Admin console.
Learn more about working with TXT records in Tips for updating DNS TXT records.
Add a DMARC TXT record
Follow these steps to add a DMARC TXT record for your domain:
- Replace the example domain in these steps with your domain.
- Replace the example values with values for your own DMARC policy.
- Sign in to the management console for your domain provider.
- Locate the page where you update DNS records.
Subdomains: If your domain host doesn't support updating subdomain DNS records, add the record to the parent domain. Learn how to update DNS records for a subdomain.
Add a DNS record at _dmarc
TXT record name: In the first field, under DNS Host name, enter:
TXT record value: In the second field, enter the values that define your DMARC policy, for example:
v=DMARC1; rua=mailto:email@example.com; p=quarantine; pct=90; sp=none
- Save your changes.
Note: Gmail does not support the DMARC ruf tag, used to send failure (forensic) reports.
| Tag name | Required | Description and values |
|---|---|---|
| v | Required | Protocol version. Must be DMARC1, and must be the first tag in the record. |
| p | Required | Defines how your domain handles suspicious messages: none (take no action, only report), quarantine (mark the message as spam), or reject (tell the receiving server to reject the message). |
| pct | Optional | Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check. Must be a whole number between 1 and 100. The default is 100. |
| rua | Optional | Email address to receive reports about DMARC activity for your domain, written as a mailto: URI. Use your own email address or create a new email address to receive reports. To send the report to more than one email address, separate the mailto: URIs with a comma. |
| sp | Optional | Sets the policy for messages from subdomains of your main domain. Use this option if you want to use a different DMARC policy for your subdomains. |
| adkim | Optional | Sets the alignment mode for DKIM, which defines how closely the domain in the message's From header must match the domain in the DKIM signature. |
| aspf | Optional | Sets the alignment mode for SPF (ASPF), which defines how closely the domain in the message's From header must match the domain that SPF authenticated. |
These articles have detailed information for creating a DMARC record:
- Create a TXT record using correct tag names and values
- How to create a TXT record for popular domain hosts
- Some limitations of popular domain hosts
- All available tags in the DMARC Tag Registry
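A small checker for the record syntax described in the examples and the tag table above. It is an added example, not code from Google or from the article; the rules it enforces are the ones stated on this page (v=DMARC1 first, p required, pct between 1 and 100, rua as comma-separated mailto: URIs, ruf not supported by Gmail), so it catches a rua entry that is missing its mailto: prefix.

```python
import re

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' or doubled separator
        if "=" not in part:
            raise ValueError(f"malformed tag, expected tag=value: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(txt):
    """Return the problems found in a DMARC TXT record; an empty list means it is usable."""
    problems = []
    try:
        tags = parse_dmarc_record(txt)
    except ValueError as exc:
        return [str(exc)]
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # default applies to all suspicious messages
    if not (pct.isdigit() and 1 <= int(pct) <= 100):
        problems.append("pct must be a whole number between 1 and 100")
    if "rua" in tags:
        for uri in tags["rua"].split(","):
            uri = uri.strip()
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri):
                problems.append(f"rua entry is not a mailto: address: {uri!r}")
    if "ruf" in tags:
        problems.append("ruf is set, but Gmail does not send failure (forensic) reports")
    return problems
```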
Deploy DMARC slowly
Use the policy (p) and percent (pct) options together to deploy DMARC in Gmail gradually.
Use the policy (p) option. Set and change the policy option using the p tag value in the TXT record. Start with a quarantine policy so you can inspect suspicious messages. Then gradually modify the policy based on what you learn from quarantined messages and daily reports.
- p=none: Monitor email traffic and look for issues in the daily reports, but let all messages through. Watch for spoofed messages and messages not signed with DKIM or SPF.
- p=quarantine: When you're familiar with email patterns you see in the daily reports, change the policy to quarantine. Continue to review the daily reports and view the messages that are being set aside (quarantined) as spam.
- p=reject: When you're sure all messages from your domain are signed, change the policy to reject to start filtering spam messages. Continue to review daily reports to check that you're filtering out spam and still delivering valid email to recipients.
Use the percent (pct) option. The percent option specifies what percentage of suspicious messages have the DMARC policy applied. Suspicious messages are messages that fail the DMARC check. The default is 100% (all suspicious messages). Set the percent option to a small percentage at first, increasing it every few days as you refine your DMARC policy. For example, set the percent option to 20 to filter 20% of rejected or quarantined messages to start with. The following week, change the value from 20 to 50 to filter 50% of the messages.
Example deployment: Here is an example of how to use the p and pct options to gradually deploy a DMARC policy. Update your DMARC policy over time with these values:
- p=none pct=100
- p=quarantine pct=1
- p=quarantine pct=5
- p=quarantine pct=10
- p=quarantine pct=25
- p=quarantine pct=50
- p=quarantine pct=100
- p=reject pct=1
- p=reject pct=5
- p=reject pct=10
- p=reject pct=25
- p=reject pct=50
- p=reject pct=100
Daily DMARC reports
DMARC daily reports are in XML format and have information about email flow. Use the reports to:
- Verify outbound email sources are authenticated
- Verify the email servers sending messages from your domain are legitimate
- Respond if a new server is online, or an existing server has configuration issues
Below is part of a report that shows results for messages sent from two IP addresses. One message was sent directly and the other message was forwarded. Both messages passed DMARC checks.
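The report excerpt the article refers to is not reproduced above. As an added example (not the article's own report or code), the following parses a constructed aggregate report of the shape the article describes, two source IPs, one direct and one forwarded, both passing DMARC, and flags the sources an administrator should look at: servers not in a known-senders list, or servers failing DMARC. The XML layout follows the aggregate-report format of RFC 7489; the IP addresses and domains are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real Gmail report. 10.0.0.5 sent directly; 198.51.100.7 is a
# forwarder, so SPF fails there, but the DKIM signature survives forwarding and DMARC passes.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>10.0.0.5</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example.net</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text, known_senders):
    """Aggregate each source IP: message count, DMARC pass/fail counts, known-server flag."""
    summary = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # DMARC passes when either aligned check (DKIM or SPF) in policy_evaluated passed
        passed = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                            rec.findtext("row/policy_evaluated/spf"))
        entry = summary.setdefault(ip, {"messages": 0, "dmarc_pass": 0,
                                        "dmarc_fail": 0, "known": ip in known_senders})
        entry["messages"] += count
        entry["dmarc_pass" if passed else "dmarc_fail"] += count
    return summary


def needs_attention(summary):
    """Source IPs to investigate: servers you don't recognise, or ones failing DMARC."""
    return sorted(ip for ip, e in summary.items() if not e["known"] or e["dmarc_fail"])
```

Run against a real report, the unknown-sender list is where a newly online server or a misconfigured one shows up first.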