Ever wondered how to add a custom DMARC record to secure emails and protect your domain from phishing and spoofing? In this guide, you’ll find a friendly, step-by-step process that not only explains how to configure DMARC settings but also demonstrates how to boost email deliverability, thereby ensuring your domain remains safe and trusted.
This topic covers processes relating to a cPanel service.
You will need to be logged into the cPanel account to follow the steps.
If you’re not sure how to access your cPanel service — please, follow this guide before continuing: How do I Login to cPanel?
If your domain’s DNS records are managed here with us, you can follow the steps in this guide to add a DMARC to your DNS zone.
If you just need a basic DMARC record for your domain, you can use this guide: ‘How to add a DMARC Record to my Domain‘
However, if you need to craft an advanced custom DMARC record you can use the information about DMARC records at the end of this guide, along with the Zone Editor tool in cPanel.
Login to cPanel
1. First, login to cPanel
2. Then, Navigate to the ‘Zone Editor’ tool located under the “Domains” sub-menu
3. After that, locate the domain you want from the list and click the ‘Manage’
button
4. Then, click the small down arrow on the ‘Add Record’ button.
Add a custom DMARC record
5. Then, choose ‘Add DMARC Record’ from the list.
6. After that, click the ‘Optional Parameters‘ drop-down to reveal the settings that correspond to the DMARC tags listed in the table below.
7. After that, select the tags that best suit your organisation’s requirements. Following your selection, the DMARC tool automatically generates your record.
8. Finally, click the ‘Save Record‘ button to finalise your DMARC record.
Additional information
Below, we detail what each part of a DMARC record does.
What is DMARC?
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, acts like a set of instructions given to other mail servers about how to handle your emails.
It uses SPF and/or DKIM to verify email. If an email fails SPF/DKIM checks, DMARC tells the recipient what to do with it – for example, reject it or quarantine it in the spam or junk folder.
DMARC also asks for reports from email receivers about how they’re handling your emails, helping you know if someone is trying to impersonate your domain.
Anatomy of a DMARC record
A DMARC record consists of several parts known as ‘tags.’ Additionally, you can craft your DMARC record by selecting the tags that best suit your or your organisation’s needs.
The table below shows the name and purpose of each tag.
| TAG | PURPOSE | EXAMPLE |
| v | This tag is required. Protocol version. Must be DMARC1. | v=DMARC1 |
| p | This tag is required. DMARC Policy. Instructs the receiving mail server on what to do with messages that don’t pass authentication. nonequarantinereject | p=reject |
| adkim | This tag is optional. DKIM Mode. Sets the alignment policy for DKIM, which defines how strictly message information must match DKIM signatures. s – Strict alignment. The sender domain name must exactly match the corresponding d=domainname in the DKIM mail headers.r – Relaxed alignment (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted. | adkim=s |
| aspf | This tag is optional. SPF Mode. Sets the alignment policy for SPF, which specifies how strictly message information must match SPF signatures. s – Strict alignment. The message From: header must exactly match the domain name in the SMTP MAIL FROM commandr – Relaxed alignment (default). Allows partial matches. Any valid subdomain of domain name is accepted. | aspf=s |
| pct | This tag is optional. Percentage. Specifies the percentage of unauthenticated messages that are subject to the DMARC policy. | pct=20 |
| rua | This tag is optional. Aggreate Mail Reports. Email address to receive reports about DMARC activity for your domain. | rua=mailto:aggrep@example.com |
| ruf | This tag is optional. (not supported by Google) Failure Reports. Used to send failure reports. Failure reports are also called forensic reports. | ruf=mailto:authfail@example.com |
| sp | This tag is optional. Subdomain Policy. Sets the policy for messages from subdomains of your primary domain. Use this option if you want to use a different DMARC policy for your subdomains. | sp=reject |