How to add a DMARC record and avoid floods of emails

How to add a DMARC record

I will tell you 1. how to add a DMARC record and 2. how to avoid the emails which flood you after you have added the record.

First, what's it all about?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.

It's an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorised use, that is, email spoofing. The core idea of DMARC is to link the sender's domain name with the email, allowing the receiver to authenticate the source of the email. DMARC expands on two existing mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), for validating email authenticity.

In a DMARC policy, two important fields are ruf and rua. These fields specify email addresses where reports about messages are sent:

ruf (Reporting URI for Forensic Reports): This field is used to specify an email address to receive forensic reports. Forensic reports are detailed reports of individual failed messages. They are intended for diagnostic use by the sender and usually contain information about those messages which failed DMARC evaluation. Many email service providers do not support sending forensic reports due to privacy concerns.

rua (Reporting URI of Aggregate Reports): This field specifies an email address where aggregate reports are sent. Unlike forensic reports, aggregate reports are summaries of the DMARC passing or failing activity seen by receivers. These reports are sent daily (!!) and provide an overview of all compliant and non-compliant messages reported by receivers implementing DMARC. They're said to be useful for domain owners to identify authentication issues or unauthorised email sending.

After you implement DMARC, you get flooded with DMARC emails. This is due to the aggregate (rua) and forensic (ruf) reports being sent to you. These reports are meant to provide insights into email authentication attempts and failures, but can drive you totally nuts when you wake up to what seems like 60 million of the pesky things.

Here are the ways to reduce the number of these never-ending reports.

Omit the ruf Field: (Heads up! The easiest way and the 2nd most effective.)
The ruf field is for forensic reports, which are detailed and sent for each individual email that fails DMARC checks. These reports are numerous and contain lots of detailed information, most (or maybe all) of which you couldn't care less about. Omitting the ruf field will reduce the number of emails significantly, as you'll only receive the aggregate reports. (Yay!)

 

Set up a special email address and enter it in the rua field (and don't add a ruf field). This is the best way, as you simply don't have to check that email. However, you'll have to set one up. It's far easier to set one up at that domain. You could call it dmarc@(yourdomain.com).

Carefully Configure the rua Field:
The rua field is for aggregate reports, which are summaries of email authentication attempts over a period, typically daily. While thankfully less detailed and frequent than forensic reports, these can still add up. If you get too many, you could set up a dedicated email address to collect these reports.

Use Third-Party DMARC Reporting Services:
Yes, you could, but why pay?

Adjust the DMARC Policy:
If you're currently in monitoring mode (p=none), you will receive reports about all emails, both passing and failing DMARC. If you use a restrictive policy (p=quarantine or p=reject), you will receive fewer reports, particularly related to legitimate emails, as spammers often give up when they see that their attempts are not successful.
If you want to take it further, you can set the policy to p=quarantine (or even p=reject).
If you set your DMARC policy to p=reject, there is a potential risk of rejecting legitimate emails, particularly if your SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) configurations are not properly set up and aligned with your DMARC policy. So think on this:
Accurate SPF and DKIM Configuration: Before setting DMARC to p=quarantine or p=reject, make sure your SPF and DKIM records are correctly configured. These records should accurately reflect the mail servers and domains authorised to send emails on your behalf. Be aware of all the sources that send emails on behalf of your domain. This includes not just your primary mail server, but also any third-party services like marketing tools, CRM systems, or automated notification services you're using. Each of these sources needs to be accounted for in your SPF and DKIM settings. If these records are incorrect, legitimate emails might fail SPF and/or DKIM checks and consequently be rejected due to the DMARC policy you have set.

It's generally recommended to implement DMARC with a policy of p=none. This allows you to monitor reports and understand how your emails are being processed without affecting email delivery. Once you're confident that legitimate emails are passing SPF, DKIM, and DMARC checks consistently, you can move to a more restrictive policy like p=quarantine and eventually p=reject.
Even after moving to p=reject, it's important to keep monitoring DMARC reports in case any issues arise.
Potential for False Positives: As I said, there's always a slight risk of false positives (legitimate emails being rejected) with p=reject.
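
As an added example (not part of the original post): aggregate reports arrive as XML in the format defined by RFC 7489, and a short script can show which sending sources still fail DMARC before you tighten the policy. The sample report is constructed, and the code assumes the XML has already been extracted from its zip/gzip attachment and uses no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges), trimmed to the fields used here.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>9</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: messages seen, and how many failed DMARC."""
    # The rua address is public, so anyone can mail it: treat reports as untrusted
    # input and refuse documents that declare a DOCTYPE (entity tricks).
    if "<!DOCTYPE" in xml_text:
        raise ValueError("refusing report that contains a DOCTYPE")
    totals = defaultdict(lambda: {"messages": 0, "dmarc_fail": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip", "unknown")
        count = int(row.findtext("count") or 0)
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        totals[ip]["messages"] += count
        # DMARC passes when either aligned check passes; it fails only if both do not.
        if dkim != "pass" and spf != "pass":
            totals[ip]["dmarc_fail"] += count
    return dict(totals)

def failing_sources(xml_text):
    """Sources whose mail would be subject to p=quarantine or p=reject, worst first."""
    rows = [(ip, t["dmarc_fail"]) for ip, t in summarize(xml_text).items() if t["dmarc_fail"]]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, failed in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed} messages failed DMARC")
```

Any source in that list that is one of your own services (a marketing tool, a CRM) needs fixing in SPF or DKIM before you move off p=none.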


Bottom line.
By customising your DMARC setup, especially by doing away with the ruf field (read on for how to do this), you can reduce the volume of emails received. Better still, set up a special email address at your domain and only check it when you're nicely caffeinated.

1. HOW TO ADD A DMARC.

The first step is to generate a record.

Go here to generate the record. 

Leave the policy as None (unless you have reason to do otherwise such as quarantine or reject - see above).

Aggregate email: Enter an email address associated with your domain. (It doesn't have to be, but if you are using an email address from a different domain in the rua field, you might need to set up an additional DNS record on the domain of the email address. This is known as an External Domain Verification (EDV) record, and it's required to authorise the external domain to receive DMARC reports on behalf of your domain. This record is usually a TXT record with a specific value provided by the DMARC report receiver.)

The purpose of the aggregate field is simply to specify an email at which you will receive DMARC reports. It has zero to do with domain authentication.

Forensic email: Leave the field blank to avoid receiving countless DMARC notification emails. If you do wish to receive them, enter the email at which you wish to receive all these emails. 

 Now go to your domain host.

Log in to your domain host, such as GoDaddy.

Go to Domains.

Find your domain and click on it.

Next to your domain name, you will see options such as DNS and Manage.

Click on DNS. This is how it looks in GoDaddy, but if you have a different host, the steps are still the same.

 Click Add New record.

In the drop-down box, select TXT.

 For Name, enter _dmarc  (Your domain host might have Hostname instead of Name.)

For Value, enter the record populated by the above link.

As an example, here is how it looks on one of my sites on GoDaddy.

 

Click Save.

It will tell you it could take up to 48 hours, but it's usually pretty much instant.

Go here to see if it worked.

By the way, if you get an error message such as invalid data, use a different browser.

2. Pesky emails.

Here's how to avoid those pesky emails.

Have you already added a DMARC record and are receiving heaps of emails? Simply go here and generate a new record, making sure the Forensic email field is blank.

Make a special email address just for DMARC reports and enter it in the Aggregate email field. (That is the rua field.)


Look at this record. The following record means you will get numerous emails.

v=DMARC1; p=none; rua=mailto:morgana@authorssellingdirect.com; ruf=mailto:morgana@authorssellingdirect.com; sp=none; aspf=s; adkim=s;

Following, I have bolded the ruf= email address. This causes most of those emails.

v=DMARC1; p=none; rua=mailto:morgana@authorssellingdirect.com; ruf=mailto:morgana@authorssellingdirect.com; sp=none; aspf=s; adkim=s;

You can edit your record and remove the ruf field - or simply use the generator to do it and then edit the record.

With the ruf field (you get numerous emails)

 v=DMARC1; p=none; rua=mailto:morgana@authorssellingdirect.com; ruf=mailto:morgana@authorssellingdirect.com; sp=none; aspf=s;

Without the ruf field (you do not get as many emails)

 v=DMARC1; p=none; rua=mailto:morgana@authorssellingdirect.com; sp=none; aspf=s;
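
As an added example (not part of the original post), this script checks a DMARC record for the two things discussed here and in step 1: whether a ruf address is still present, and whether any report address sits on a different domain and so needs the extra verification record. The sample records are constructed on example.com, and the record name and "v=DMARC1" value follow RFC 7489; "same domain" is simplified to the domain itself or one of its subdomains.

```python
from urllib.parse import urlparse

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:  # skips the empty piece after a trailing ';'
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def report_addresses(value):
    """Mailboxes named in a rua/ruf value (comma-separated mailto: URIs)."""
    found = []
    for uri in value.split(","):
        uri = uri.strip().split("!", 1)[0]  # drop an optional size limit such as "!10m"
        parsed = urlparse(uri)
        if parsed.scheme == "mailto" and "@" in parsed.path:
            found.append(parsed.path.lower())
    return found

def audit(domain, record):
    """Report where a domain's DMARC record sends reports and what that implies."""
    tags = parse_dmarc(record)
    rua = report_addresses(tags.get("rua", ""))
    ruf = report_addresses(tags.get("ruf", ""))
    external = set()
    for addr in rua + ruf:
        host = addr.rsplit("@", 1)[1]
        # Simplification: a host is "internal" if it is the domain or a subdomain of it.
        if host != domain and not host.endswith("." + domain):
            # The receiving domain must publish a TXT record "v=DMARC1" at this name.
            external.add(f"{domain}._report._dmarc.{host}")
    return {
        "version_ok": list(tags.items())[:1] == [("v", "DMARC1")],
        "policy": tags.get("p"),
        "rua": rua,
        "ruf": ruf,  # non-empty means per-message failure reports were requested
        "external_auth_records": sorted(external),
    }

# Constructed sample records, modelled on the ones shown above.
WITH_RUF = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; aspf=s;"
WITHOUT_RUF = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; sp=none; aspf=s;"
EXTERNAL = "v=DMARC1; p=none; rua=mailto:reports@collector.example!10m"

if __name__ == "__main__":
    for rec in (WITH_RUF, WITHOUT_RUF, EXTERNAL):
        print(audit("example.com", rec))
```
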

CAUTION.

The DNS records are public. Anyone can see your rua email (and ruf field if you have one).

 

  

 
