Office 365 - Publishing a Custom DMARC Record for Your Email Domain in DNS
Audience: Domain Administrators and Departmental/Organizational IT Support Staff
This article provides instructions for publishing custom DMARC records in DNS for UW-Madison email domains. Information about the protection of UW-Madison email with DMARC can be found here: Email Authenticity
Note: This article assumes fundamental knowledge of DNS records and DMARC. If you would like to learn more about DMARC and DNS records, please see the following resources:
Preparing to publish your custom DMARC record
Before you publish a custom DMARC record for your email domain, you'll want to make sure your domain's SPF record in DNS includes all of the senders you approve to send email as/from your domain and that it ends with "~all" or "-all".
Use the DMARC Info tool in the Wisc Account Admin Site to view IP addresses sending as/from your domain over the past several days and stage potential changes to your domain's SPF record.
- Reach out to any and all third-party email vendors your organization contracts with and request that they work with you to set up custom domain authentication via SPF and DKIM for your subdomain (e.g. mydomain.wisc.edu). Steps for how to do this with some of campus's commonly used third-party email vendors are below:
If your third-party email vendor/service is not listed above, you may be able to find them listed with links to their DMARC-related documentation here: https://dmarc.io/source/
Publishing your custom DMARC record
Once your domain's SPF record in DNS has been updated to include only senders you approve to send as/from your domain, and you've taken steps to set up custom domain authentication via DKIM for any/all third-party email vendors that send as/from your domain, you may take the next steps to publish a custom DMARC record for your email domain in DNS however you normally publish DNS records or request their publication.
DMARC record publication location
Publish a TXT record in DNS at the following location, replacing yourdomain.wisc.edu with the domain for which you'd like the record published:
Different options for publishing your custom DMARC record
- Effective Quarantine Record
- Reject Record
Use the following value when publishing the DMARC record so that it instructs recipient mail systems to quarantine messages that fail your DMARC policy and provide failure reports to UW-Madion's mail system administrators:
"v=DMARC1; p=quarantine; pct=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1; sp=none;"
Note: to change the percentage of quarantined failed messages, change the value in the "pct=" tag in the record to any value between 0 and 100.
Use the following value when publishing your DMARC record so that it instructs recipient mail systems to reject messages that fail your DMARC policy and provide failure reports to UW-Madison's mail system administrators:
"v=DMARC1; p=reject; pct=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1; sp=none;"
Note: to change the percentage of rejected failed messages, change the value in the "pct=" tag in the record to any value between 0 and 100.