Andy Bedinger

Having a DMARC Record is Essential for Mail Security

Missing DMARC record fails validation check for domain

3/26/2025

I recently set up a custom domain with iCloud Mail. Apple has helpful documentation on how to create the needed DNS records. There’s a TXT record for domain validation. There are a couple of MX records to point your domain at the iCloud mail servers, of course. Then they have you add an SPF record and a DKIM record, and you’re done: you can now send and receive email through your custom domain.

But you’re not done. There’s no mention of a DMARC record. The SPF record lists mail servers authorized to send mail for your domain, and says to reject all others. The DKIM record points to Apple’s public key so that mail providers can verify messages from your custom domain were signed by Apple’s private key. But it’s the DMARC record that instructs mail providers what to do with messages that fail either the SPF or DKIM checks. Without a DMARC record, attackers can send phishing emails that appear to come from your domain—leading to fraud, brand damage, and security risks.

Create a DNS TXT record named _dmarc.yourdomain.tld and set its value to "v=DMARC1; p=quarantine;" to tell mail providers to flag messages that fail SPF and DKIM checks as spam. Or, set its value to "v=DMARC1; p=reject;" to tell mail providers to reject spoofed messages altogether. Read up on DMARC settings and choose the options that are best for you.

DMARC can flunk a message even when both SPF and DKIM checks pass. That’s because it also checks for domain alignment. For SPF to pass DMARC alignment, the domain in the From address must match the domain in the Return-Path or Envelope-from address. For DKIM to pass DMARC alignment, the domain specified in the DKIM signature must match the domain in the From address.
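To make the record format from the paragraph before last and the alignment rules above concrete, here is an added Python example (not code from the original post or from Apple): it parses a DMARC TXT value into its tags and then evaluates the DMARC result for a message from the SPF result plus envelope-from domain, the DKIM result plus the signature's d= domain, and the From-header domain, honoring the aspf/adkim relaxed-or-strict modes and the sp= subdomain policy. The sample records and domains are constructed for the example, and the organizational-domain lookup is simplified to the last two labels (a real validator must use the Public Suffix List); pct= is parsed but treated as 100 when evaluating.

```python
"""Parse a DMARC record and evaluate DMARC alignment for one message.

Added example; not the original post's code. Organizational-domain logic is a
simplification (last two labels) instead of a Public Suffix List lookup.
"""
from dataclasses import dataclass, field
from typing import Optional

_POLICIES = {"none", "quarantine", "reject"}
_ALIGN_MODES = {"r", "s"}  # r = relaxed (org domain match), s = strict (exact)


@dataclass
class DmarcRecord:
    policy: str                 # p=  : disposition for the record's own domain
    subdomain_policy: str       # sp= : disposition for subdomains (defaults to p)
    adkim: str                  # adkim= : DKIM alignment mode
    aspf: str                   # aspf=  : SPF alignment mode
    pct: int                    # pct= : share of failing mail the policy applies to
    rua: list = field(default_factory=list)  # aggregate-report destinations


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the value of a _dmarc.<domain> TXT record; raise ValueError if invalid."""
    parts = [p.strip() for p in txt.split(";")]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if not part:
            continue  # trailing ';' leaves an empty element
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    policy = tags.get("p", "").lower()
    if policy not in _POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in _POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    adkim = tags.get("adkim", "r").lower()
    aspf = tags.get("aspf", "r").lower()
    if adkim not in _ALIGN_MODES or aspf not in _ALIGN_MODES:
        raise ValueError("adkim=/aspf= must be r or s")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError("pct= must be an integer") from None
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcRecord(policy, sub_policy, adkim, aspf, pct, rua)


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """True if the authenticated domain aligns with the From domain under mode."""
    fd, ad = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return fd == ad if mode == "s" else org_domain(fd) == org_domain(ad)


def evaluate(record: DmarcRecord, record_domain: str, from_domain: str,
             spf_result: str, envelope_from_domain: Optional[str],
             dkim_result: str, dkim_d_domain: Optional[str]) -> str:
    """Return 'pass', or the disposition a receiver would apply on failure.

    DMARC passes when at least one mechanism both passes AND aligns; a passing
    SPF or DKIM check on an unrelated domain does not count.
    """
    spf_aligned = (spf_result == "pass" and envelope_from_domain is not None
                   and aligned(from_domain, envelope_from_domain, record.aspf))
    dkim_aligned = (dkim_result == "pass" and dkim_d_domain is not None
                    and aligned(from_domain, dkim_d_domain, record.adkim))
    if spf_aligned or dkim_aligned:
        return "pass"
    fd, rd = from_domain.lower().rstrip("."), record_domain.lower().rstrip(".")
    return record.policy if fd == rd else record.subdomain_policy


if __name__ == "__main__":
    # Constructed sample: relaxed record, SPF passes on a bounce subdomain.
    rec = parse_dmarc("v=DMARC1; p=quarantine;")
    print(evaluate(rec, "example.com", "example.com",
                   "pass", "bounce.example.com", "fail", None))
```

The third scenario in the checks below is the one the paragraph above describes: SPF and DKIM both pass, but for a third-party domain, so DMARC still fails and the published p= policy applies.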

I understand Apple not providing copy/paste values for the DMARC record. That’s really a personal decision, and there are providers that specialize in DMARC and offer free services for monitoring DMARC reports—that’s not what Apple does. Nonetheless, there should be some mention of DMARC in the documentation.

The lesson: Don’t blindly trust prescriptive guidance to be complete. Know the technology you are working with, or get the help of a professional. Have you checked if your domain has a DMARC record? If not, now’s the time! Mitigate mail spoofing attacks for your domains using proper SPF, DKIM, and DMARC settings.