DMARC TXT Records: What We Discovered

October 13, 2016

As part of the GCA DMARC initiative, we decided to run a scan against DNS to determine how many organizations are actually using DMARC and at what policy level. We started with just the top one million domains listed by Alexa, to make sure the scanner was working as intended. Based on those results, 498 domains out of a million were using DMARC.

However, after a bit of manual analysis, we discovered that the scanner didn’t actually function as intended. It did find DMARC records, but under the root of the domains, which is not the correct location for a DMARC record. We updated the scanner to look for DMARC records in the correct location, but restricted it to the domains that were using DMARC incorrectly. We discovered that 83 of the 498 did have the correct DMARC record in place as well (alongside the incorrectly placed one). The remaining domains…well, the good news is they tried to implement DMARC; the bad news is they have not done so correctly.

In order for DMARC to function as intended, the DMARC TXT record must always be published at a name beginning with “_dmarc”. For example, the correct record should appear as follows:

_dmarc.<FQDN> IN TXT "v=DMARC1; p=quarantine; rua=mailto:<email address>; ruf=mailto:<email address>; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"

NOT

<FQDN> IN TXT "v=DMARC1; p=quarantine; rua=mailto:<email address>; ruf=mailto:<email address>; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"


Simply put, the DMARC TXT record must always start with “_dmarc” in order for DMARC to function as intended.
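The check described above, as an added example that is not GCA's scanner: it queries the correct _dmarc.<FQDN> name and the domain root, classifies what it finds, and extracts the p= policy from the correctly placed record. The resolver is a caller-supplied function (here a constructed sample zone, so it runs offline); in practice it would wrap a real DNS TXT lookup.

```python
# Added example, not GCA's scanner: check the correct _dmarc.<FQDN> location and the
# domain root, as the post describes. lookup_txt is a caller-supplied resolver stub.

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs: "v=DMARC1; p=none" -> dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_dmarc(record):
    """A DMARC record must start with the version tag v=DMARC1."""
    return record.strip().lower().startswith("v=dmarc1")

def classify_dmarc(domain, lookup_txt):
    """Return (status, policy): status is 'correct', 'both' (correct record plus a
    misplaced copy at the root), 'misplaced' (root only) or 'none'; policy is the p=
    tag of the correctly placed record, or None."""
    at_dmarc = [r for r in lookup_txt(f"_dmarc.{domain}") if is_dmarc(r)]
    at_root = [r for r in lookup_txt(domain) if is_dmarc(r)]
    if at_dmarc and at_root:
        status = "both"
    elif at_dmarc:
        status = "correct"
    elif at_root:
        status = "misplaced"
    else:
        return "none", None
    policy = parse_dmarc(at_dmarc[0]).get("p") if at_dmarc else None
    return status, policy

# Constructed sample zone standing in for DNS TXT answers (runs offline).
SAMPLE_TXT = {
    "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:reports@good.example"],
    "_dmarc.both.example": ["v=DMARC1; p=none; rua=mailto:reports@both.example"],
    "both.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "wrong.example": ["v=DMARC1; p=reject"],
    "nodmarc.example": ["v=spf1 include:_spf.example -all"],
}

def sample_lookup(name):
    return SAMPLE_TXT.get(name, [])

if __name__ == "__main__":
    for d in ("good.example", "both.example", "wrong.example", "nodmarc.example"):
        print(d, classify_dmarc(d, sample_lookup))
```

A scanner that only checked the root, as the first version did, would report wrong.example as deployed and miss good.example entirely.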

Putting the DMARC record in the incorrect location is not the only type of error that organizations make. For more information, we recommend reading a blog post by Steve Jones from DMARC.org (Most common problems with DMARC records), which lists the most common errors made when implementing DMARC records, with interesting statistics supporting his findings.

We then adjusted the scanner to look only for DMARC records that are implemented correctly (using _dmarc.<FQDN>). The results were much different, as expected. Of the one million domains, only 12,342 are using DMARC at various policy levels, and fifty-one of those records contain errors.

[Chart: dmarc_alexa_1mill]

Another item of concern is the large number of DMARC policies set to ‘none’, which will be discussed further in future posts.