Flexible DMARC Record Matching

DMARC (Domain-based Message Authentication, Reporting, and Conformance) records define email authentication policies. Flexible matching for DMARC records allows you to verify essential DMARC components are present while giving customers flexibility to adjust policy settings.

Understanding DMARC Monitoring

DMARC records are TXT records published at the _dmarc subdomain. They control how email servers handle authentication failures and where to send reports.

Example DMARC record:

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s

The Flexibility Problem

With exact matching, any policy adjustment triggers an alert:

curl -X POST https://api.dnsradar.dev/monitors \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "domain": "piedpiper.com",
  "subdomain": "_dmarc",
  "record_type": "TXT",
  "expected_value": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s",
  "is_exact_match": true
}'

If the customer changes pct=100 to pct=50 or adds a rua tag for reports, your monitor triggers a false alert.

Enabling Flexible DMARC Matching

Use flexible matching to verify only the DMARC components that matter to you by setting the is_exact_match parameter to false:

curl -X POST https://api.dnsradar.dev/monitors \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "domain": "piedpiper.com",
  "subdomain": "_dmarc",
  "record_type": "TXT",
  "expected_value": "v=DMARC1",
  "is_exact_match": false
}'

How Flexible Matching Works

With is_exact_match: false for DMARC records, DNSRadar:

  1. Verifies the record starts with v=DMARC1
  2. Checks that all tags in your expected_value are present
  3. Ignores additional tags or modified tag values not in your expected value

Valid DMARC Variations

With the flexible configuration above, these DMARC records would all be VALID:

v=DMARC1; p=none
v=DMARC1; p=quarantine; pct=50
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com
v=DMARC1; p=reject; rua=mailto:reports@example.com; adkim=s; aspf=s

All contain the required v=DMARC1 version tag, so they pass validation.

Monitoring Specific DMARC Tags

Require specific DMARC policy tags while allowing others to vary:

curl -X POST https://api.dnsradar.dev/monitors \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "domain": "piedpiper.com",
  "subdomain": "_dmarc",
  "record_type": "TXT",
  "expected_value": "v=DMARC1; p=reject",
  "is_exact_match": false
}'

This ensures the customer maintains a p=reject policy while allowing them to adjust reporting addresses, percentages, and alignment modes.

Enforcing Strict Alignment

Require strict DKIM and SPF alignment:

curl -X POST https://api.dnsradar.dev/monitors \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "domain": "piedpiper.com",
  "subdomain": "_dmarc",
  "record_type": "TXT",
  "expected_value": "v=DMARC1; adkim=s; aspf=s",
  "is_exact_match": false
}'

This configuration ensures both adkim=s (strict DKIM alignment) and aspf=s (strict SPF alignment) are present, regardless of other DMARC settings.

When Monitors Trigger

A MISMATCH alert is triggered if:

  • The DMARC record is removed
  • The v=DMARC1 version tag is missing
  • Required tags from your expected_value are removed

DMARC Tag Reference

Common DMARC tags you might want to monitor:

TagPurposeExample
vVersion (required)v=DMARC1
pPolicy for domainp=reject
spPolicy for subdomainssp=quarantine
pctPercentage of messages to filterpct=100
ruaAggregate report URIrua=mailto:dmarc@example.com
rufForensic report URIruf=mailto:forensic@example.com
adkimDKIM alignment modeadkim=s (strict)
aspfSPF alignment modeaspf=r (relaxed)

Best Practices

  1. Start with Basic Monitoring: Begin by monitoring for v=DMARC1 presence only
  2. Gradually Add Requirements: As customers mature their email authentication, add policy requirements
  3. Allow Reporting Flexibility: Don't enforce specific rua or ruf values unless necessary
  4. Document Expectations: Clearly communicate DMARC requirements to customers
  5. Combine with SPF/DKIM: Monitor DMARC alongside SPF and DKIM for comprehensive email security

Monitoring Email Authentication Stack

Complete email authentication monitoring:

curl -X POST https://api.dnsradar.dev/monitors/bulk \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
  "monitors": [
    {
      "domain": "piedpiper.com",
      "record_type": "TXT",
      "expected_value": "v=spf1 include:_spf.service.com",
      "is_exact_match": false
    },
    {
      "domain": "piedpiper.com",
      "subdomain": "_dmarc",
      "record_type": "TXT",
      "expected_value": "v=DMARC1",
      "is_exact_match": false
    },
    {
      "domain": "piedpiper.com",
      "subdomain": "default._domainkey",
      "record_type": "TXT",
      "expected_value": "v=DKIM1; k=rsa",
      "is_exact_match": false
    },
    {
      "domain": "piedpiper.com",
      "record_type": "MX",
      "expected_value": [
        "mx1.mail-provider.com",
        "mx2.mail-provider.com"
      ],
      "is_exact_match": true
    }
  ],
  "group": "email-authentication"
}'

Next Steps