[Email DLP] Publishing DMARC Records

Target

• Customers who have not configured a DMARC record for the email domains used with Email DLP

Purpose

DMARC is a security mechanism that allows you to determine whether the sender address displayed in an email has been spoofed (Domain-based Message Authentication, Reporting, and Conformance).
It is one of the email domain authentication technologies, and by verifying the sender address (Header From) displayed in the email based on the authentication results of SPF and DKIM, it helps prevent spoofing and ensures that emails sent from the sender are from a trusted domain.
In addition, the DMARC policy allows you to determine how emails are handled after being checked against SPF and DKIM records.

Notes

1. We recommend performing this procedure for all custom domains used for email.
2. You must have already added an SPF record and configured DKIM in advance.
3. Since HENNGE does not have access to your network's DNS settings, your domain administrator or domain management service provider may need to perform this procedure to complete the setup.
4. The configuration described in this Help Center is the minimum DMARC setup required to comply with the guidelines published by Microsoft or Google.
   The guidelines recommend specifying p=none as the DMARC policy to monitor emails that fail authentication.
5. The content of this article is based on the product as of January 2026 and is subject to change without notice.

Procedure

Adding a DMARC Record

1. Publish the following DMARC record in the DNS for your domain.
* The method for adding a TXT record on the DNS server varies depending on the server.
Please check with your DNS service provider for details.

Name of TXT Record
* Depending on the DNS service, the trailing "." (dot) may not be required.
In that case, configure the record without the dot.

_dmarc.

Value of TXT Record
* "p=none" means that the receiving server will deliver emails that fail authentication as is.

v=DMARC1; p=none

Configuration Example
* Tags such as "rua" are not required.
* For the meaning of each tag, please refer to the Google site or Microsoft site.

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Verifying the DMARC Record

For all domains where DKIM has been added, please follow the steps below.

1. In the Email DLP Administration, go to [Tenant Settings] – [DMARC Coverage].

   

2. Confirm that the status of the domain where DMARC was added is as follows:
   • Status: Partially Compliant
   • DMARC: Enabled
   • DKIM: Enabled
   • SPF: Enabled

Frequently Asked Questions

How can I strengthen the DMARC policy?

Please refer to the following article:
About Strengthening the DMARC Policy

Reference Information

• Notice on Microsoft’s New Email Sending Policy
• Notice on Google’s New Email Sending Policy
• DMARC Record Checker (external site)