
DMARC_BUILDER

DNSControl provides DMARC_BUILDER, a helper that makes it simple to create DMARC policies for your domains.

Example

Simple example

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  DMARC_BUILDER({
    policy: "reject",
    ruf: [
      "mailto:mailauth-reports@example.com",
    ],
  }),
);

This yields the following record:

@   IN  TXT "v=DMARC1; p=reject; ruf=mailto:mailauth-reports@example.com"

Advanced example

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  DMARC_BUILDER({
    policy: "reject",
    subdomainPolicy: "quarantine",
    percent: 50,
    alignmentSPF: "r",
    alignmentDKIM: "strict",
    rua: [
      "mailto:mailauth-reports@example.com",
      "https://dmarc.example.com/submit",
    ],
    ruf: [
      "mailto:mailauth-reports@example.com",
    ],
    failureOptions: "1",
    reportInterval: "1h",
  }),
);

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  DMARC_BUILDER({
    label: "insecure",
    policy: "none",
    ruf: [
      "mailto:mailauth-reports@example.com",
    ],
    failureOptions: {
        SPF: false,
        DKIM: true,
    },
  }),
);

This yields the following records:

@           IN  TXT "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=50; rua=mailto:mailauth-reports@example.com,https://dmarc.example.com/submit; ruf=mailto:mailauth-reports@example.com; fo=1; ri=3600"
insecure    IN  TXT "v=DMARC1; p=none; ruf=mailto:mailauth-reports@example.com; fo=d"
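
One way to review record values like the ones above before they are pushed, as an added example that is not part of the DNSControl documentation or code base: a small Node.js linter that parses a DMARC TXT value and reports weak settings. The function names, finding codes and rule set (p=none, sp weaker than p, pct below 100, missing rua) are assumptions of this example.

```javascript
// Added example, not DNSControl code. Rule set and names are assumptions.
const STRENGTH = new Map([["none", 0], ["quarantine", 1], ["reject", 2]]);

// Record values copied from the examples on this page.
const SIMPLE = "v=DMARC1; p=reject; ruf=mailto:mailauth-reports@example.com";
const ADVANCED = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=50; " +
  "rua=mailto:mailauth-reports@example.com,https://dmarc.example.com/submit; " +
  "ruf=mailto:mailauth-reports@example.com; fo=1; ri=3600";
const INSECURE = "v=DMARC1; p=none; ruf=mailto:mailauth-reports@example.com; fo=d";

// Split "v=DMARC1; p=reject; ..." into a lower-cased tag -> value map.
function parseDmarc(txt) {
  const tags = new Map();
  for (const part of txt.split(";")) {
    const piece = part.trim();
    if (piece === "") continue; // tolerate a trailing ";"
    const eq = piece.indexOf("=");
    if (eq < 1) throw new Error("malformed tag: " + piece);
    tags.set(piece.slice(0, eq).trim().toLowerCase(), piece.slice(eq + 1).trim());
  }
  return tags;
}

// Return finding codes; an empty array means none of the rules fired.
function lintDmarc(txt) {
  const t = parseDmarc(txt);
  if (t.get("v") !== "DMARC1") return ["not-dmarc1"];
  const p = t.get("p");
  if (!STRENGTH.has(p)) return ["invalid-policy"];
  const findings = [];
  if (p === "none") findings.push("monitor-only"); // nothing is enforced
  const sp = t.get("sp");
  if (sp !== undefined) {
    if (!STRENGTH.has(sp)) findings.push("invalid-subdomain-policy");
    else if (STRENGTH.get(sp) < STRENGTH.get(p)) findings.push("weaker-subdomain-policy");
  }
  const pct = t.has("pct") ? Number(t.get("pct")) : 100;
  if (!Number.isInteger(pct) || pct < 0 || pct > 100) findings.push("invalid-pct");
  else if (pct < 100) findings.push("partial-enforcement"); // policy is sampled
  if (!t.get("rua")) findings.push("no-aggregate-reports"); // no failure visibility
  return findings;
}

for (const rec of [SIMPLE, ADVANCED, INSECURE]) {
  console.log(lintDmarc(rec).join(",") || "ok", "<-", rec);
}
```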

Parameters

  • label: The DNS label for the DMARC record (_dmarc prefix is added, default: "@")

  • version: The DMARC version to be used (default: DMARC1)

  • policy: The DMARC policy (p=), must be one of "none", "quarantine", "reject"

  • subdomainPolicy: The DMARC policy for subdomains (sp=), must be one of "none", "quarantine", "reject" (optional)

  • alignmentSPF: "strict"/"s" or "relaxed"/"r" alignment for SPF (aspf=, default: "r")

  • alignmentDKIM: "strict"/"s" or "relaxed"/"r" alignment for DKIM (adkim=, default: "r")

  • percent: Number between 0 and 100, percentage for which policies are applied (pct=, default: 100)

  • rua: Array of aggregate report targets (optional)

  • ruf: Array of failure report targets (optional)

  • failureOptions: Object or string; an object contains the booleans SPF and DKIM, a string is passed raw (fo=, default: "0")

  • failureFormat: Format in which failure reports are requested (rf=, default: "afrf")

  • reportInterval: Interval in which reports are requested (ri=)

  • ttl: Input for TTL method (optional)

Caveats

  • TXT records are automatically split using AUTOSPLIT.

  • URIs in the rua and ruf arrays are passed raw. You must percent-encode all commas and exclamation points in the URI itself.
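
Because the URIs are passed raw, the encoding has to happen before they reach DMARC_BUILDER. The helper below is an added example, not part of DNSControl; its name and signature are hypothetical. It percent-encodes commas and exclamation points inside the URI and, as an assumption based on the DMARC URI syntax in RFC 7489, appends the optional report size limit after an unencoded "!".

```javascript
// Added example, not DNSControl code. dmarcUri() is a hypothetical helper that
// can be defined at the top of dnsconfig.js and used inside rua/ruf arrays.

// "," separates URIs in rua=/ruf= and "!" introduces the optional size limit,
// so both must be percent-encoded when they occur inside the URI itself.
function dmarcUri(uri, maxSize) {
  // A report target must be a URI with a scheme (catches a bare e-mail address).
  if (!/^[a-z][a-z0-9+.-]*:/i.test(uri)) {
    throw new Error("report target has no URI scheme: " + uri);
  }
  // Whitespace or ";" would end the tag and corrupt the rest of the record.
  if (/[\s;]/.test(uri)) {
    throw new Error("whitespace or ';' is not allowed in a report URI: " + uri);
  }
  var encoded = uri.replace(/,/g, "%2C").replace(/!/g, "%21");
  if (maxSize === undefined) {
    return encoded;
  }
  // Size limit per RFC 7489: digits with an optional k/m/g/t unit.
  if (!/^[0-9]+[kmgt]?$/.test(maxSize)) {
    throw new Error("invalid report size limit: " + maxSize);
  }
  return encoded + "!" + maxSize;
}

// Usage inside dnsconfig.js (the query string is a constructed sample):
//   DMARC_BUILDER({
//     policy: "reject",
//     rua: [
//       dmarcUri("mailto:mailauth-reports@example.com", "10m"),
//       dmarcUri("https://dmarc.example.com/submit?tags=a,b"),
//     ],
//   })
```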


Last updated 5 months ago