Score:0

How to Use dig to Find DMARC Records for a Domain?


Given this query:

```
nicholas@mordor:~$ 
nicholas@mordor:~$ dig  TXT  _dmarc.cisco.com

; <<>> DiG 9.16.8-Ubuntu <<>> TXT _dmarc.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3976
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_dmarc.cisco.com.      IN  TXT

;; ANSWER SECTION:
_dmarc.cisco.com.   1238    IN  TXT "v=DMARC1; p=quarantine; pct=0; fo=1; ri=3600; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected];"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Sep 10 19:21:51 PDT 2021
;; MSG SIZE  rcvd: 231

nicholas@mordor:~$ 
nicholas@mordor:~$ uname -a
Linux mordor 5.11.0-34-generic #36-Ubuntu SMP Thu Aug 26 19:22:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nicholas@mordor:~$ 
```

How is it known whether the DMARC record exists or not for Cisco?

Even better, what would be a counter-example where there's not a DMARC record? How would such a query result differ?

If the Answer section lacks such an entry as:

```
;; ANSWER SECTION:
_dmarc.cisco.com.   1238    IN  TXT "v=DMARC1; p=quarantine; pct=0; fo=1; ri=3600; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected];"
```

then there's a missing DMARC record?

The result is easier to see if you use the `+short` option; that just gives the answer, without any of the surrounding guff. If you want *just a little* verbosity, try e.g. `host -t TXT _dmarc.cisco.com`
Score:3

Correct, if the answer section is missing, there is no record on that subdomain/DNS entry you are looking up, e.g. `_dmarc.domain.com`.

If I were to do checks for myself, I would probably just check if the command outputs `v=DMARC1`, like: `dig TXT _dmarc.domain.com | grep v=DMARC1`

However, this does not mean that the DMARC is valid. Dig does not check this in itself, so further processing of the output is required, for example regex, or online tools providing validation services such as mxtoolbox.

Nicholas Saunders:
Would be interested in further details towards understanding what online services are doing these checks and how they're checking. I just use `mxtoolbox` for this magic.
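
One way to do the "further processing" of `dig` output discussed above, as an added example that is not part of the original thread: a POSIX shell filter that reads `dig +short TXT _dmarc.<domain>` output and applies a simplified subset of the RFC 7489 record rules. The function names `txt_join`, `tag` and `dmarc_check` are hypothetical, and the sample record at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `dig +short TXT _dmarc.<domain>`
# output on stdin and classifies it. Simplified subset of RFC 7489 checks.
# Live use: dig +short TXT _dmarc.example.com | dmarc_check

# dig prints a TXT record as one or more quoted chunks: "abc" "def".
# Strip the outer quotes and join the chunks into one string per record.
txt_join() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# tag NAME RECORD: print the value of the first NAME=value tag in RECORD.
tag() {
    printf '%s\n' "$2" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Prints one verdict line; exit status 0 = valid, 1 = no record, 2 = invalid.
dmarc_check() (
    # Only TXT records that *start* with v=DMARC1 count; a wildcard TXT
    # (for example an SPF string) answering for _dmarc is not a DMARC record.
    records=$(txt_join | grep -E '^v=DMARC1[[:space:]]*(;|$)' || true)
    if [ -z "$records" ]; then
        echo "none"; exit 1
    fi
    # More than one DMARC record means receivers apply no DMARC policy.
    if [ "$(printf '%s\n' "$records" | grep -c .)" -gt 1 ]; then
        echo "invalid: multiple DMARC records"; exit 2
    fi
    p=$(tag p "$records")
    case "$p" in
        none|quarantine|reject) ;;
        *) echo "invalid: p=$p"; exit 2 ;;
    esac
    pct=$(tag pct "$records")
    pct=${pct:-100}   # pct defaults to 100 when the tag is absent
    case "$pct" in
        *[!0-9]*) echo "invalid: pct=$pct"; exit 2 ;;
    esac
    if [ "$pct" -gt 100 ]; then
        echo "invalid: pct=$pct"; exit 2
    fi
    echo "valid p=$p pct=$pct"
)

# Constructed sample, split into two chunks the way dig prints long records:
printf '%s\n' '"v=DMARC1; p=rej" "ect; pct=50"' | dmarc_check   # valid p=reject pct=50
```

Unlike a plain `grep v=DMARC1`, this returns `none` for a TXT answer that only mentions the string somewhere in its text, and it flags duplicate records and out-of-range tag values.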