DMARC

This guide only provides a quick, simplified overview of DMARC and a howto for configuring your DNS resource records. To better understand the subject, you should check out the official DMARC website. DNS for Rocket Scientists is also helpful.

Why DMARC

To prevent phishing emails and spam, we use SPF and DKIM. However, sometimes real messages may not authenticate properly, and other times fake messages may get accepted. Senders need some way to get feedback on how many emails are being sent in their name and how many are marked as fake. This helps with troubleshooting, improving delivery rates, and detecting fraud.

Domain-based Message Authentication, Reporting and Conformance (DMARC) provides a way for mail senders and receivers to share this information.

DMARC helps:

* reduce false positives
* report on how much mail has authenticated
* tell the receiver the sender's policy
* reduce phishing

Inside a DMARC record, you tell receiving mail servers:

* whether you are using DKIM, SPF, or both.
* how to handle mail that doesn't validate.
* whether you want feedback reports, and where to send them.

Note that DMARC builds on DKIM and SPF; it does not replace either.

To use DMARC, you add a single TXT record to your DNS zone. The tags that record can contain are described in the next section.

How it works

|| border=1 width=100% class="sortable simpletable"
||# Tag ||# Indicates ||# Example ||# Meaning ||
|| v || DMARC version || v=DMARC1 || First DMARC version; DMARC must be all uppercase; required ||
|| pct || Percent of failing mail the policy is applied to || pct=20 || Apply the policy to 20% of failing mails; increase slowly over time to detect configuration mistakes gradually ||
|| ruf || Reporting URI for forensic reports || ruf=mailto:postmaster@example.com || Report to postmaster@example.com. Warning: make sure the address is inside the current zone or else you need an extra DMARC record ||
|| rua || Reporting URI for aggregate reports || rua=mailto:postmaster@example.com || Report to postmaster@example.com. Warning: make sure the address is inside the current zone or else you need an extra DMARC record ||
|| p || Policy for domain || p= || Required; applies to the domain (and to its subdomains if sp= is not specified) ||
|| || || p=none || No action requested; report only ||
|| || || p=quarantine || If checks fail, treat mail as suspicious ||
|| || || p=reject || If checks fail, reject mail ||
|| sp || Policy for subdomains || sp= || Same as above, but for subdomains only ||
|| adkim || Strictness of DKIM alignment || adkim= || (Optional; default adkim=r) Checks whether the DKIM d= domain matches the From: header domain ||
|| || || adkim=r || Relaxed; d= and From: only need to share the same organizational domain, so subdomains are accepted ||
|| || || adkim=s || Strict; d= must match the From: domain exactly, subdomains are not accepted ||
|| aspf || Strictness of SPF alignment || aspf= || (Optional; default aspf=r) Checks whether the MAIL FROM (SMTP envelope) domain matches the From: header domain ||
|| || || aspf=r || Relaxed; subdomains of the From: domain are accepted ||
|| || || aspf=s || Strict; subdomains of the From: domain are not accepted ||
|| fo || When to send forensic reports || fo= || (Optional; default fo=0) ||
|| || || fo=0 || Send only if all requested checks fail ||
|| || || fo=1 || Send if any requested check fails ||
|| || || fo=d || Send if DKIM fails ||
|| || || fo=s || Send if SPF fails ||
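As an added example (not part of the original page), the following Python function parses a DMARC TXT record into its tags, applies the defaults listed in the table above, and flags the mistakes the table warns about: a missing or lowercase v=DMARC1, a missing p=, an out-of-range pct, and rua/ruf addresses outside the publishing zone. The `zone` argument and the warning texts are assumptions of this example.

```python
from typing import Dict, List, Tuple

POLICIES = {"none", "quarantine", "reject"}
# Defaults from the tag table; sp is handled separately because it inherits p.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0"}


def parse_dmarc(record: str, zone: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a DMARC TXT record into tags and return (tags, warnings).

    `zone` is the domain publishing the record (e.g. example.com); it is used
    to flag rua/ruf destinations that would need an extra record elsewhere.
    """
    tags: Dict[str, str] = {}
    warnings: List[str] = []
    for pair in record.split(";"):
        key, _, value = pair.strip().partition("=")
        if key:  # skip the empty element left by a trailing semicolon
            tags[key.lower()] = value.strip()
    # v=DMARC1 must be the first tag and is case sensitive; p is mandatory.
    if record.strip().split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        warnings.append("record must start with v=DMARC1 (uppercase)")
    if "p" not in tags:
        warnings.append("missing required tag p=")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags.get("p", ""))  # subdomains inherit p unless sp is set
    for tag in ("p", "sp"):
        value = tags.get(tag)
        if value and value not in POLICIES:
            warnings.append(f"{tag}={value} is not none/quarantine/reject")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        warnings.append(f"pct={tags['pct']} must be an integer from 0 to 100")
    # Reports addressed outside the publishing zone need an authorising
    # record on the receiving side (the table's warning for rua/ruf).
    for tag in ("rua", "ruf"):
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not uri.startswith("mailto:"):
                warnings.append(f"{tag} destination {uri} is not a mailto: URI")
                continue
            dest = uri[len("mailto:"):].rsplit("@", 1)[-1].lower()
            if dest != zone.lower() and not dest.endswith("." + zone.lower()):
                warnings.append(f"{tag} sends reports outside {zone} to {dest}")
    return tags, warnings
```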

Example Records

TXT records are used to store DMARC information to avoid having to upgrade DNS software to support special resource record types.

Permit and Report Everything

_dmarc     IN    TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

Between the two quotation marks "", we put our DMARC information, which is made up of key=value pairs separated by semicolons ;.

|| border=1 width=100% class="sortable simpletable"
||# Pair ||# Meaning ||
|| v=DMARC1 || First DMARC version ||
|| p=none || No action requested ||
|| pct=0 || Apply the policy to 0% of mails ||
|| fo=1 || Report all errors from DKIM and SPF ||
|| rua=mailto:postmaster@example.com || Send aggregate reports to postmaster@example.com ||
|| ruf=mailto:postmaster@example.com || Send forensic reports to postmaster@example.com ||

This record will provide you with reports for both DKIM and SPF, but will not enforce any filtering whatsoever. This makes this entry very useful for testing whether a new mail server is configured properly. However, this loose configuration may allow more spammers to spoof your domain, because bad email is not rejected.

Reject and Quarantine All Failed Mail

_dmarc     IN    TXT "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

|| border=1 width=100% class="sortable simpletable"
||# Pair ||# Meaning ||
|| v=DMARC1 || First DMARC version ||
|| p=reject || Reject failed mail from example.com ||
|| sp=quarantine || Quarantine failed mail from subdomains of example.com (*.example.com) ||
|| pct=100 || Apply the policy to 100% of failing mails ||
|| fo=1 || Report all errors from DKIM and SPF ||
|| rua=mailto:postmaster@example.com || Send aggregate reports to postmaster@example.com ||
|| ruf=mailto:postmaster@example.com || Send forensic reports to postmaster@example.com ||

This rejects all mail from example.com, and quarantines all mail from its subdomains, that fails the DMARC check (neither DKIM nor SPF passes with alignment), which is what happens whenever they are not perfectly configured. This is very good at stopping spam and phishing pretending to come from your domain.

Warning: you may lose a lot of real mail if there is a misconfiguration. It may also cause issues when mail is forwarded by mailing lists, which often break SPF and sometimes DKIM.
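To show how the alignment modes (adkim/aspf), the p/sp split and pct from the tag table combine on a real message, here is an added Python example that is not from the original page: it evaluates a message's DMARC result the way a receiver does and returns the resulting disposition. The `Message` fields, the `sample` parameter standing in for the receiver's random draw against pct, and the two-label organizational-domain shortcut are assumptions of this example; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(name: str) -> str:
    """Organizational domain, simplified here to the last two labels
    (assumption: real receivers consult the Public Suffix List instead)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """adkim/aspf alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str       # domain of the From: header (RFC5322.From)
    dkim_pass: bool        # a DKIM signature verified
    dkim_d: str            # d= of that signature
    spf_pass: bool         # SPF result for the envelope sender
    mail_from_domain: str  # SMTP MAIL FROM domain


def dmarc_passes(msg: Message, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes when at least one mechanism passes AND aligns with From:."""
    dkim_ok = msg.dkim_pass and aligned(msg.from_domain, msg.dkim_d, adkim)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.mail_from_domain, aspf)
    return dkim_ok or spf_ok


def disposition(msg: Message, policy_domain: str, p: str, sp: Optional[str] = None,
                pct: int = 100, adkim: str = "r", aspf: str = "r",
                sample: int = 100) -> str:
    """Return pass/none/quarantine/reject. `sample` (1..100) stands in for the
    receiver's random draw against pct; a failing message outside the sampled
    share gets the next milder action (reject -> quarantine, quarantine -> none)."""
    if dmarc_passes(msg, adkim, aspf):
        return "pass"
    is_subdomain = msg.from_domain.lower() != policy_domain.lower()
    action = (sp or p) if is_subdomain else p  # sp only applies to subdomains
    if sample > pct:
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return action
```

With the p=reject;sp=quarantine record above, a mailing-list forward that breaks SPF still passes as long as the list leaves the aligned DKIM signature intact; once the list rewrites the body or subject and the signature no longer verifies, the same message is rejected.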