DMARC
Recommended Reading
This guide only provides a quick, simplified overview of DMARC and a how-to for
configuring your DNS resource records. To better understand the subject, you
should check out the official DMARC website.
also helpful.
Why DMARC
To prevent phishing emails and spam, we use SPF and DKIM. However, sometimes real
messages may not authenticate properly, and other times fake messages may get
accepted. Senders need some way to get feedback on how many emails are being
sent and marked as fake. This helps with troubleshooting, improving delivery
rates, and detecting fraud.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
gives mail senders and receivers a way to share this information.
DMARC helps:
reduce false positives
report on how much mail has authenticated
tell the receiver the sender's policy
reduce phishing
Inside a DMARC record, you tell the receiving mail server:
if you are using DKIM, SPF, or both.
how to handle mail that doesn't validate.
if you want a feedback report, and how to report.
Note that DMARC uses DKIM and SPF; it does not replace either.
How it works
To use DMARC, you just add a TXT record to your DNS zone. The tags it can carry are:
|| border=1 width=100% class="sortable simpletable"
||# Tag ||# Indicates ||# Example ||# Meaning ||
|| v || DMARC version || v=DMARC1 || First DMARC version; DMARC1 must be all uppercase; required ||
|| pct || Percent of mail to filter || pct=20 || Filter 20% of mail; increase slowly over time so that configuration mistakes show up gradually ||
|| ruf || Reporting URI for forensic reports || ruf=mailto:postmaster@example.com || Report to postmaster@example.com[[<<]]Warning: make sure the address is inside the current zone, or else you need an extra DMARC record ||
|| rua || Reporting URI for aggregate reports || rua=mailto:postmaster@example.com || Report to postmaster@example.com[[<<]]Warning: make sure the address is inside the current zone, or else you need an extra DMARC record ||
|| p || Policy for domain || p= || Required; one of the values below ||
|| || || p=none || No advice given ||
|| || || p=quarantine || If checks fail, mail is suspicious ||
|| || || p=reject || If checks fail, reject mail ||
|| sp || Policy for subdomains || sp= || Takes the same values as p (none, quarantine, reject) ||
|| adkim || Strictness of DKIM alignment || adkim= || One of the values below ||
|| || || adkim=r || Relaxed; subdomains of d=name are accepted ||
|| || || adkim=s || Strict; subdomains of d=name not accepted ||
|| aspf || Strictness of SPF alignment with the From header || aspf= || One of the values below ||
|| || || aspf=r || Relaxed; subdomains of the checked domain are accepted ||
|| || || aspf=s || Strict; subdomains of the checked domain not accepted ||
|| fo || When to report || fo= || One of the values below ||
|| || || fo=0 || Send only if all requested checks fail ||
|| || || fo=1 || Send if any requested check fails ||
|| || || fo=d || Send if DKIM fails ||
|| || || fo=s || Send if SPF fails ||
Example Records
TXT records are used to store DMARC information to avoid having to upgrade DNS
software to support special resource record types.
Permit and Report Everything
_dmarc IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
Between the two quotation marks "", we put our DMARC information, which is made up
of key=value pairs separated by semicolons (;).
|| border=1 width=100% class="sortable simpletable"
||# Pair ||# Meaning ||
|| v=DMARC1 || First DMARC version ||
|| p=none || No advice is given ||
|| pct=0 || Filter 0% of mail ||
|| fo=1 || Report all errors from DKIM and SPF ||
|| rua=mailto:postmaster@example.com || Send aggregate reports to postmaster@example.com ||
|| ruf=mailto:postmaster@example.com || Send forensic reports to postmaster@example.com ||
This record will provide you with reports for both DKIM and SPF, but will not
enforce any filtering whatsoever. That makes this entry very useful for testing
whether a new mail server is configured properly. However, this loose configuration
may allow spammers to spoof your domain, because bad email is not rejected.
Reject and Quarantine All Failed Mail
_dmarc IN TXT "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
|| border=1 width=100% class="sortable simpletable"
||# Pair ||# Meaning ||
|| v=DMARC1 || First DMARC version ||
|| p=reject || Reject failed mail from example.com ||
|| sp=quarantine || Quarantine failed mail from subdomains of example.com ||
|| pct=100 || Filter 100% of mail ||
|| fo=1 || Report all errors from DKIM and SPF ||
|| rua=mailto:postmaster@example.com || Send aggregate reports to postmaster@example.com ||
|| ruf=mailto:postmaster@example.com || Send forensic reports to postmaster@example.com ||
This rejects and quarantines all mail where DKIM and SPF are not perfectly configured.
It is very good at stopping spam and phishing that pretends to come from your domain.
Warning: you may lose a lot of real mail if there is a misconfiguration, and it may
cause issues when mail is forwarded by mailing lists.
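The tag rules from the table under "How it works" and the two example records above, worked through as a small Python checker. This is an added example, not code from this guide: it parses a record, validates the tags the table lists, and shows how adkim/aspf alignment and the p, sp and pct tags decide what a receiver does with a message. The organizational-domain shortcut, the function names and the sample domains are this example's own assumptions.

```python
from typing import Dict, Optional
# Constructed inputs for this added example; the two records mirror the ones shown in this guide.
MONITOR = "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
ENFORCE = "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a _dmarc TXT value into tag=value pairs, rejecting the mistakes the tag table warns about."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0] != "v=DMARC1":       # version tag must be first and exactly DMARC1 (uppercase)
        raise ValueError("record must start with v=DMARC1")
    tags: Dict[str, str] = {}
    for pair in pairs:
        key, sep, value = (s.strip() for s in pair.partition("="))
        if not sep or not key or not value:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[key] = value
    if tags.get("p") not in POLICIES or tags.get("sp", "none") not in POLICIES:
        raise ValueError("p= is required; p= and sp= must be none, quarantine or reject")
    pct = tags.get("pct", "100")                   # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    if tags.get("adkim", "r") not in ("r", "s") or tags.get("aspf", "r") not in ("r", "s"):
        raise ValueError("adkim= and aspf= must be r (relaxed) or s (strict)")
    return tags

def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels (real receivers use the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Relaxed (r) accepts any subdomain of the same organizational domain; strict (s) needs an exact match."""
    if auth_domain is None:                        # that mechanism produced no pass
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(tags: Dict[str, str], record_domain: str, from_domain: str, dkim_domain: Optional[str] = None,
                spf_domain: Optional[str] = None, sampled: bool = True) -> str:
    """Receiver outcome: 'pass' if DKIM or SPF passed and aligns with From; else p (record's own domain) or sp (subdomain).
    dkim_domain = d= of a passing signature, spf_domain = SPF-authenticated domain; sampled=False models mail pct= left out."""
    if aligned(from_domain, dkim_domain, tags.get("adkim", "r")) or \
            aligned(from_domain, spf_domain, tags.get("aspf", "r")):
        return "pass"
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags.get("sp", tags["p"])
    if not sampled:                                # unsampled mail gets the next weaker policy
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy
```

With the "Reject and Quarantine" record, a message from mail.example.com that fails both checks is quarantined (sp), while one from example.com is rejected (p); with the "Permit and Report" record every failure still ends as none.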