Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that uses SPF and DKIM to determine the authenticity of an email message. DMARC makes it easier for Internet Service Providers (ISPs) to prevent spoofed emails from arriving in user inboxes. The goal of this article is to explain DMARC and to provide guidance on the syntax of a DMARC record.

Prerequisite articles

SPF Explained

DKIM Explained

How DMARC Works

DMARC works by adding policies to your domain’s DNS records. These policies specify how mail servers should handle messages from your domain that fail SPF or DKIM checks.

When a receiving server gets an email, it first checks the SPF record to see whether the sending IP is authorized. Next, it verifies the DKIM signature. For each check that passed, the server then compares the domain that check authenticated with the domain in the From: header (identifier alignment). The DMARC check passes if at least one of SPF or DKIM passed and that same check's domain is aligned with the From: domain; a check that passed for an unrelated domain does not count.
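The evaluation described above, as an added example written for this article (not a mail server's code): it combines the SPF and DKIM results with identifier alignment and returns the DMARC verdict. The function names, the scenarios and the simplified organizational-domain rule (last two labels; real verifiers consult the Public Suffix List) are assumptions of this example.

```python
# Added illustrative example: minimal DMARC pass/fail evaluation from SPF and
# DKIM results plus identifier alignment. Not a production implementation.

def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain by keeping the last two labels.
    Simplification: a real verifier uses the Public Suffix List so that
    multi-label suffixes such as co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain, mode: str = "r") -> bool:
    """Identifier alignment: 's' (strict) requires an exact domain match,
    'r' (relaxed) requires only the same organizational domain.
    auth_domain may be None when no valid signature / SPF domain exists."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """Return 'pass' if at least one of SPF or DKIM passed AND the domain that
    check authenticated is aligned with the From: header domain, else 'fail'.
    spf_domain is the domain SPF checked (MAIL FROM); dkim_domain is the d=
    tag of the verified signature (None if there was no valid signature).
    aspf / adkim are the alignment modes from the DMARC record."""
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    # Constructed scenarios for illustration; no real mail involved.
    cases = [
        # bulk sender: SPF passes on a subdomain, relaxed alignment -> pass
        ("example.com", "pass", "mail.example.com", "fail", None, "r", "r"),
        # same message under aspf=s: the subdomain no longer aligns -> fail
        ("example.com", "pass", "mail.example.com", "fail", None, "s", "r"),
        # SPF passes for an unrelated domain, aligned DKIM signature -> pass
        ("example.com", "pass", "bulk-sender.example", "pass", "example.com", "r", "r"),
        # spoofed From: SPF passes only for the unrelated domain, no DKIM -> fail
        ("example.com", "pass", "bulk-sender.example", "fail", None, "r", "r"),
    ]
    for c in cases:
        print(c[:5], "->", dmarc_result(*c))
```

The last two scenarios are the point of DMARC: a message can carry a perfectly valid SPF pass for some other domain and still fail, because the passing identifier is not the one in the From: header the user sees.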

DMARC Record

A DMARC record is a TXT record in DNS that might look like this:

Name: _dmarc.yourdomain.com
Type: TXT
TTL: 3600
Value: v=DMARC1; p=reject; rua=mailto:[email protected]

DMARC Syntax guide

REQUIRED TAGS

  1. Version (v): This tag is required and indicates the version of DMARC. The current and only version at this time is “DMARC1”. Example: v=DMARC1
  2. Policy (p): This tag is also required and indicates the policy to apply to emails that fail the DMARC check. The options are none, quarantine, or reject. none means no specific action is to be taken regarding delivery of messages. quarantine means treat the mail as suspicious (e.g., it could be put into the spam folder). reject means the email should be rejected outright. Example: p=reject
  3. Report URI Aggregate (rua): This tag is optional and provides an email address to which aggregate reports of DMARC failures should be sent. These reports provide an overview of the authentication status of all messages claiming to be from the sender’s domain. They are useful for understanding trends and attempting to identify possible issues. Example: rua=mailto:[email protected]

OPTIONAL TAGS

  1. Report URI Forensic (ruf): This is where detailed forensic reports should be sent. These reports are generated when individual messages fail DMARC.
  2. Percentage (pct): This tag tells receivers what percentage of messages that fail the DMARC check should have the DMARC policy applied. For example, pct=20 means apply the DMARC policy to only 20% of the email that fails the DMARC check.
  3. Subdomain Policy (sp): This tag allows you to specify a different policy for subdomains. For example, you could have a p=reject policy for your main domain but sp=none for your subdomains.
  4. Identifier Alignment (adkim, aspf): These tags set strict (s) or relaxed (r) identifier alignment, which determines how closely the domains in the DKIM and SPF results must match the domain in the From: header.
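To turn the syntax guide above into a check you can run before publishing a record, here is an added example written for this article (not a library's or the mail provider's code) that parses a DMARC TXT value into its tags and reports violations of the rules listed: v first and equal to DMARC1, p required and one of the three policies, sp using the same vocabulary, pct an integer from 0 to 100, adkim/aspf either r or s, and rua/ruf made of mailto: URIs. The sample records and the report mailbox address are constructed placeholders.

```python
# Added illustrative example: parse and validate a DMARC TXT record value.
# Not a production library; written for this article.

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc_record(value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. Whitespace around tags and
    values is ignored and a trailing ';' is allowed. Raises ValueError on a
    part without '='."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        tag, val = part.split("=", 1)
        tags[tag.strip()] = val.strip()
    return tags


def validate_dmarc_record(value: str) -> list:
    """Return a list of problems; an empty list means the syntax looks valid."""
    problems = []
    try:
        tags = parse_dmarc_record(value)
    except ValueError as e:
        return [str(e)]

    # v must be present, first, and exactly DMARC1
    first_tag = value.strip().split(";", 1)[0].strip()
    if not first_tag.startswith("v="):
        problems.append("record must start with v=DMARC1")
    if tags.get("v") != "DMARC1":
        problems.append("v tag must be DMARC1")

    # p is required and must be one of the three policies
    if "p" not in tags:
        problems.append("missing required p tag")
    elif tags["p"] not in VALID_POLICIES:
        problems.append(f"invalid p value: {tags['p']!r}")

    # sp, if present, uses the same vocabulary as p
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"invalid sp value: {tags['sp']!r}")

    # pct must be an integer in 0..100
    if "pct" in tags:
        pct = tags["pct"]
        if not pct.isdigit() or not 0 <= int(pct) <= 100:
            problems.append(f"pct must be an integer 0-100, got {pct!r}")

    # adkim / aspf are r (relaxed) or s (strict)
    for t in ("adkim", "aspf"):
        if t in tags and tags[t] not in VALID_ALIGNMENT:
            problems.append(f"{t} must be 'r' or 's', got {tags[t]!r}")

    # rua / ruf are comma-separated lists of mailto: URIs
    for t in ("rua", "ruf"):
        if t in tags:
            for uri in tags[t].split(","):
                if not uri.strip().startswith("mailto:"):
                    problems.append(f"{t} entry is not a mailto: URI: {uri.strip()!r}")

    return problems


if __name__ == "__main__":
    # Constructed records; the mailbox is a placeholder, not a real address.
    samples = [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=quarantine; pct=20; sp=none; adkim=s; aspf=r",
        "p=reject; v=DMARC1",                       # v not first
        "v=DMARC1; p=block; pct=150; adkim=x",      # three bad values
        "v=DMARC1",                                 # p missing
    ]
    for s in samples:
        print(s, "->", validate_dmarc_record(s) or "OK")
```

A record that passes this check is syntactically publishable; it says nothing about whether your legitimate mail streams will pass, which is what the rua aggregate reports are for once the record is live.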

If you have any questions or encounter issues, please don’t hesitate to reach out to [email protected].