Knowing DMARC Records and Setting Them Up Correctly

0
57

What is DMARC?

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

Knowing SPF Records and Setting Them Up Correctly

Before you start

Before you set up DMARC, we recommend you set up Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). DMARC uses SPF and DKIM to verify that messages are authentic. Messages that do not pass SPF or DKIM trigger your DMARC policy.

DMARC with third-party email providers

For DMARC to effectively manage suspicious messages, messages should be sent from your own domain. Messages sent from third-party email providers for your organization can appear invalid and be rejected, depending on the DMARC policy.

To prevent messages from third-party email providers from being marked invalid:

  • Share your DKIM key with the mail provider so they can add the key to outgoing messages.
  • Ask the mail provider to send messages through your network.

Setup a DMARC Record in DNS

For this i assume you already have SPF and DKIM Records. You can add DMARC Record and setup it in 3 ways.

  • Replace the example domain in these steps with your domain.
  • Replace the example values with values for your own DMARC policy.

Add a DNS record at _dmarc

TXT record name: In the first field, under DNS Host name, enter:

_dmarc.example.com

TXT record value: In the second field, enter the values that define your DMARC policy, for example:

v=DMARC1; rua=mailto:dmarc-reports@example.com; p=quarantine; pct=90; sp=none

Here, v is for DMARC Protocol and is required, rua is to send DMARC Reports to your email address and is optional, p is how messages are handled and is required, pct is what Sets the percent of suspicious messages that the DMARC policy applies to, Suspicious messages are messages that fail the DMARC check and this is optional, sp is to set policy for sub domains if there is no different settings for them and its values can be same as values of p.

DMARC TXT record values (Source: Google)

Note: Gmail does not support the DMARC ruf tag, used to send failure (forensic) reports.

Tag Name Required Description and values

v

Required Protocol version. Must be DMARC1.

p

Required Defines how your domain handles suspicious messages:

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and move to recipient’s Gmail spam folder. Recipients can use Gmail to review their spam messages.
  • reject: Tell receiving servers to reject the message. Whent his happens, the receiving server should send a bounce to the sending server.

pct

Optional Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check.

Must be a whole number between 1 and 100. The default is 100.

rua

Optional Email address to receive reports about DMARC activity for your domain. Use your own email address or create a new email address to receive reports. To send the report to more than one email address, separate emails with a comma.

sp

Optional Sets the policy for messages from subdomains of your main domain. Use this option if you want to use a different DMARC policy for your subdomains.

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and hold it for more processing.
  • reject: Instruct receiving servers to reject the message.
adkim Optional Sets the Alignment mode for DKIM, which defines how exactly message information must match DKIM signatures.

  • r: (Default) Relaxed. Allow partial matches, for example subdomains within a domain.
  • s: Strict. Require an exact match.

aspf

Optional Sets the Alignment mode for SPF (ASPF), which defines how exactly message information must match SPF signatures.

  • r: (Default) Relaxed. Allow partial matches, for example subdomains within a domain.
  • s: Strict. Require an exact match.

 

Godaddy Shared Hosting doesn’t supports DKIM Signing from Customer Domains as they disabled this is cPanel. Google Suite has its own method to setup DKIM Signing while SendGrid, Amazon SES and othersprovides these in their console.

Check for errors using MXChecker from Google

Recommended Free Service to Setup DMARC Record is https://dmarc.postmarkapp.com