
DMARC

What is a DMARC Record?

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is not a product: it is a freely available technical specification (RFC 7489) that is widely supported across the Internet. Anyone who owns a domain name can take advantage of it.

A DMARC policy lets a domain owner state that email from their domain is protected by SPF and DKIM, tell receiving mail servers what to do with messages that fail those checks, and ask for reports about who is sending mail with the domain in the From: header. Those reports are how you discover all the legitimate (and illegitimate) sources of email for your domain. DMARC builds on two existing technologies: SPF and DKIM.

Before creating a DMARC record, make sure you have already set up SPF and DKIM records for the domain.

Creating a DMARC Record

Send a test email from your domain, then look at the raw message. DMARC compares the domain in the From: header with two other identifiers: the domain in the Return-Path (the envelope sender that SPF checks) and the d= domain in the DKIM signature. If the Return-Path or the DKIM d= domain matches the From: domain, that identifier is aligned. A message passes DMARC when at least one of SPF or DKIM passes and its identifier is aligned with the From: domain; it does not need both.

Alignment comes in two modes. Relaxed alignment (the default) accepts a subdomain: a Return-Path of bounce.example.com or a DKIM d=mail.example.com aligns with a From: of example.com because they share the same organizational domain. Strict alignment requires the domain names to match exactly. The mode is chosen per mechanism with the aspf and adkim tags of the DMARC record (r for relaxed, s for strict).
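The alignment check described above, written out as an added example (this is not code from the original page). It parses a constructed test message with the standard library, extracts the From:, Return-Path and DKIM d= domains and reports which identifiers align in relaxed and in strict mode. It only checks identifier alignment; it assumes SPF and DKIM themselves have already been verified, and it approximates the organizational domain as the last two labels instead of consulting the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not taken from the page). The Return-Path uses a
# subdomain, so SPF aligns only in relaxed mode; DKIM d= matches exactly, so it
# aligns in both modes. The signature values are placeholders, not real ones.
RAW_MESSAGE = b"""Return-Path: <bounce@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=MEUCIQ==
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: DMARC alignment test

hello
"""


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    A real implementation consults the Public Suffix List so that
    names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, other_domain, mode):
    """Identifier alignment as DMARC defines it: strict needs an exact
    match, relaxed needs the same organizational domain."""
    if mode == "strict":
        return from_domain.lower() == other_domain.lower()
    return org_domain(from_domain) == org_domain(other_domain)


def dkim_signing_domain(sig):
    """Pull the d= tag out of a DKIM-Signature header value."""
    for tag in sig.replace("\r", "").replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip()
    return None


def check_alignment(raw, mode="relaxed"):
    """Report which identifiers align with the From: domain. This checks
    alignment only; SPF and DKIM must also actually pass for DMARC to pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[1]
    return_path = parseaddr(str(msg["Return-Path"]))[1].rsplit("@", 1)[1]
    d = dkim_signing_domain(str(msg["DKIM-Signature"]))
    return {
        "from": from_domain,
        "return_path": return_path,
        "dkim_d": d,
        "spf_aligned": aligned(from_domain, return_path, mode),
        "dkim_aligned": d is not None and aligned(from_domain, d, mode),
    }


if __name__ == "__main__":
    for mode in ("relaxed", "strict"):
        print(mode, check_alignment(RAW_MESSAGE, mode))
```

Run it and you will see that the sample passes alignment for both identifiers in relaxed mode, but in strict mode only DKIM aligns, because the Return-Path lives on a subdomain. That is exactly the situation to look for in your own test message before you tighten aspf or adkim to s.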

Go to your DNS manager and add a TXT record. In the name field, enter _dmarc (so the full name becomes _dmarc.example.com). In the value field, enter the following:

v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc-reports@example.com

making sure the email address actually exists (create an alias if needed).

Explanation:

  • v=DMARC1: The protocol version is DMARC1. This must be the first tag in the record.
  • p=none: We choose none as the policy for our domain.
  • pct=100: The percentage of messages from your domain that the policy applies to (100 means all of them).
  • fo=1: Controls when failure reports are generated; the values are explained below.
  • rua stands for reporting URI for aggregate reports. The email address tells receiving mail servers where to send the reports.

There are 3 policies you can choose from:

  • none: tells receiving mail servers to take no special action if the DMARC check fails (monitoring only).
  • quarantine: tells receiving mail servers to treat the message as suspicious if the DMARC check fails, typically by putting it in the spam folder.
  • reject: tells receiving mail servers to reject the message if the DMARC check fails.

p=none is a good start. Analyze the report data for some time. Once you are confident that every legitimate source is authenticating and aligning, change the policy from none to quarantine and later to reject; pct can be lowered to apply the stricter policy to only a fraction of messages while you ramp up.

There’s another tag that you can add to the DMARC record: fo. It controls when failure (forensic) reports are generated, so it only has an effect if you also publish a ruf address. It has four possible values, which can be combined with colons (for example fo=1:d:s):

  • 0 (default): generate a report only if all underlying authentication mechanisms fail to produce an aligned DMARC pass result.
  • 1: generate a report if any mechanism fails, even if another one passes.
  • d: generate a report if the DKIM signature fails to verify, regardless of alignment.
  • s: generate a report if SPF fails, regardless of alignment.
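A small linter for the record syntax explained above, as an added example (not code from the page or from any DMARC tool). It splits the TXT value into tags and checks the things that most often go wrong by hand: v=DMARC1 first, a valid p=, pct in range, valid fo options, r/s for aspf and adkim, and mailto: URIs in rua/ruf. It also points out when fo is set without ruf, since fo only affects failure reports. The rules are taken from RFC 7489; the function and message texts are this example's own.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict.
    Tag names are case-insensitive; values are kept as written."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:            # tolerate a trailing semicolon
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without a value: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of findings for a DMARC record (empty list = looks good)."""
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]

    # v=DMARC1 must be the first tag and the value must match exactly
    name, _, value = record.split(";", 1)[0].strip().partition("=")
    if name.strip().lower() != "v" or value.strip() != "DMARC1":
        findings.append("record must start with v=DMARC1")

    policies = ("none", "quarantine", "reject")
    if "p" not in tags:
        findings.append("missing required p= tag")
    elif tags["p"] not in policies:
        findings.append(f"invalid p= value {tags['p']!r}")
    if "sp" in tags and tags["sp"] not in policies:
        findings.append(f"invalid sp= value {tags['sp']!r}")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct= must be an integer from 0 to 100, got {pct!r}")

    for mode_tag in ("adkim", "aspf"):
        if mode_tag in tags and tags[mode_tag] not in ("r", "s"):
            findings.append(f"{mode_tag}= must be r or s, got {tags[mode_tag]!r}")

    # fo is a colon-separated list of 0, 1, d, s and only matters with ruf
    for opt in tags.get("fo", "0").split(":"):
        if opt not in ("0", "1", "d", "s"):
            findings.append(f"invalid fo= option {opt!r}")
    if "fo" in tags and "ruf" not in tags:
        findings.append("fo= only affects failure reports, which need a ruf= address")

    for uri_tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(uri_tag, "").split(",")):
            if uri and not (uri.lower().startswith("mailto:") and "@" in uri):
                findings.append(f"{uri_tag}= entry is not a mailto: URI: {uri!r}")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; pct=100; fo=1; rua=mailto:dmarc-reports@example.com",
                "v=MARC1; p=bogus; pct=150; fo=x; rua=dmarc-reports@example.com"):
        print(rec, "->", lint_dmarc(rec) or "OK")
```

Running it against the record published earlier on this page yields a single finding, the fo-without-ruf note, which is harmless but worth knowing: that fo=1 does nothing until a ruf address is added. Note that the linter checks syntax only; it does not tell you whether the mailbox exists or whether an external report destination has authorized you (see the reports section).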

Testing the DMARC Record

Test using dig:

dig txt +short _dmarc.example.com

And with the opendmarc-check command from the OpenDMARC package, which fetches and parses the record:

apt install opendmarc
opendmarc-check example.com

You can also test by sending a message to the online service at https://www.mail-tester.com, which reports the SPF, DKIM and DMARC results for that message.

DMARC Reports

Normally you only want to receive the aggregate report. The data that DMARC produces is invaluable for understanding what is going on for any given email domain. However, raw DMARC report data (XML, delivered as compressed attachments) is hard to read and understand. Luckily, Postmark (http://dmarc.postmarkapp.com/) offers a free service that processes these reports and presents you with a much more readable summary. The nice part about Postmark is that you can tell receiving mail servers to send the XML reports directly to Postmark for processing. So instead of entering your own email address in the DMARC record, you enter an address at postmarkapp.com that is unique to you. One caveat applies to any rua address outside your own domain: RFC 7489 requires the receiving domain to authorize it by publishing a TXT record named example.com._report._dmarc.<report domain> with the value v=DMARC1, otherwise reporters will silently refuse to send reports there. You can confirm that record exists with dig before relying on an external destination.

v=DMARC1; p=none; pct=100; fo=1; rua=mailto:unique-to-you@dmarc.postmarkapp.com,mailto:dmarc-report@example.com;

To better understand unknown sources in the report and how your domain is being used, you can also request failure (forensic) reports by adding the ruf tag to the DMARC record, like below.

v=DMARC1; p=none; pct=100; fo=1; rua=mailto:unique-to-you@dmarc.postmarkapp.com; ruf=mailto:forensic-report@example.com;

A failure report contains a copy of an individual message (or at least its headers) that failed the DMARC check, so you can examine the header and body to determine the nature of the failure. Note that many receivers, including most large providers, generate aggregate reports but not failure reports because of privacy concerns, so do not count on receiving them.

Further Reading: https://dmarc.org/wiki/FAQ

ADSP (Optional)

As a final item, you can add an ADSP policy to your domain stating that all email from your domain is DKIM-signed. As usual, it’s done with a TXT record for the host _adsp._domainkey in your domain with a value of dkim=all. Be aware that ADSP (RFC 5617) was reclassified as Historic in 2013 and is ignored by most receivers; DMARC supersedes it.

You don’t need to set this up. Where a receiver still honors it, it makes forging email from your domain a little harder, because an unsigned message contradicts your published practice. Note that dkim=all only asserts that all mail is signed; it is the stronger value dkim=discardable that asks receivers to discard unsigned messages. In practice, a DMARC policy of p=reject is what achieves this today.

Further Reading: https://en.wikipedia.org/wiki/Author_Domain_Signing_Practices