DMARC
Recommended Reading
This guide only provides a quick simplified overview of DMARC and a howto for configuring your DNS resource records. To better understand the subject, you should check out the official DMARC website. DNS for Rocket Scientists is also helpful.
Why DMARC
To prevent phishing emails and spam, we use SPF and DKIM. However, sometimes real messages may not authenticate properly, and other times fake messages may get accepted. Senders need some way to get feedback on how many emails are being sent and marked as fake. This helps with troubleshooting, improving delivery rates, and detecting fraud.
Domain-based Message Authentication, Reporting and Conformance (DMARC) gives mail senders and receivers a standard way to share this information.
DMARC helps:
- reduce false positives
- report on how much mail has authenticated
- tell the receiver the sender's policy
- reduce phishing
Inside a DMARC record, you tell the mail server:
- if you are using DKIM, SPF, or both.
- how to handle mail that doesn't validate.
- if you want a feedback report, and how to report.
Note that DMARC uses DKIM and SPF; it does not replace either.
To use DMARC, you add a single TXT record to your DNS zone. The tags that record can carry are listed in the next section.
How it works
Tag | Indicates | Example | Meaning
---|---|---|---
v | DMARC version | v=DMARC1 | First DMARC version; DMARC must be all uppercase; required
pct | Percent of mail to filter | pct=20 | Filter 20% of failing mail; increase slowly over time to catch configuration mistakes gradually
ruf | Reporting URI for forensic reports | ruf=mailto:postmaster@example.com | Send forensic reports to postmaster@example.com. Warning: make sure the address is inside the current zone, or else you need an extra DMARC record
rua | Reporting URI for aggregate reports | rua=mailto:postmaster@example.com | Send aggregate reports to postmaster@example.com. Warning: make sure the address is inside the current zone, or else you need an extra DMARC record
p | Policy for domain | p=<value> | Required; applies to the domain (and to subdomains if sp= is not specified)
p=none | No advice given | |
p=quarantine | If checks fail, mail is suspicious | |
p=reject | If checks fail, reject mail | |
sp | Policy for subdomains | sp=<value> | Same as above, but for subdomains only
adkim | Strictness of DKIM alignment | adkim=<value> | (Optional; default adkim=r) Checks whether the DKIM d= domain matches the From: header domain
adkim=r | Relaxed; subdomains of d=name are accepted | |
adkim=s | Strict; subdomains of d=name are not accepted | |
aspf | Strictness of SPF alignment | aspf=<value> | (Optional; default aspf=r) Checks whether the MAIL FROM (SMTP) domain matches the From: header domain
aspf=r | Relaxed; subdomains of the MAIL FROM domain are accepted | |
aspf=s | Strict; subdomains of the MAIL FROM domain are not accepted | |
fo | When to report | fo=<value> | (Optional; default fo=0)
fo=0 | Send only if all requested checks fail | |
fo=1 | Send if any requested check fails | |
fo=d | Send if DKIM fails | |
fo=s | Send if SPF fails | |
Example Records
TXT records are used to store DMARC information to avoid having to upgrade DNS software to support special resource record types.
Permit and Report Everything
_dmarc IN TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
Between the two quotation marks "" we put the DMARC information, a list of key=value pairs separated by semicolons (;).
Pair | Meaning
---|---
v=DMARC1 | First DMARC version
p=none | No advice is given
pct=0 | Filter 0% of mails
fo=1 | Report every failure of DKIM or SPF
rua=mailto:postmaster@example.com | Send aggregate reports to postmaster@example.com
ruf=mailto:postmaster@example.com | Send forensic reports to postmaster@example.com
This record provides you with reports for both DKIM and SPF, but does not enforce any filtering whatsoever. That makes it very useful for checking whether a new mail server is configured properly. However, this loose configuration may let more spammers spoof your domain, because mail that fails the checks is not rejected.
Reject and Quarantine All Failed Mail
_dmarc IN TXT "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
Pair | Meaning
---|---
v=DMARC1 | First DMARC version
p=reject | Reject failed mail from example.com
sp=quarantine | Quarantine failed mail from <subdomain>.example.com
pct=100 | Filter 100% of mails
fo=1 | Report every failure of DKIM or SPF
rua=mailto:postmaster@example.com | Send aggregate reports to postmaster@example.com
ruf=mailto:postmaster@example.com | Send forensic reports to postmaster@example.com
This rejects all mail from example.com, and quarantines all mail from its subdomains, whenever the DKIM and SPF checks both fail. It is very good at stopping spam and phishing that pretends to come from your domain.
Warning: you may lose a lot of real mail if there is a misconfiguration. It may also cause problems when mail is forwarded by mailing lists.
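As an added worked example (not part of the original page), the following Python code parses a DMARC record like the two above into its tags, applies the defaults from the tag table, rejects report URIs without mailto:, and works out the disposition a receiver would apply given the DKIM/SPF results. The record strings are constructed copies of the examples; relaxed alignment is approximated by a subdomain test rather than a public-suffix lookup, which is an assumption of this example.

```python
import random

# Constructed copies of the two example records above (not queried from any real zone).
PERMISSIVE = "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"
STRICT = "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs, check required tags, apply defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":           # version tag is mandatory and case-sensitive
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required: none, quarantine or reject")
    tags.setdefault("sp", tags["p"])        # subdomains inherit p= unless sp= is given
    for key, default in (("pct", "100"), ("adkim", "r"), ("aspf", "r"), ("fo", "0")):
        tags.setdefault(key, default)
    for uri_tag in ("rua", "ruf"):          # report targets must be URIs, not bare addresses
        if uri_tag in tags and not all(u.strip().startswith("mailto:") for u in tags[uri_tag].split(",")):
            raise ValueError(f"{uri_tag}= must contain mailto: URIs")
    return tags

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment. Strict: exact match. Relaxed: approximated here (assumption)
    by accepting either domain as a subdomain of the other instead of a public-suffix lookup."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return f == a or f.endswith("." + a) or a.endswith("." + f)

def disposition(record, policy_domain, from_domain, dkim_domain=None, spf_domain=None, sample=None):
    """Action a receiver takes: 'pass', 'none', 'quarantine' or 'reject'.
    policy_domain is where the _dmarc record was found; dkim_domain / spf_domain are the
    domains that passed DKIM (d=) and SPF (MAIL FROM), or None when that check failed."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:                   # one aligned pass is enough for DMARC
        return "pass"
    policy = tags["p"] if from_domain.lower() == policy_domain.lower() else tags["sp"]
    if sample is None:
        sample = random.randrange(100)      # pct= selects a share of failing mail at random
    if sample >= int(tags["pct"]):          # outside the sample: apply the next weaker policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy
```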