What is it about
Domain-based Message Authentication, Reporting and Conformance, that is the mechanism to identify and prevent email spoofing, to do this it uses SPF and DKIM and allows recipients to send reports in order to monitor the protection of the domain from fraudulent emails that are intended to deceive unsuspecting recipients.
The DMARC is a TXT type DNS record, it is based on SPF and DKIM
For this reason, first of all, it is necessary to implement, using the Hosting management panel, both the DKIM signature and the SPF record in our DNS record.
How does it work
DMARC tells mail-receiving servers what to do when a message arrives that appears to come from your organization, but fails authentication checks or does not meet authentication requirements in the DMARC policy record. Unauthenticated messages may have stolen your organization’s identity or come from unauthorized servers.
DMARC is always used with these two methods or email authentication checks:
- SPF (Sender Policy Framework), which allows the domain owner to authorize the IP addresses that are allowed to send email on behalf of the domain. Receiving servers can verify that messages that appear to come from a specific domain are sent by servers authorized by the domain owner.
- DKIM (Domain Keys Identified Mail), which adds a digital signature to every message sent. Receiving servers use the signature to verify that messages are authentic and have not been spoofed or modified in transit.
DMARC authorizes or rejects a message based on the level of correspondence between the From: header and the sender domain found by verifying the message using SPF or DKIM. This is called alignment. For this reason, before setting up DMARC for your domain, you need to activate SPF and DKIM.
Handling of messages that fail authentication (reception policy)
If a mail server receives a message from your domain that fails the SPF or DKIM check or both, DMARC tells the server how to handle the message. There are three options, defined by the DMARC policy in use:
- If the policy is set to none, no action is taken on the messages, which will be delivered normally.
- If the policy is set to quarantine, messages are marked as spam and sent to the recipients’ spam folder.
- If the policy is set to reject, messages are rejected and are not delivered to recipients.
The DMARC is configured only on the DNS side, through the generation of a TXT record:
- The record name should be _dmarc
- The record value will be generated from the table below
|v=||DMARC1||Mandatory value, it must be the first tag of the DMARC record, while the other tags are not case sensitive, this must be uppercase with the value v = DMARC1.|
|p=||It can take one of the following values: none: No specific warnings will be given to the destination mail server quarantine: Warns the destination mail server to treat any email that fails the DKIM and / or SPF test as suspicious and perform additional reject checks: Warn the destination mail server to reject any email that fails the DKIM and / or SPF test||Mandatory value, must be the second tag of the DMARC record. It defines the rules by which the destination mail servers will treat emails.|
|sp=||Same values as p = (reject, quarantine, none)||Optional value, if the sp tag is not present, the p tag will cover the main domain and all its subdomains. If the sp tag is present, it indicates the rules to be applied to all subdomains of the main domain. In this case the main domain is always covered by the p tag.|
|adkim=||r (relaxed – default) or s (strict)||Optional value, if the tag is omitted the default value will be adkim = r. Specifies the “alignment mode” for the DKIM signature.|
|aspf=||r (relaxed) or s (strict)||Optional value, if the tag is omitted the default value will be aspf = r. Specifies the “alignment mode” for SPF control.|
|pct=||Value between 0 and 100||Optional value, defines the percentage of emails to which the DMARC rules are applied. If the value is omitted the default value will be pct = 100, so all emails will be subjected to DMARC checks.|
|fo=||It can take one of the following values: 0: Generates the report to the sending mail server if all checks fail. If only DKIM is used as a security system and the DKIM test fails, the report will be sent. If only the SPF is used as a safety system and the SPF test fails, the report will be sent. If both DKIM and SPF are used, and the SPF fails but the DKIM test passes, the report will not be sent 1: Generates the report to the sending mail server if at least 1 check fails. If only DKIM is used as a security system and the DKIM test fails, the report will be sent. If only the SPF is used as a safety system and the SPF test fails, the report will be sent. If both DKIM and SPF are used, and the SPF fails but the DKIM test passes, the report will be sent d: Generates the report if the DKIM test fails s: Generates the report if the SPF test fails||Optional value, if the value is omitted the default value will be fo = 0. Defines the rules for when the DMARC report should be generated.|
|rf=||It can have one of the following values: afrf: The message format for the Abuse Report Format is defined by RFC 5965 iodef: The message format for the Incident Object Description Exchange Format is defined by the ‘RFC 5070||Optional value, if the value is omitted the default value will be rf = afrf. Defines the format of the DMARC report.|
|ri=||Defines the time interval of the reports in seconds||Optional value, if the value is omitted the default value will be ri = 86400, ie 1 day. Defines the time interval in seconds between the sending of a DMARC report and the other.|
|rua=||Defines the list of emails to which the aggregate report is sent||Optional value, if the value is not present the aggregate reports will not be sent. The email must have the format mailto: firstname.lastname@example.org|
|ruf=||Defines the list of emails to which the forensic report is sent||Optional value, if the value is not present the forensic reports will not be sent. The email must have the format mailto: email@example.com|
TXT record name: _dmarc
Value: v = DMARC1; p = reject; sp = reject; adkim = r; aspf = r; pct = 100; fo = 1; rf = afrf; ri = 86400; rua = mailto: firstname.lastname@example.org; ruf = mailto: email@example.com
After the configuration we can verify the DMARC using the tool MXtoolbox
We also check the deliverability of e-mail, to a domain address with Mail Tester