Creating a DMARC policy

Overview

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an inbound email policy built on top of SPF and DKIM records, designed to detect and prevent fraudulent emails.

When you add a DMARC policy to your domain, you inform recipients that your emails are protected by SPF and/or DKIM records, and tell them what to do with a message that fails alignment with those records.

Example of the DMARC sending process

  1. Sender adds a DMARC policy to their domain.
  2. An email is sent.
  3. The recipient checks if the email contains a DMARC policy.
  4. If so, the SPF/DKIM records mentioned in the sender's DMARC policy are validated.
  5. If the SPF/DKIM records pass validation, they must then pass something called 'alignment'.
  6. If 'alignment' is passed, the email is received.

If 'alignment' is not passed (even if SPF/DKIM checks are passed), then the message fails. This helps to ensure that fraudulent activity appearing to come from the domain is blocked.

What is alignment?

The DMARC policy checks the domain name listed in the message's From: field. It then compares that domain to other authenticated domain names listed in the email's header. If they are identical, your DMARC policy is aligned.

If not, you should contact your email host and ask for instructions on how to ensure your records are aligned.

Strict and relaxed alignment

The alignment in your policy can be set as strict or relaxed.

  • Strict alignment — the domains must be identical
  • Relaxed alignment — the top-level "Organizational Domain" must match

The 'Organizational Domain' is your domain name followed by its suffix. For example:

  • example.com
  • example.net
  • example.com.au

What if the message fails alignment?

The sender's DMARC policy contains information on how to handle emails that fail authentication. Two types of reports can be created:

  • Aggregate reports — sent in XML format once a day, consisting of aggregate data on all DMARC failures
  • Forensic reports (aka Failure reports) — generated immediately, consisting of the individual emails that failed

Analyzing the reports

You can use a tool like the following to analyze your reports.

Configuring a DMARC policy

  1. Configure an SPF and/or DKIM record on your domain.
  2. Send an email to yourself (or another address you own). Once received, view its headers. Verify domain alignment by identifying the domain listed as the sending address. It may be located in the following places:
    • The Envelope From domain — From: admin@example.com
    • The Return-Path — Return-Path: <admin@example.com>
    • The d= domain in the DKIM-Signature — DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com;
    The domains mentioned in all of these areas must be identical; otherwise, DMARC will fail alignment.
  3. Create two separate email addresses to receive DMARC daily aggregate and forensic reports. It’s recommended you create two email addresses since you may receive a large number of reports. For example:

    • dmarc_agg@example.com
    • dmarc_forensic@example.com
  4. Create the TXT record.
    1. Navigate to the Manage Websites page.
    2. Click the Manage button to open the Domain Settings page, which allows you to adjust various settings for your site.
      • If in Grid view, click the Manage button at the bottom of the website box.
      • If in List view, click the Manage button at the far right of your domain name.
    3. Click the DNS tab.
    4. Click the Add Record button.
    5. Hover over the TXT Record section and click the ADD link.
    6. Enter the following:
      • Host: _dmarc
      • TXT Value * — Below is a basic configuration that handles the majority of your DMARC needs. Just make sure to adjust the email addresses to the addresses you created above to receive incoming reports.
        v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg@example.com;ruf=mailto:dmarc_forensic@example.com;pct=100
        View the section below for further details on the different options you can use.
    7. Click the Add Record button to save.

    After you click the Add Record button, propagation of the new record begins. It can take up to 6 hours for the new record to update online.
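
The header check from step 2, combined with the strict and relaxed rules described under "Strict and relaxed alignment", can be scripted. The following is an added example, not part of the original article: the function names, the three-entry suffix set (a stand-in for the full Public Suffix List) and the sample headers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; real checks need the full list.
SUFFIXES = {"com", "net", "com.au"}

def org_domain(domain):
    """Organizational Domain: the public suffix plus the one label before it."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)

def aligned(from_domain, auth_domain, mode="r"):
    """mode "s" = strict (identical), "r" = relaxed (same Organizational Domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def header_domains(raw):
    """Pull the From:, Return-Path and DKIM d= domains out of raw headers."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    d = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return from_dom, rp_dom, d.group(1) if d else None

def check(raw):
    """Alignment only: it does not verify that SPF or DKIM actually passed."""
    from_dom, rp_dom, dkim_dom = header_domains(raw)
    return {name: {"spf": aligned(from_dom, rp_dom, mode),
                   "dkim": dkim_dom is not None and aligned(from_dom, dkim_dom, mode)}
            for mode, name in (("s", "strict"), ("r", "relaxed"))}

SAMPLE = (  # constructed headers: bounce address on a subdomain of the From: domain
    "Return-Path: <bounce@mail.example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=example.com; s=sel1\n"
    "From: Admin <admin@example.com>\n"
    "Subject: alignment test\n\nbody\n"
)

if __name__ == "__main__":
    for mode, result in check(SAMPLE).items():
        print(mode, result)
```

With the sample headers, the Return-Path domain mail.example.com aligns with the From: domain only under relaxed alignment, while the DKIM d= domain aligns under both modes.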

Tags you can use in your DMARC record

Required tags

There are 2 required tags, v and p.

The v tag

The v tag identifies the text record as a DMARC record. This must be the first tag and have a value of DMARC1.

The p tag

The p tag identifies the action the domain owner requests the recipient to take for failed messages. Options are:

Tag            Description
p=none         No action should be taken for emails that fail DMARC authentication.
p=quarantine   If an email fails DMARC authentication, it should be treated as suspicious. How this is handled is up to the recipient, for example, it may be placed in a SPAM folder.
p=reject       If an email fails DMARC authentication, the recipient should reject the email during the SMTP transaction.

Email tags

These indicate where reports are sent.

Tag                                     Description
rua=mailto:dmarc_agg@example.com        The address where aggregate DMARC reports should be sent.
ruf=mailto:dmarc_forensic@example.com   The address where forensic DMARC reports should be sent.

Reporting tag

fo controls when a failure report is created.

Tag   Description
0     Creates a report if all authentication steps fail. (Default)
1     Creates a report if any authentication steps fail.
d     Creates a DKIM failure report if the message had a signature that failed evaluation.
s     Creates an SPF failure report if the message failed SPF authentication.

A setting of fo=1 is recommended as it provides the most data about any failures.

Optional tags

The following tags use a default value if the tag isn't set:

Tag     Description
adkim   Sets a strict or relaxed DKIM identifier alignment. (The default is relaxed).
aspf    Sets a strict or relaxed SPF identifier alignment. (The default is relaxed).
rf      Format for failure reports. (The default is Authentication Failure Reporting Format, or 'AFRF').
ri      Sets the number of seconds between sending aggregate reports. (The default value is 86,400 seconds, or one day).
pct     Sets the percentage of messages DMARC is applied to. Setting this to 100 would apply to every email and is recommended.

Subdomain tag

The sp tag is used to set a different reporting policy for a subdomain. For example, you could set the primary domain to use p=reject while setting all subdomains under this domain to use sp=quarantine.

Tag   Description
sp    Sets a reporting policy for the subdomain, different from the primary domain. For example:
      v=DMARC1; p=none; sp=quarantine;fo=1; rua=mailto:dmarc_agg@example.com;ruf=mailto:dmarc_forensic@example.com;pct=100
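
Before publishing a record, it helps to check it against the tag rules above and see which defaults apply. The following is an added example, not part of the original article: parse_dmarc is a hypothetical helper, the "bad" record is constructed, and the check that rua/ruf addresses start with mailto: is an assumption based on the form used in this article.

```python
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "ri": "86400", "pct": "100"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return (effective_tags, problems) for the value of a _dmarc TXT record."""
    pairs = [tuple(s.strip() for s in part.partition("=")[::2])
             for part in txt.split(";") if part.strip()]
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    tags, seen = dict(DEFAULTS), set()
    for name, value in pairs:
        if name in seen:
            problems.append(f"duplicate tag {name}")
        seen.add(name)
        tags[name] = value
    if tags.get("p") not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    tags.setdefault("sp", tags.get("p"))     # subdomains inherit p unless sp is set
    for key in ("adkim", "aspf"):
        if tags[key] not in ("r", "s"):
            problems.append(f"{key} must be r (relaxed) or s (strict)")
    if not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo values must be 0, 1, d or s")
    for key in ("rua", "ruf"):               # assumption: only mailto: targets
        for uri in filter(None, tags.get(key, "").split(",")):
            if not uri.strip().lower().startswith("mailto:"):
                problems.append(f"{key} address {uri.strip()} is missing mailto:")
    return tags, problems

# The basic record from this article.
GOOD = ("v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg@example.com;"
        "ruf=mailto:dmarc_forensic@example.com;pct=100")
# Constructed record with three mistakes: v not first, pct too high, no mailto:.
BAD = "p=reject; v=DMARC1; pct=150; rua=dmarc_agg@example.com"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        tags, problems = parse_dmarc(record)
        print(tags["p"], tags["sp"], tags["adkim"], tags["aspf"], problems or "ok")
```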
