Domain-based Message Authentication, Reporting and Conformance (DMARC) is an Inbound email policy built on top of SPF and DKIM records, designed to detect and prevent fraudulent email.
When you add a DMARC policy to your domain, you choose to inform the recipient that your emails are protected by SPF and/or DKIM records, and what to do if your DMARC policy fails alignment with those records.
Example of the DMARC sending process
- Sender adds a DMARC policy to their domain.
- An email is sent.
- The recipient checks if the email contains a DMARC policy.
- If so, the SPF/DKIM records mentioned in the sender's DMARC policy are validated.
- If the SPF/DKIM records pass validation, they must then pass something called 'alignment'.
- If 'alignment' is passed, the email is received.
If 'alignment' is not passed (even if SPF/DKIM check are passed), then the message fails. This helps to ensure that fraudulent activity appearing to come from the domain is blocked.
What is alignment?
The DMARC policy checks the domain name listed in the message's From: field. It then compares that domain to other authenticated domain names listed in the email's header. If they are identical, your DMARC policy is aligned.
If not, you should contact your email host and ask for instructions on how to ensure your records are aligned.
Strict and relaxed alignment
The alignment in your policy can be set as strict or relaxed.
- Strict alignment — the domains must be identical
- Relaxed alignment — the top-level "Organizational Domain" must match
The 'Organizational Domain' is your domain name followed by its suffix. For example:
What if the message fails alignment?
The sender's DMARC policy contains information on how to handle emails that fail authentication. Two types of reports can be created:
- Aggregate reports — sent as XML format once a day, consisting of aggregate data of all DMARC failures
- Forensic reports (aka Failure reports) — generated immediately and consist of individual emails that failed
Configuring a DMARC policy
- Configure an SPF and/or DKIM record on your domain.
- Send an email to yourself (or another address you own). Once received, view its headers. Verify domain alignment by identifying the domain listed as the sending address. It may be located in the following places:
- The Envelope From domain — From: email@example.com
- The Return-Path Return-Path — <firstname.lastname@example.org>
- The d=domain in the DKIM-Signature — DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com;
Create two separate email addresses to receive DMARC daily aggregate and forensic reports. It’s recommended you create two email addresses since you may receive a large amount of reports. For example:
- Create the TXT record.
- In your panel, navigate to the Manage Domains page.
- Click the link under your domain.
- When the following page opens, enter a new TXT record as shown in the following example:
- Name — _dmarc
- Type — TXT
- Value — Below is a basic configuration that handles the majority of your DMARC needs. Just make sure to adjust the email addresses to the addresses you created above to receive incoming reports.
v=DMARC1; p=none; fo=1; rua=mailto:email@example.com;ruf=mailto:firstname.lastname@example.org;pct=100
Within 4-6 hrs the record will update online.
Tags you can use in your DMARC record
There are 2 required tags, v and p.
The v tag
The v tag identifies the text record as a DMARC record. This must be the first tag and have a value of DMARC1.
The p tag
The p tag identifies the action the domain owner requests the recipient to take for failed messages. Options are:
|p=none||No action should be taken for emails that fail DMARC authentication.|
|p=quarantine||If an email fails DMARC authentication, it should be treated as suspicious. How this is handled is up to the recipient, for example, it may be placed in a SPAM folder.|
|p=reject||If an email fails DMARC authentication, the recipient should reject the email during the SMTP transaction.|
These indicate where reports are sent.
|rua=mailto:email@example.com||This address is where aggregate DMARC reports should be sent to.|
|ruf=mailto:firstname.lastname@example.org||Indicates where forensic DMARC reports should be sent to.|
fo controls when a failure report is created.
|0||Creates a report if all authentication steps fail. (Default)|
|1||Creates a report if any authentication steps fail.|
|d||Creates a DKIM failure report if the message had a signature that failed evaluation.|
|s||Creates an SPF failure report if the message failed SPF authentication.|
A setting of fo=1 is recommended as it provides the most amount of data about any failures.
The following tags use a default value if the tag isn't set:
|adkim||Sets a strict or relaxed DKIM identifier alignment. (The default is relaxed).|
|aspf||Sets a strict or relaxed SPF identifier alignment. (The default is relaxed).|
|rf||Format for failure reports. (The default is Authentication Failure Reporting Format, or 'AFRF').|
|ri||Sets the number of seconds between sending aggregate reports. (The default value is 86,400 seconds, or one day).|
|pct||Sets the percentage of messages DMARC is applied to. Setting this to 100 would apply to every email and is recommended.|
The sp tag is used to set a different reporting policy for a subdomain. For example, you could set the primary domain to use p=reject while setting all subdomains under this domain to use sp=quarantine.
|sp||Sets a reporting policy for the subdomain, different form the primary domain. For example:
v=DMARC1; p=none; sp=quarantine;fo=1; rua=mailto:email@example.com;ruf=mailto:firstname.lastname@example.org;pct=100<