
DMARC

Recommended Reading

This guide only provides a quick, simplified overview of DMARC and a how-to for configuring your DNS resource records. To understand the subject properly, you should read the official DMARC website. DNS for Rocket Scientists is also helpful.

Why DMARC

To prevent phishing emails and spam, we use SPF and DKIM. However, sometimes genuine messages fail to authenticate, and other times forged messages get accepted. Senders need some way to get feedback on how much of their mail is being sent and how much of it is being marked as fake. This helps with troubleshooting, improving delivery rates, and detecting fraud.

Domain-based Message Authentication, Reporting and Conformance (DMARC) provides a way for mail senders and receivers to share this information.

DMARC helps:

  1. reduce false positives
  2. report on how much mail has authenticated
  3. tell the receiver the sender's policy
  4. reduce phishing

Inside a DMARC record, you tell the mail server:

  1. if you are using DKIM, SPF, or both.
  2. how to handle mail that doesn't validate.
  3. if you want a feedback report, and how to report.

Note that DMARC uses DKIM and SPF; it does not replace either.

To use DMARC, you add a single TXT record to your DNS zone. The tags that record can contain are described below.

How it works

Tag   | Indicates                           | Example                           | Meaning
------+-------------------------------------+-----------------------------------+------------------------------------------------------------
v     | DMARC version                       | v=DMARC1                          | First DMARC version; "DMARC" must be all uppercase; required
pct   | Percent of mail to filter           | pct=20                            | Filter 20% of mails; increase slowly over time to detect configuration mistakes gradually
ruf   | Reporting URI for forensic reports  | ruf=mailto:postmaster@example.com | Report to postmaster@example.com. Warning: make sure the address is inside the current zone, or else you need an extra DMARC record
rua   | Reporting URI for aggregate reports | rua=mailto:postmaster@example.com | Report to postmaster@example.com. Warning: make sure the address is inside the current zone, or else you need an extra DMARC record
p     | Policy for domain                   | p=<value>                         | Required; applies to the domain (and to subdomains if sp= is not specified)
      |                                     | p=none                            | No advice given
      |                                     | p=quarantine                      | If checks fail, mail is suspicious
      |                                     | p=reject                          | If checks fail, reject mail
sp    | Policy for subdomains               | sp=<value>                        | Same as above, but for subdomains only
adkim | Strictness of DKIM alignment        | adkim=<value>                     | Optional; default adkim=r. Checks whether the DKIM d= domain matches the From: domain
      |                                     | adkim=r                           | Relaxed; subdomains of the d= domain are accepted
      |                                     | adkim=s                           | Strict; subdomains of the d= domain are not accepted
aspf  | Strictness of SPF alignment         | aspf=<value>                      | Optional; default aspf=r. Checks whether the MAIL FROM (SMTP) domain matches the From: header domain
      |                                     | aspf=r                            | Relaxed; subdomains of the MAIL FROM domain are accepted
      |                                     | aspf=s                            | Strict; subdomains of the MAIL FROM domain are not accepted
fo    | When to report                      | fo=<value>                        | Optional; default fo=0
      |                                     | fo=0                              | Send only if all requested checks fail
      |                                     | fo=1                              | Send if any requested check fails
      |                                     | fo=d                              | Send if DKIM fails
      |                                     | fo=s                              | Send if SPF fails

Example Records

TXT records are used to store DMARC information to avoid having to upgrade DNS software to support special resource record types.

Permit and Report Everything

_dmarc     IN    TXT "v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

Between the two quotation marks we put the DMARC information, which is made up of key=value pairs separated by semicolons.

Pair                              | Meaning
----------------------------------+-------------------------------------------------
v=DMARC1                          | First DMARC version
p=none                            | No advice is given
pct=0                             | Filter 0% of mails
fo=1                              | Report all errors from DKIM and SPF
rua=mailto:postmaster@example.com | Send aggregate reports to postmaster@example.com
ruf=mailto:postmaster@example.com | Send forensic reports to postmaster@example.com

This record will provide you with reports for both DKIM and SPF, but will not enforce any filtering whatsoever. That makes it very useful for testing whether a new mail server is configured properly. However, this loose configuration may allow more spammers to spoof your domain, because bad email is not rejected.
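A small checker for records like the two on this page, added here as an example (it is not part of the original guide). It applies the allowed values from the tag table above, rejects report addresses that lack the mailto: prefix, and warns about a monitoring-only record such as the p=none one just shown; the colon-separated form of fo (fo=1:d:s) is an assumption that goes beyond the page's table.

```python
# Values the page's table allows per tag (constructed); fo may combine
# several with ':' (fo=1:d:s), which goes beyond the page's table.
ALLOWED = {
    "v": {"DMARC1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "fo": {"0", "1", "d", "s"},
}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT string (quotes optional) into a tag -> value dict."""
    tags = {}
    for pair in txt.strip().strip('"').split(";"):
        if not pair.strip():
            continue  # tolerate a trailing ';'
        if "=" not in pair:
            raise ValueError(f"tag without '=': {pair.strip()!r}")
        key, value = pair.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags

def check_dmarc(txt: str) -> list:
    """Return ERROR/WARNING findings for one record; [] means clean."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as e:
        return [f"ERROR: {e}"]
    findings = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        findings.append("ERROR: record must start with v=DMARC1")
    if "p" not in tags:
        findings.append("ERROR: p= is required")
    for key, value in tags.items():  # every known tag must hold a known value
        values = set(value.split(":")) if key == "fo" else {value}
        if key in ALLOWED and not values <= ALLOWED[key]:
            findings.append(f"ERROR: {key}={value} is not a valid value")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(f"ERROR: pct={pct} must be 0..100")
    for key in ("rua", "ruf"):  # report URIs must be mailto: addresses
        for uri in filter(None, tags.get(key, "").split(",")):
            if not uri.startswith("mailto:"):
                findings.append(f"ERROR: {key} URI must use mailto:, got {uri!r}")
    if tags.get("p") == "none":
        findings.append("WARNING: p=none only reports; spoofed mail is not rejected")
    elif pct.isdigit() and int(pct) < 100:
        findings.append(f"WARNING: pct={pct} applies the policy to only {pct}% of mail")
    return findings
```

Running check_dmarc on the two records in this guide yields one warning for the permit-everything record and nothing for the reject/quarantine one.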

Reject and Quarantine All Failed Mail

_dmarc     IN    TXT "v=DMARC1;p=reject;sp=quarantine;pct=100;fo=1;rua=mailto:postmaster@example.com;ruf=mailto:postmaster@example.com"

Pair                              | Meaning
----------------------------------+-------------------------------------------------------
v=DMARC1                          | First DMARC version
p=reject                          | Reject failed mail from example.com
sp=quarantine                     | Quarantine failed mail from <subdomain>.example.com
pct=100                           | Filter 100% of mails
fo=1                              | Report all errors from DKIM and SPF
rua=mailto:postmaster@example.com | Send aggregate reports to postmaster@example.com
ruf=mailto:postmaster@example.com | Send forensic reports to postmaster@example.com

This rejects mail from the domain, and quarantines mail from its subdomains, whenever the DKIM and SPF checks fail. It is very good at stopping spam and phishing that pretends to come from your domain.

Warning: you may lose a lot of genuine mail if there is a misconfiguration. It may also cause problems when mail is forwarded by mailing lists.