Contents
Introduction
Domain-based Message Authentication, Reporting and Conformance (DMARC) ties SPF and DKIM protocols together with a consistent set of policies. It also links the sender’s domain name with what is listed in the From: header and also has some better reporting back from mail recipients.
It’s an email authentication, policy and reporting protocol that’s actually built around both SPF and DKIM. It has three basic purposes:
- verifies that a sender’s email messages are protected by both SPF and DKIM,
- tells the receiving mail server what to do if neither of those authentication methods passes, and
- it provides a way for the receiving server to report back to the sender about messages that pass and/or fail the DMARC evaluation.
DMARC basically builds on SPF and DKIM to ensure that, when an email is received, the information contained in both records matches the “friendly from” domain (e.g., me@my-domain.com) that the user actually sees and the from address that’s contained in the message’s header.
Description
DMARC uses SPF and DKIM and provides a set of instructions to receiving email servers with what to do if they receive unauthenticated mail.
The DMARC record is a text string with only 2 required tags, v (version) and p (policy). There are other tags which are optional, but there is no consensus yet on which are recommended.
Creating your DMARC record
Preparation
- Check that SPF and DKIM have been set up.
- DMARC does not work without them.
- EITHER check your DNS
- OR use a DMARC wizard
- DMARC does not work without them.
- Set up a new email address specifically to receive DMARC reports
- DMARC needs an email address to send reports to
- keep reports separate from normal email
- DMARC needs an email address to send reports to
Use a DMARC wizard
This is the easiest way to check SPF and DKIM are set up, to create your DMARC policy, and to check your DMARC record afterwards.
There are many sites that offer this tool: MXToolbox, DMARC Analyzer (requires sign up), Dmarcian and more. The Dmarc.org site also provides a list of utilities for generating DMARC records, message validation and more. Most of these sites also have tools to validate your DMARC record once DNS propagation has taken place.
Action
- Log into your hosting or domain registrar account
- with Skylime you log into your cPanel account, and
- find the DNS Zone Editor and select Manage
- select + Add Record and choose Add “TXT” Record option
- with non-cPanel accounts accessing the DNS editor will be slightly different
- with Skylime you log into your cPanel account, and
- Add a new TXT record to your domain’s DNS.
- Name (‘Valid zone name’)
- _dmarc.DOMAIN
- TTL is server delay; usually you can leave this as default value (here it is 14400)
- Type is TXT; if not already correct, change it by clicking the dropdown
- Record (‘Text’) is where you enter the 2 required DMARC tags and any optional ones
- 2 compulsory tags first
- v=DMARC1;
- p=none; (options)
- optional tags follow
- fo=1; (options)
- rua=mailto:name@domain
- 2 compulsory tags first
- Click the Save Record button to complete
- Name (‘Valid zone name’)
Typical example
1 tag in Name — _dmarc.skylime.co.uk
4 tags in Record — [1] v=DMARC1; [2] p=none; [option] fo=1; [option] rua=mailto:reports@skylime.co.uk
What does this mean?
1Version |
2Policy |
Optional Report Options |
Optional Report Destiny |
| v=DMARC1 | p=none | fo=1 | rua=mailto:reports@skylime.co.uk |
| Options | |||
| There is no other version at present | What to do with failed message none quarantine reject |
0: generate reports if both DKIM and SPF fail 1: generate reports if either DKIM or SPF fail d: generate report if DKIM fails s: generate report if SPF fails |
An email address should be set up specifically for reports mailto:test@example.com; |
| Examples | |||
| v=DMARC1 | p=none p=quarantine p=reject |
fo=0 fo=1 fo=d fo=s |
mailto:test@example.com |
