Categories

Backup/Restore
4
Billing Support
7
Cloud Backup
5
CloudLinux (cPanel)
10
cPanel - Control Panel
34
Databases
12
DNS - Nameservers
9
Domain Management
12
Email
17
Email - General
10
Exchange Hosting
8
FTP
9
General Network
7
General Support
5
Installing a Control Panel
6
Mail Filters & SPAM
8
Mobile
11
Others
3
PayPal
7
Reseller Hosting Support
48
Security
10
Softaculous
69
SolusVM
18
SSL
9
WHM
19
WordPress
19

  Categories

  Tag Cloud

Password VPS Servers Dedicated Servers

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket
What Is My IP?
Password Generator
Excel to Text Converter

Add a DMARC record Print

  • 28

What is DMARC?

DMARC, which stands for-Domain-based Message Authentication, Reporting & Conformance , is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

Create the record

Once SPF and DKIM are in place, you configure DMARC by adding policies to your domain's DNS records in the form of TXT records.
The TXT record name should be "_dmarc.your_domain.com." where "your_domain.com" is replaced with your actual domain name.

Here are common tags used in DMARC TXT records:

Tag NameRequiredPurposeSample

v

 required Protocol version v=DMARC1

p

 required Policy for domain p=quarantine

pct

 optional % of messages subjected to filtering pct=20

rua

 optional Reporting URI of aggregate reports rua=mailto:aggrep@example.com

sp

 optional Policy for subdomains of the domain sp=reject

aspf

 optional Alignment mode for SPF aspf=r

See https://dmarc.org//draft-dmarc-base-00-01.html#iana_dmarc_tags for further details.

Only the v (version) and p (policy) tags are required. Three possible policy settings, or message dispositions, are available:

  • none - Take no action. Log affected messages on the daily report only.
  • quarantine - Mark affected messages as spam.
  • reject - Cancel the message at the SMTP layer.

Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict. represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.

Make sure to include your email address with the optional rua tag to receive the daily reports.

Example records

Here are some example DMARC TXT records (_dmarc.your_domain.com IN TXT) you may modify for your own use. Of course, replace "your_domain.com" and "postmaster@your_domain.com" with your actual domain and email address.

In the following example TXT record, if a message claims to be from your domain.com and fails the DMARC checks, no action is taken. Instead all of these messages appear on the daily aggregate report sent to "postmaster@your_domain.com."

"v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"

In the next example TXT record, if a message claims to be from your domain.com and fails the DMARC checks, quarantine it 5% of the time. Then email daily aggregate reports to "postmaster@your_domain.com."

"v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com"

In the final example, if a message claims to be from "your_domain.com" and fails the DMARC checks, reject it 100% of the time. Then email daily aggregate reports to "postmaster@your_domain.com" and "dmarc@your_domain.com."

"v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com"

Deploy slowly

We strongly recommend ramping up DMARC use slowly by employing these policies in this order. First, monitor your traffic and look for anomalies in the reports, such as messages that are not yet being signed or are perhaps being spoofed. Then, when you're comfortable with the results, change the TXT record policy setting from "none" to "quarantine." Once again, review the results, this time in both your spam catch and in the daily DMARC reports. Finally, once you're absolutely sure all of your messages are signed, change the policy setting to "reject" to make full use of DMARC. Revisit reports to ensure your results are acceptable.

Similarly, the optional pct tag can be used to stage and sample your DMARC deployment. Since 100% is the default, passing "pct=20" in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them. This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent to begin with and increase it every few days.

So a conservative deployment cycle would resemble:

  1. Monitor all.
  2. Quarantine 1%.
  3. Quarantine 5%.
  4. Quarantine 10%.
  5. Quarantine 25%.
  6. Quarantine 50%.
  7. Quarantine all.
  8. Reject 1%.
  9. Reject 5%.
  10. Reject 10%.
  11. Reject 25%.
  12. Reject 50%.
  13. Reject all.

Attempt to remove the percentages as quickly as possible to complete the deployment.

As always, review your daily reports.

Was this answer helpful?

Related Articles

About Webmail About WebMailWhile EntirelyDigital offers its Webmail feature to all users for convenience, we... Spam through Website forms Spammers are now trying to use forms to send email to individuals at companies, or at mailing... How do I connect my iPhone to EntirelyDigital hosted exchange In order to connect your iPhone ActiveSync to receive email from EntirelyDigital's hosted... What are the maximum number of recipients for email messages The maximum number of recipients per message (either in the TO: or CC: or BCC:) is 100 Any more... Error - Out of Office Assistant Error message when you try to open the Out of Office Assistant in Outlook 2007: "Your Out of...
« Back

  Tag Cloud

Password VPS Servers Dedicated Servers

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket
What Is My IP?
Password Generator
Excel to Text Converter