About
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy published as a DNS TXT record. It tells the receiving server what action to take when an email does not pass the email authentication mechanisms:
- DomainKeys Identified Mail (DKIM) (preferred by Gmail): valid signature from the domain of the From address.
- Sender Policy Framework (SPF): valid sender.
It wards off email spoofing.
DKIM and SPF should be set up before setting a DNS DMARC record.
DMARC has two conditions for an email, but either of them is sufficient to pass the DMARC check.
When does a message pass DMARC?
To pass DMARC, a message must pass at least one of these checks:
A message fails the DMARC check if the message fails both:
- SPF (or SPF alignment)
- DKIM (or DKIM alignment)
DMARC DNS record
The DMARC record is a TXT record with the relative name _dmarc. It contains a series of options called record tags.
The only mandatory tag is v=DMARC1.
For instance, for the most relaxed policy (i.e. the none policy), you could enter the following DNS record:
_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
where the options are called record tags and:
- p defines the policy
- rua is the email address that receives the reports, i.e. every mail server that gets mail from your domain sends daily reports to [email protected].
- More record-tags
Policy
The policy defines the action taken on messages by the receiving server when they don’t pass the DMARC checks.
| Policy | Description | Report |
|---|---|---|
| none | No action is taken | Yes |
| quarantine | Send messages to the recipient’s spam or quarantine folder | Yes |
| reject | Send a bounce | No |
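The pass rule and the policy table above, combined into a receiver-side evaluation. This is an added example, not code from the original page. It assumes strict alignment only (exact match with the From domain) and treats a missing p tag as none; the record, messages and function names are constructed for illustration.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into record tags; the first tag must be v=DMARC1."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    if not pairs or pairs[0][0].strip().lower() != "v" or pairs[0][1].strip() != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    return {name.strip().lower(): value.strip() for name, value in pairs}

def aligned(auth_domain, from_domain):
    """Assumption: strict alignment only (exact match with the From domain)."""
    if not auth_domain:
        return False
    return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")

def passes_dmarc(msg):
    """Pass when SPF or DKIM both passes and is aligned with the From domain."""
    spf_ok = msg["spf_pass"] and aligned(msg["spf_domain"], msg["from_domain"])
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_domain"], msg["from_domain"])
    return spf_ok or dkim_ok

def disposition(record_txt, msg):
    """Return 'pass', or the policy (none / quarantine / reject) applied on failure."""
    tags = parse_dmarc(record_txt)
    if passes_dmarc(msg):
        return "pass"
    policy = tags.get("p", "none")  # assumption: a missing p tag is treated as none
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy: {policy!r}")
    return policy

# Constructed sample data (not from the page).
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
MESSAGES = {
    # Direct mail: SPF passes for the From domain, no DKIM signature.
    "spf_aligned": dict(from_domain="example.com", spf_pass=True,
                        spf_domain="example.com", dkim_pass=False, dkim_domain=None),
    # Forwarded mail: SPF breaks, but the original DKIM signature survives.
    "dkim_aligned": dict(from_domain="example.com", spf_pass=False,
                         spf_domain="forwarder.test", dkim_pass=True, dkim_domain="example.com"),
    # SPF passes, but only for an unrelated envelope domain: not aligned.
    "spf_unaligned": dict(from_domain="example.com", spf_pass=True,
                          spf_domain="other.test", dkim_pass=False, dkim_domain=None),
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name}: {disposition(RECORD, msg)}")
```

The third message shows why a bare SPF pass is not enough: the check passed for a domain other than the one in the From address, so the quarantine policy applies.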
Report
The DMARC report is sent to the email address configured in the rua tag of the DMARC record.
You can then monitor the effectiveness of your email operation.
Example: