DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) aims to improve email security. DMARC itself does not offer a protection mechanism, but the option to define a policy that specifies what should happen to emails that neither pass SPF nor DKIM checks.
It is defined as a DNS entry of type TXT. The entry must have the value "_dmarc". To query the entry for the domain google.com, you can therefore use the following dig command:
dig txt _dmarc.gmail.com
DMARC Policies
A DMARC policy is defined in a DNS record and can specify actions like monitoring, quarantining, or rejecting emails that fail authentication checks.
Here are three common DMARC policies:
Monitoring Only (p=none)
This policy is useful for gathering data on email authentication without impacting email delivery. It allows all emails to pass while providing reports on SPF and DKIM compliance. A aggregated report will be sent to the specified email address.
v=DMARC1; p=none; rua=mailto:report@yourdomain.com
Marking as Spam (p=quarantine)
With this policy, emails that fail SPF or DKIM checks are moved to the recipient's spam or junk folder.
v=DMARC1; p=quarantine; pct=100;
Restricting totally (p=reject)
This strictest policy rejects emails that fail authentication checks, preventing them from reaching the recipient. Report will be sent to the specified email addresses.
v=DMARC1; p=reject; pct=100; rua=mailto:report@yourdomain.com; ruf=mailto:forensic@yourdomain.com
You can find additional details on DMARC policies and configuration at DMARC.org.
Aggregated Reports
Aggregated reports provide detailed insights into the results of SPF and DKIM checks for emails sent from your domain. These reports are generated by receiving email servers performing DMARC checks and sent to the addresses specified in your DMARC record. The reports are generated in XML format and provide the ability to monitor the email authentication status of your domain. However, only relatively few large mail providers send such reports.
For a comprehensive guide on understanding and analyzing DMARC reports, visit The Difference in DMARC Reports: RUA and RUF.
Tools for Setting Up and Testing DMARC
Setting up DMARC can be challenging, but several tools are available to help you configure and test your DMARC records:
- LearnDMARC.com: Provides a user-friendly interface to test your DMARC records.
- MXToolbox DMARC Lookup: Another tool to check your DMARC setup.
Please note that we are not affiliated with the providers of these tools.