DMARC - what is it and how to implement it?

DMARC is one of the tools for securing email.

Written by Weronika Kapias
Updated over a week ago

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on the information contained in SPF and DKIM records. Unlike those two, however, DMARC lets the domain owner tell the receiving server whether it should or should not accept a message that fails authentication.

An example of a DMARC record is shown below with an explanation of its various elements:

v=DMARC1;p=reject;rua=mailto:dmarc-reports@yourdomain.com;ruf=mailto:dmarc-forensic@yourdomain.com

Individual elements:

"v=DMARC1" is the identifier that the receiving server is looking for to run the DMARC test; it specifies the DMARC protocol version.

"p=..." tells the server what to do with emails that fail the DMARC test. There are three policies: none (no restriction; the message is delivered normally), quarantine (treat the message as suspicious, typically by placing it in spam) and reject (refuse the message).

"rua=mailto:..." indicates to the server where to send aggregate DMARC failure reports.

"ruf=mailto:..." refers to detailed reports related to DMARC failures. The email address must be from the domain for which the DMARC record is published.

This example contains only a few elements (so-called tags), the most commonly recommended ones, but a record can be more complex depending on your needs. You can additionally include the tag "rf=...", which specifies the format of the failure report, or "pct=...", which specifies what percentage of messages that fail DMARC the policy (for example reject) should be applied to.

You can find more tags and descriptions of their use here: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record

According to the changes introduced by Google and Yahoo from February 2024, every sending domain should publish a DMARC record with at least a p=none policy.

Such a record might look like the following:

Name: _dmarc.yourdomain.com

Type: TXT

Value: v=DMARC1; p=none

How does DMARC verification work?

Please note that for DMARC to work properly you must first configure the SPF and DKIM records. Instructions can be found below:

The domain owner sets the rules on how to deal with messages that do not meet SPF and DKIM requirements. DMARC also allows reports to be received on the actions taken by mail servers receiving messages. These rules become part of the domain's DNS records.

When a mail server receives a message, it looks up the DNS records of the sender's domain to find the DMARC policy and evaluates the message against three criteria:

  • whether the DKIM signature is valid

  • whether the SPF record authorizes the IP address of the sending server

  • whether the domains used for those checks (the DKIM signing domain and the Return-Path domain) align with the domain in the sender's address in the visible "From" field

After verification, based on the DMARC policy set by the sender, the server 'decides' what to do with the message and sends a report to the sender.
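The evaluation described in this section can be expressed as a short decision routine. The code below is an added example written for this article, not edrone's code and not a full DMARC implementation: the SPF and DKIM results are supplied as inputs rather than computed, the organizational domain is taken to be the last two labels of a name (a real receiver consults the Public Suffix List), and the "roll" argument stands in for the random sampling that "pct" implies so the result is reproducible. The policy is passed as a plain dict of the tags explained above ("p", "sp", "pct", "adkim", "aspf"), and the messages in the usage section are constructed samples.

```python
"""Decide DMARC pass/fail and the resulting disposition (added example, not edrone's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import random


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class MessageAuth:
    from_domain: str                 # domain of the visible From: header
    return_path_domain: str          # domain of MAIL FROM / Return-Path
    spf_pass: bool                   # SPF result for return_path_domain
    dkim_domain: Optional[str]       # d= of a DKIM signature that verified, or None


def dmarc_result(msg: MessageAuth, policy_domain: str, policy: Dict[str, str],
                 roll: Optional[int] = None) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass' or 'fail'; disposition is what the receiver should do:
    'none', 'quarantine' or 'reject'.
    """
    # DMARC passes if EITHER aligned SPF OR aligned DKIM passes.
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.return_path_domain,
                                      policy.get("aspf", "r"))
    dkim_ok = msg.dkim_domain is not None and aligned(msg.from_domain, msg.dkim_domain,
                                                      policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"

    # Failure: pick p, or sp when the From domain is a subdomain of the policy domain.
    action = policy.get("p", "none")
    if msg.from_domain.lower() != policy_domain.lower() and "sp" in policy:
        action = policy["sp"]

    # pct: only that percentage of failing messages gets the full policy; the rest
    # get the next less strict one (reject -> quarantine, quarantine -> none).
    pct = int(policy.get("pct", "100"))
    if roll is None:
        roll = random.randrange(100)  # 0..99, so roll < pct happens pct% of the time
    if roll >= pct:
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action


if __name__ == "__main__":
    policy = {"p": "reject", "pct": "100"}
    # Constructed sample: legitimate mail, SPF passes for a bounce subdomain (relaxed alignment).
    good = MessageAuth("yourdomain.com", "bounce.yourdomain.com", True, None)
    # Constructed sample: spoofed From, authenticated only for an unrelated domain.
    spoof = MessageAuth("yourdomain.com", "unrelated.example", True, "unrelated.example")
    print("legitimate:", dmarc_result(good, "yourdomain.com", policy))
    print("spoofed:   ", dmarc_result(spoof, "yourdomain.com", policy))
```

The second sample shows why alignment matters: the spoofed message has a valid SPF result and a valid DKIM signature, but both are for an unrelated domain, so it still fails DMARC and is rejected under p=reject.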

Why configure DMARC?

SPF and DKIM authenticate a message in terms of its source and content integrity; DMARC builds on both mechanisms by letting the domain owner set a handling policy for messages that fail and receive reports on the actions mail servers took. Configuring SPF and DKIM so that they align with DMARC increases the effectiveness of protection against forgery and phishing attacks.

Do you need additional help?

If you have any additional questions about working with the sender domain and DKIM in edrone, please contact us at hello@edrone.me.
