Add a DMARC record to your mail server.

DMARC (Domain-based Message Authentication, Reporting and Conformance) uses SPF and DKIM to tell receiving mail servers what to do (accept, reject, or quarantine) with messages that claim to come from your domain. It also sends reports back to you.
DMARC is published as a DNS TXT record and specifies:
  • An action policy for messages that fail both SPF and DKIM. DMARC passes when either SPF or DKIM passes.
  • In Microsoft’s implementation of DMARC for incoming mail (which we don’t control), both SPF and DKIM must pass.
  • Optionally, partial enforcement, e.g. applying the policy to 5 percent of mail.
To implement DMARC, you must first set up SPF and DKIM.
In Office 365, DMARC checking for incoming mail is done for you, but you must set up DMARC for your own domain yourself.

SPF – Sender Policy Framework

SPF is a DNS TXT record that lists the IP addresses allowed to send mail on your domain’s behalf.
You need exactly one SPF record per domain, and it must contain every IP address that is allowed to send mail on your behalf.
Example record:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all

Example for Office 365:

v=spf1 include:spf.protection.outlook.com -all

Even if your domain doesn’t send mail, it is still vulnerable to spoofing and should have this SPF record:

v=spf1 -all

DKIM – DomainKeys Identified Mail

DKIM lets a domain take responsibility for an email message by affixing a digital signature (using public-key cryptography) to it; the public key is published in a DNS TXT record.
A valid signature guarantees that the signed parts of the email (possibly including attachments) have not been modified since the signature was affixed.
DKIM involves two distinct operations: signing and verifying.
The DKIM specification lets signers choose which header fields to sign, but the From: field must always be signed.
You might need multiple DKIM records for your domain if you have different hosts, domains, or subdomains that you want to allow to send mail for you. Each host needs its own key specified in a separate TXT record, and each host is identified with a unique selector name.
Generate the keys with:

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

Install the private key on the MTA/mail-sending systems.
Publish the public key in a DKIM record with your registrar.
Example DKIM record:
  • type:  TXT
  • host:  selector1-dzsolutions-com._domainkey
  • Points to address or value:  v=DKIM1; k=rsa; p=<public_key>; n=1024,1453276987,1

DMARC

You want to ease into your DMARC policy to make sure it’s working correctly.
  • First, make a no-action policy (p=none;) that just collects reports. You’ll see who is sending mail on your behalf, and be able to correct for any senders you left out.
  • Second, switch to a low percentage quarantine policy (p=quarantine; pct=5;). It tells receiving servers to check only 5 percent of the mail, and if DMARC fails, send it to the spam folder. That way, most of the mail will go through no matter what, and your reports will show how well it’s working for the 5 percent. You can make adjustments until it works right.
  • Third, ease into rejecting (p=reject; pct=5;). Check your reports, adjust things, and increment up to 100%.
No-action DMARC record:
  • Type:  TXT
  • Host: 
  • Value:  v=DMARC1; p=none; rua=mailto:admin@your_domain.com; ruf=mailto:admin@your_domain.com; sp=reject; ri=84600;
Where:
  • v is the version.
  • p is the policy for messages that fail DMARC: none | quarantine | reject.
  • rua specifies where to send aggregate reports.
  • ruf specifies where to send forensic reports.
  • sp is the subdomain policy.
    If you have no subdomains for mail, it is best to reject.
  • ri is the time period for sending reports; default is 84600 seconds (24 hours).
Check your DMARC record and view the reports using https://dmarcian.com/ or https://mxtoolbox.com/domain/; both have validation tools for all DNS records.
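Before publishing, it is worth linting the record value, since a single mistyped separator (for example ri:84600 instead of ri=84600) silently breaks the tag. The following Python checker is an added example, not part of the original post; it understands the tags listed above and also emits the three phased records described in the rollout steps. The report address and sample records are constructed placeholders.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record value into a tag -> value dict.

    Tags are name=value pairs separated by ';'. A part without '='
    (such as the 'ri:84600' typo) is not a valid tag and is rejected.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' leaves an empty part
        if "=" not in part:
            raise ValueError(f"malformed tag (expected name=value): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks sane."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not record.lstrip().startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be one of none|quarantine|reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append("sp must be one of none|quarantine|reject")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer 0..100")
    for tag in ("rua", "ruf"):
        uris = tags.get(tag, "mailto:").split(",")
        if not all(u.strip().startswith("mailto:") for u in uris):
            problems.append(f"{tag} addresses must be mailto: URIs")
    if not tags.get("ri", "86400").isdigit():  # RFC 7489 default is 86400 s
        problems.append("ri must be an integer number of seconds")
    return problems


def rollout_records(report_addr: str) -> list:
    """The three phased records: monitor only, quarantine 5%, reject 5%."""
    base = f"rua=mailto:{report_addr}; ruf=mailto:{report_addr}; sp=reject"
    return [f"v=DMARC1; p=none; {base};",
            f"v=DMARC1; p=quarantine; pct=5; {base};",
            f"v=DMARC1; p=reject; pct=5; {base};"]
```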
