Manage suspicious emails with DMARC policy

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used in conjunction with SPF and DKIM to help protect against email spoofing. Spoofing happens when a scammer edits the From field of an email message to impersonate someone from within your domain. DMARC uses a policy that is given by your email provider. This policy tells the receiving email host how to treat emails sent from your domain, based on the criteria that you set in the DMARC DNS record. Enabling a DMARC policy also gives you reports that show what your domain is sending and how receiving mail hosts are treating the email messages from your domain.

DMARC enforces SPF and DKIM. DMARC is useful only if you have already set up SPF and DKIM records. Before creating your DMARC policy, you must first create an SPF record, then create a DKIM record, and lastly create a DMARC record policy.

Example DMARC policies

These are some example policies and how they appear in the DNS TXT record.

Each DMARC policy action is followed by its DMARC TXT record.

No action taken on messages that fail the DMARC check. Email a daily report to dmarc@yourdomain.com.

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Deliver 10% of the messages that fail the DMARC check in recipients' spam folders. Email a daily report to dmarc@yourdomain.com.

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

Reject 100% of messages that fail the DMARC check. Email a daily report to two addresses: postmaster@yourdomain.com and dmarc@yourdomain.com.

Failed messages result in an SMTP bounce back message to sender.

v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com, mailto:dmarc@yourdomain.com

Add a TXT record to turn on DMARC

To turn on DMARC, update your domain settings with a DNS TXT record. When first introducing the policy, it is advised to set enforcement to none (p=none), so that there are no adverse effects on email delivery while you are starting out. This helps ensure everything is working properly and you don't accidentally send all your outbound email to the spam folder.

Follow these steps to add a DMARC TXT record for your domain:

  1. Log in to the Client Area and click the domains tab.
  2. Find the domain name you wish to edit from the list and select Manage Domain from the drop-down.
  3. On the left overview menu, select DNS Management.
  4. Select txt as the record type and enter the DMARC policy you have chosen, replacing the example domain and values with your own.

DMARC TXT record values explained

The example DMARC record below is a good place to start, although no action will be taken other than the sending of the reports.

Host Name: _dmarc

Record Type: SPF (txt)

Address: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Each tag is listed below by tag name, whether it is required, and its description and values.

v

Required

Protocol version. Must be DMARC1.

p

Required

Defines how receiving mail servers should handle suspicious messages from your domain:

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and move to recipient's spam folder.
  • reject: Tell receiving servers to reject the message. In this case a bounce back message is usually returned to sender.

pct

Optional

Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check.

Must be a whole number between 1 and 100. The default is 100.

rua

Optional

Email address to receive DMARC reports for your domain. Use an email alias or create a new email address to receive these reports.

The email address must include mailto:, for example: mailto:dmarc-reports@yourdomain.com

To send the report to more than one email address, separate the addresses with a comma. Use no more than 2 addresses, as some services have been reported to ignore more than 2 DMARC notifications.

sp

Optional

The subdomain policy is applied to all subdomains of the domain. It uses the same format as the p value above.

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and hold them for more processing.
  • reject: Instruct receiving servers to reject the message.

adkim

Optional

This value allows you to set strict (s) or relaxed (r, which is the default) alignment for the DKIM identifier.

  • s: Strict. The sender domain name must exactly match the corresponding d=name in the DKIM mail headers.
  • r: Relaxed (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted.

aspf

Optional

This value has the same settings and impact as the adkim value above, but is for SPF instead.

  • s: Strict. The message From: header must exactly match the domain.name in the SMTP MAIL FROM command.
  • r: Relaxed (default). Allows partial matches. Any valid subdomain of domain.name is accepted.
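
The tag rules above can be checked mechanically before a record is published. The following is an added example, not part of the original article or any Thexyz tooling; the function names parse_dmarc and check_dmarc are hypothetical, the pct range follows the table above, and the v-first and sp-defaults-to-p rules are taken from RFC 7489.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return (effective settings, list of problems) for one TXT record value."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {}, [str(exc)]
    problems = []
    # v-first and sp-defaults-to-p come from RFC 7489, not from the table.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if tags.get("sp", "none") not in VALID_POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct_raw = tags.get("pct", "100")  # default is 100
    pct = int(pct_raw) if pct_raw.isascii() and pct_raw.isdigit() else None
    if pct is None or not 1 <= pct <= 100:  # range as given in the table
        problems.append("pct must be a whole number between 1 and 100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    problems += [f"rua address must include mailto: ({u})"
                 for u in rua if not u.lower().startswith("mailto:")]
    if len(rua) > 2:
        problems.append("more than 2 rua addresses; some receivers ignore extras")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag} must be s (strict) or r (relaxed)")
    settings = {"p": policy, "sp": tags.get("sp", policy), "pct": pct, "rua": rua,
                "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}
    return settings, problems

if __name__ == "__main__":
    samples = [  # first is from the article; second is constructed to fail
        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com",
        "p=reject; v=DMARC1; pct=0; rua=dmarc@yourdomain.com; adkim=x",
    ]
    for record in samples:
        print(record, "->", check_dmarc(record))
```
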

 
