Enhance security for outgoing email (DMARC)
Add a DMARC record
Create the record
Once SPF and DKIM are in place, you configure DMARC by adding policies to your domain's DNS records in the form of TXT records (just like with SPF or ADSP).
Follow the instructions to create a TXT record with the appropriate name and value, using the specific instructions for popular domain hosts. The TXT record name should be "_dmarc.your_domain.com." where "your_domain.com" is replaced with your actual domain name. You can also review the limitations with some domain hosts.
Here are common tags used in DMARC TXT records:
|required||Policy for domain||p=quarantine|
|optional||% of messages subjected to filtering||pct=20|
|optional||Reporting URI of aggregate reports||rua=mailto:firstname.lastname@example.org|
|optional||Policy for subdomains of the domain||sp=reject|
|optional||Alignment mode for SPF||aspf=r|
See the DMARC Tag Registry for other available tags.
Only the v (version) and p (policy) tags are required. Three possible policy settings, or message dispositions, are available:
- none - Take no action. Log affected messages on the daily report only.
- quarantine - Mark affected messages as spam.
- reject - Cancel the message at the SMTP layer.
Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict. represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.
Make sure to include your email address with the optional rua tag to receive the daily reports.
Recommendations for ramping up DMARC use
We strongly recommend ramping up DMARC use slowly by employing these policies in this order. First, monitor your traffic and look for anomalies in the reports, such as messages that are not yet being signed or are perhaps being spoofed. Then, when you're comfortable with the results, change the TXT record policy setting from "none" to "quarantine." Once again, review the results, this time in both your spam catch and in the daily DMARC reports. Finally, once you're absolutely sure all of your messages are signed, change the policy setting to "reject" to make full use of DMARC. Revisit reports to ensure your results are acceptable.
Similarly, the optional pct tag can be used to stage and sample your DMARC deployment. Since 100% is the default, passing "pct=20" in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them. This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent and increase it every few days.
A conservative deployment cycle would resemble:
- Monitor all.
- Quarantine 1%.
- Quarantine 5%.
- Quarantine 10%.
- Quarantine 25%.
- Quarantine 50%.
- Quarantine all.
- Reject 1%.
- Reject 5%.
- Reject 10%.
- Reject 25%.
- Reject 50%.
- Reject all.
Attempt to remove the percentages as quickly as possible to complete the deployment.
As always, review your daily reports.
Here are some example DMARC TXT records (_dmarc.your_domain.com IN TXT) you can modify for your own use. Of course, replace "your_domain.com" and "postmaster@your_domain.com" with your actual domain and email address.
No action taken
In this TXT record, if a message claims to be from your domain.com and fails the DMARC checks, no action is taken. Instead, all of these messages appear on the daily aggregate report sent to "postmaster@your_domain.com."
"v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"
In this TXT record, if a message claims to be from your domain.com and fails the DMARC checks, quarantine it 5% of the time. Then email daily aggregate reports to "postmaster@your_domain.com."
"v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com"
In this TXT record, if a message claims to be from "your_domain.com" and fails the DMARC checks, reject it 100% of the time. Then email daily aggregate reports to "postmaster@your_domain.com" and "dmarc@your_domain.com."
"v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com"
The daily reports come in an XML format. Read them to better understand your email flow.The reports help you ensure your outbound email sources are authenticating properly. Ensure the various IPs sending mail claiming to come from your domain are indeed legitimate, configure them properly with DKIM or add them to their SPF range. The reports also helps you take fast action when you have a block policy in place if a new email source comes online or an existing email source's configuration breaks.Example report
Here is an excerpt of a report showing results for messages sent from a couple of IP addresses, one sent directly and the other forwarded. Both messages passed:
<record> <row> <source_ip>22.214.171.124</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> </policy_evaluated> </row> <identities> <header_from>stefanomail.com</header_from> </identities> <auth_results> <dkim> <domain>stefanomail.com</domain> <result>pass</result> <human_result></human_result> </dkim> <spf> <domain>stefanomail.com</domain> <result>pass</result> </spf> </auth_results> </record> <record> <row> <source_ip>126.96.36.199</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> <reason> <type>forwarded</type> <comment></comment> </reason> </policy_evaluated> </row> <identities> <header_from>stefanomail.com</header_from> </identities> <auth_results> <dkim> <domain>stefanomail.com</domain> <result>pass</result> <human_result></human_result> </dkim> <spf> <domain>stefanomail.com</domain> <result>pass</result> </spf> </auth_results> </record>