
Complete Guide to DMARC Records to Protect Your Emails


Introduction: What is DMARC and Why is it Essential?

Email security is a top priority for companies and organizations today, especially given the rise in cyber threats such as phishing and spoofing. DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” is a security protocol that helps protect emails sent from your domain against these types of attacks. By verifying the origin of emails and setting compliance rules, DMARC enhances your domain’s credibility and improves email deliverability. In this article, we’ll explore the key elements of DMARC records, their importance, and configuration steps.

What is a DMARC Record?

A DMARC record is a DNS (Domain Name System) entry that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records. DMARC validates the authenticity of emails by verifying that the message originates from an authorized source. When a message fails that check, DMARC also lets the domain owner tell receivers how to handle it, such as quarantining or rejecting it.

Why Set Up a DMARC Record?

Implementing DMARC brings numerous benefits:

  • Protection Against Phishing and Spoofing: DMARC prevents cybercriminals from impersonating your identity to deceive your customers or partners.
  • Improved Domain Reputation: Receiving servers better identify trustworthy emails.
  • Enhanced Email Deliverability: A secure, DMARC-compliant domain is less likely to have emails marked as spam.

How to Set Up a DMARC Record

1. Ensure SPF and DKIM Records are Configured

Before setting up DMARC, make sure SPF and DKIM records are correctly configured, as they are required for DMARC to function. SPF specifies which servers are authorized to send emails on your domain’s behalf, while DKIM adds a digital signature to ensure message integrity.

2. Create Your DMARC Record

A DMARC record is a DNS entry configured in your domain’s DNS zone. It includes several parameters that dictate DMARC policy behavior. Here is an example DMARC record with explanations for each component:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=s; aspf=r; fo=1 

Let’s break down this record:

  • v=DMARC1: Indicates the DMARC protocol version. This must always be “DMARC1.”
  • p=none: The handling policy for non-compliant emails, which can be set to none (monitoring), quarantine, or reject.
  • rua=mailto:dmarc-reports@yourdomain.com: The address for receiving aggregated DMARC reports, summarizing activity on your domain.
  • ruf=mailto:dmarc-failures@yourdomain.com: The address for receiving detailed (forensic) failure reports, providing specific information on each failed email. Note that some providers may limit the frequency of these reports.
  • pct=100: The percentage of emails to apply the DMARC policy to. Use 100 to apply the policy to all emails or adjust the percentage for a gradual approach.

Advanced DMARC Settings

  • rf=afrf: This parameter (report format) sets the format for forensic reports. The most common value is afrf, which specifies an authentication feedback report format.
  • ri=86400: This parameter (report interval) specifies, in seconds, how often aggregated reports should be sent. The default of 86400 seconds (24 hours) gives one report per day and is the recommended value.
  • adkim=s: Defines DKIM alignment mode. Options are s (strict) or r (relaxed). With s, the domain in the DKIM signature (its d= tag) must match the From header domain exactly; with r, a subdomain of the same organizational domain is also accepted.
  • aspf=r: Determines SPF alignment mode. Like adkim, the options are s (strict) and r (relaxed). With r, the SPF-authenticated (envelope sender) domain may be a subdomain of the From header's organizational domain; with s, it must match the From header domain exactly.
  • fo=1: This parameter (failure reporting options) specifies conditions for generating a failure report. Options include:
    • 0: No failure reports generated.
    • 1: A report is generated for all SPF and DKIM failures.
    • d: A report is generated for DKIM failures only.
    • s: A report is generated for SPF failures only.

Combining these options allows you to fine-tune your DMARC record to suit the specific needs of your domain and its subdomains.

3. Select a Policy

The policy dictates how to handle emails that fail DMARC verification:

  • p=none: Monitoring mode. Failed emails are recorded in reports but no action is taken.
  • p=quarantine: Failed emails are marked as spam or placed in quarantine.
  • p=reject: Failed emails are outright rejected by the receiving server.

Generally, start with p=none to observe results, and gradually move to p=reject for maximum security.

4. Set Policy for Subdomains (sp)

DMARC also allows specifying a policy for subdomains of your primary domain. This can be useful if you want a different policy for emails sent from subdomains (such as support.yourdomain.com) compared to the main domain (yourdomain.com). To set this, add the sp parameter in your DMARC record.

Options for the sp parameter include:

  • sp=none: No action is taken on non-compliant emails from subdomains.
  • sp=quarantine: Non-compliant emails from subdomains are quarantined.
  • sp=reject: Non-compliant emails from subdomains are rejected.

5. Define Reporting Addresses

DMARC allows receiving both activity and failure reports for your emails. Two types of addresses are used:

  • rua: Aggregated reports summarizing DMARC activity.
  • ruf: Forensic reports detailing each failure.

Make sure these addresses are valid and capable of receiving a high volume of reports.

6. Adjust the Percentage of Emails Affected

The pct parameter allows you to control the percentage of emails subject to DMARC. Use pct=100 to apply DMARC to all emails, or lower the percentage if you want to test DMARC gradually.
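As an added example (not code from the original article), the following Python snippet parses a record like the ones above into its tags, rejects malformed or out-of-range values, and then applies the adkim/aspf alignment rules and the p/sp policy choice the way a receiving server would. The sample record, the organizational-domain heuristic, and the function names are assumptions made for this illustration.

```python
POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}, "rf": {"afrf"}}

# Constructed sample record, as it would be published in the TXT record at _dmarc.yourdomain.com.
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; adkim=s; aspf=r; fo=1"

def parse_dmarc(record):
    """Split a DMARC TXT record into tags and reject malformed or out-of-range values."""
    tags = {}
    for part in filter(str.strip, record.split(";")):  # skips the empty trailing piece
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        key, val = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = val
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("the p tag is required")
    for key, allowed in ALLOWED.items():
        if key in tags and tags[key] not in allowed:
            raise ValueError(f"invalid {key}={tags[key]!r}")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    for key in ("rua", "ruf"):
        for uri in filter(None, tags.get(key, "").split(",")):
            if not uri.startswith("mailto:"):
                raise ValueError(f"{key} must use mailto: URIs, got {uri!r}")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels; real checkers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """adkim/aspf: s needs an exact match, r accepts the same organizational domain."""
    auth_domain = (auth_domain or "").lower()
    if mode == "s":
        return header_from.lower() == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(tags, policy_domain, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return 'pass', or the disposition (p, or sp for a subdomain) a receiver would apply."""
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, passing mechanism suffices (pct sampling not modelled)
    if header_from.lower() != policy_domain.lower():
        return tags.get("sp", tags["p"])
    return tags["p"]
```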

Testing and Adjusting Your DMARC Record

Once your DMARC record is configured, monitor the reports to identify any issues. Here are some points to consider:

  • Check Failure Rates: High failure rates may indicate errors in SPF/DKIM configuration or suspicious activity.
  • Adjust the Policy: Gradually shift from a p=none policy to p=quarantine or p=reject to enhance security.
  • Analyze Reports: Aggregated reports help you identify sources of non-compliant emails and address any potential issues.
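To act on the aggregate (rua) reports described above, here is an added example (not from the article) that parses a constructed aggregate report in the standard DMARC XML layout and computes per-source failure rates, flagging sources that are most likely misconfigured senders or unauthorized use of the domain. The IP addresses, counts, and the 50% threshold are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a DMARC aggregate (rua) report, trimmed to the fields used below.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: total messages and how many failed DMARC (no aligned pass for either mechanism)."""
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "failed": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # policy_evaluated/dkim and /spf are already alignment-aware; DMARC fails only if both fail
        failed = ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass"
        stats[ip]["total"] += count
        if failed:
            stats[ip]["failed"] += count
    return dict(stats)

def flag_sources(stats, threshold=0.5):
    """IPs whose failure rate exceeds the threshold: candidates for SPF/DKIM fixes or for blocking."""
    return sorted(ip for ip, s in stats.items() if s["total"] and s["failed"] / s["total"] > threshold)

def overall_failure_rate(stats):
    total = sum(s["total"] for s in stats.values())
    return sum(s["failed"] for s in stats.values()) / total if total else 0.0
```

A source that passes SPF but fails DKIM (192.0.2.20 in the sample) still passes DMARC, which is why the summary counts a failure only when neither mechanism produced an aligned pass.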

Examples of DMARC Records for Different Scenarios

Observation Only (p=none)

This DMARC record is in observation mode, meaning that failed emails are only recorded in reports without any action taken on them.

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=r; aspf=r; fo=0

Details:

  • Main Policy (p=none): Failed emails are recorded for observation.
  • Aggregate Reports (rua): Sent to dmarc-reports@yourdomain.com.
  • Percentage (pct=100): The policy applies to all emails.
  • Report Format (rf=afrf): Forensic reports use the afrf format.
  • Report Interval (ri=86400): Reports are sent every 24 hours.
  • DKIM and SPF Alignment (adkim=r, aspf=r): Flexible alignment for DKIM and SPF.
  • Failure Report Options (fo=0): No detailed failure reports are generated.

Quarantine Failed Emails (p=quarantine)

This record quarantines all emails that fail DMARC verification.

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=r; aspf=r; fo=1

Details:

  • Main Policy (p=quarantine): Failed emails are quarantined.
  • Aggregate Reports (rua): Sent to dmarc-reports@yourdomain.com.
  • Percentage (pct=100): The policy applies to all emails.
  • Report Format (rf=afrf): Forensic reports use the afrf format.
  • Report Interval (ri=86400): Reports are sent every 24 hours.
  • DKIM and SPF Alignment (adkim=r, aspf=r): Flexible alignment for DKIM and SPF.
  • Failure Report Options (fo=1): A failure report is generated for all SPF and DKIM failures.

Reject Failed Emails (p=reject)

This record rejects all emails that fail DMARC verification.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=s; aspf=s; fo=1

Details:

  • Main Policy (p=reject): Failed emails are rejected.
  • Aggregate Reports (rua): Sent to dmarc-reports@yourdomain.com.
  • Percentage (pct=100): The policy applies to all emails.
  • Report Format (rf=afrf): Forensic reports use the afrf format.
  • Report Interval (ri=86400): Reports are sent every 24 hours.
  • DKIM and SPF Alignment (adkim=s, aspf=s): Strict alignment required for DKIM and SPF.
  • Failure Report Options (fo=1): A failure report is generated for all SPF and DKIM failures.

Reject Failed Emails (p=reject) and Quarantine Emails from Subdomains (sp=quarantine)

This configuration rejects failed emails from the main domain and quarantines those from subdomains.

v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=s; aspf=r; fo=1

Details:

  • Main Policy (p=reject): Failed emails from the main domain are rejected.
  • Subdomain Policy (sp=quarantine): Failed emails from subdomains are quarantined.
  • Aggregate Reports (rua): Sent to dmarc-reports@yourdomain.com.
  • Percentage (pct=100): The policy applies to all emails.
  • Report Format (rf=afrf): Forensic reports use the afrf format.
  • Report Interval (ri=86400): Reports are sent every 24 hours.
  • DKIM and SPF Alignment (adkim=s, aspf=r): Strict alignment for DKIM, flexible alignment for SPF.
  • Failure Report Options (fo=1): A failure report is generated for all SPF and DKIM failures.

Complete DMARC Record Example

This record applies a quarantine policy to the main domain and a reject policy to subdomains, and includes all the advanced parameters for optimal protection.

v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; pct=100; rf=afrf; ri=86400; adkim=s; aspf=r; fo=1

Details:

  • Main Policy (p=quarantine): Failed emails are quarantined.
  • Subdomain Policy (sp=reject): Failed emails from subdomains are rejected.
  • Aggregate Reports (rua): Sent to dmarc-reports@yourdomain.com.
  • Forensic Failure Reports (ruf): Sent to dmarc-failures@yourdomain.com.
  • Percentage (pct=100): The policy applies to all emails.
  • Report Format (rf=afrf): Forensic reports use the afrf format.
  • Report Interval (ri=86400): Reports are sent every 24 hours.
  • DKIM and SPF Alignment (adkim=s, aspf=r): Strict alignment for DKIM, flexible for SPF.
  • Failure Report Options (fo=1): A failure report is generated for all SPF and DKIM failures.

Conclusion

Configuring a DMARC record is an essential step to protect your domain from email attacks. By following these steps, you not only improve the security of your communications but also enhance your domain’s reputation with recipients. Be sure to regularly monitor your DMARC reports and adjust your settings as needed to maintain optimal protection.
