Introduction of DMARC

What is DMARC

DMARC is an extension of SPF and DKIM security, also acting on a DNS entry but not only based on it. The basic principle of DMARC is to inform domain administrators that someone is trying to impersonate their domain and send fake emails from it.

The first thing we need to know about DMARC is that it requires SPF and DKIM input. Without both of these extensions DMARC can cause a lot of confusion in our mail and even prevent it from being sent to servers that support it. Sample DMARC entry:

You can immediately notice that DMARC entry, similarly to SPF, is always in one place ( _dmarc.domain.pl txt record), it does not require knowledge of the selector as it is in the case of DKIM. The rest look similar to SPF but there are some exceptions:

• v – used DMARC version (required)
• p – policy what to do with messages (required)
• pct – percentage of messages (e.g. 20) to be given to the policy (default 100, not required)
• rua – e-mail address to which abuse reports should be sent (not required)
• sp – policy for sub domains e.g. zlodziej.roan24.pl (not required)
• aspf – policy on DKIM and SPF – see below (not required)

P and SP – the tags given take three options

• none – do not take any special action on the basis of DMARC just collect information – good as we are just introducing DMARC, it can protect us from false positives where for example we forgot to add some SPF server or we sign messages with DKIM, but we do not have DNS entry, very good option to test your settings.
• quarantine – that is, if the message does not pass the DMARC test then it should be delivered but marked as spam.
• reject – this message is to be rejected if it fails the DMARC test.

Aspf – An important element that will soon be set to s in our post – that is strict where the message must pass the SPF and DKIM test perfectly, in case. While the second option is the default r – that is relaxed, the message may pass the SPF or DKIM test only in part, for example a valid DKIM signature but an invalid domain.

Gathering all the information I recommend to start by using the entry as given for our domain only change the email address to yours and test. If the tests are successful slowly change.

Sample reports

That is, the reports we got from hotmail.com, for example:

[codeblocks name='hotmail']

Where you can immediately see that hotmail had a temporary problem connecting to one of our DNS servers because the IP address was perfectly valid, and next to DKIM and SPF we can see that this is just a temporary error. Another important piece of information is the time range given as a unix time stamp. Which helps later to determine the time when the message was sent if it was sent from our server.

163.com, on the other hand, sent us:

[codeblocks name='163']

After which it is clear that someone tried to impersonate our domain address, but as you can see the message failed both the DKIM and SPF tests.

Summary

DMARC is the cherry on the cake with DKIM and SPF because it helps to clearly determine what to do with what message and who to inform about possible attempts to impersonate our domain.

For more information, you can reach out to the project’s main website : . Or ask in the comments.