What is DMARC and what is it for?
A DMARC record (Domain-based Message Authentication Reporting, & Conformance) is a text entry within the DNS that tells the world your email domain’s policy when it comes to checking to see if your SPF and/or DKIM has passed or failed.Following is an example of a DMARC record (_dmarc.your-domain.com):
v=DMARC1; p=none; sp=reject; fo=1; rua=mailto:[email protected]
"v=" indicates this is a DMARC record"p=" indicates the DMARC policy (none, quarantine or reject)
"sp=" This tag is used to indicate a requested policy for all subdomains where mail is failing the DMARC authentication and alignment checks. It is most effective when a domain owner wants to specify different policies for the primary domain and all subdomains. The policy options are the same as the "p" tag listed above. If this tag is not used for subdomains, the policy set using the p tag will apply to the primary domain and all of its subdomains.
"rua=" indicates where data should be sent
RUA is reporting that provides an aggregate view of all of a domain’s traffic. The other option is RUF reports that are redacted forensic copies of the individual emails that are not 100% compliant with DMARC. While RUA reports show the traffic of the email, RUF reports contain snippets from the actual emails themselves. While RUA reporting is all that is needed for DMARC deployment, more advanced users may also add the RUF tag, which will send more sensitive information.
"fo=" This is a tag that lets mailbox providers know you want message samples of emails that failed either SPF and/or DKIM.
There are four value options available:
0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail to produce an aligned "pass" result. (default)
1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM) produced something other than an aligned "pass" result. (recommended)
d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
"adkim=" Indicates strict (s) or relaxed (r) DKIM identifier alignment. The default is relaxed (r).
"aspf=" Indicates strict (s) or relaxed (r) SPF identifier alignment. The default is relaxed (r).
"pct=" The percentage of messages to which the DMARC policy is to be applied. This tag provides a way to gradually implement and test the impact of the policy.
Values are integers ranging from 1 - 100. The default value is 100.
06 May 2024, 15:52:24