Enabling DMARC (Domain-based Message Authentication, Reporting and Conformance)

Covering the basics of DMARC

The two most important things to consider when enabling DMARC are (1) making sure you got SPF and DKIM right and (2) defining your policy wisely. If you get either of them wrong, there can be a lot of noise.


For the first part, we recommend that you test your SPF and DKIM implementation before moving forward with DMARC. This page helps you with the second part.


The table below summarizes the options you have when configuring your DMARC policy (Tag, Purpose, Options):

Tag: v
Purpose: DMARC protocol version (required; must be the first tag in the record)
Options: DMARC1

Tag: p
Purpose: Policy requested for mail from the domain that fails the DMARC check (required)
Options:
  none: No specific action is requested; mail is delivered as usual and only reported on.
  quarantine: E-mail that fails the DMARC check should be considered suspicious.
  reject: E-mail that fails the DMARC check should be rejected.

Tag: sp
Purpose: Policy requested for mail from subdomains of the domain; defaults to the value of p
Options: same as p (none, quarantine, reject)

Tag: adkim
Purpose: Identifier Alignment mode for DKIM (how the DKIM signing domain must match the From domain)
Options:
  r: relaxed mode – The Organizational Domains of both domains must match (the default).
  s: strict mode – Only an exact match between both of the domains is considered to produce Identifier Alignment.

Tag: aspf
Purpose: Identifier Alignment mode for SPF (how the SPF-authenticated domain must match the From domain)
Options:
  r: relaxed mode – The Organizational Domains of both domains must match (the default).
  s: strict mode – Only an exact match between both of the domains is considered to produce Identifier Alignment.

Tag: rf
Purpose: Format of the failure reports requested with ruf
Options:
  afrf: Authentication Failure Reporting Format, as described in RFC 6591 (the default)
  iodef: Incident Object Description Exchange Format, as described in RFC 5070

Tag: ri
Purpose: Interval, in seconds, at which aggregate reports (rua) are requested
Options: a number of seconds; the default is 86400 (one day)

Tag: fo
Purpose: Conditions under which a failure report is generated
Options:
  0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned "pass" result (the default).
  1: Generate a DMARC failure report if any underlying mechanism produced something other than an aligned "pass" result.
  d: Generate a DKIM failure report if the message had a signature that failed evaluation.
  s: Generate an SPF failure report if the message failed SPF evaluation.
  Several options can be combined with a colon, for example fo=1:d:s.

Tag: pct
Purpose: Percentage of failing messages to which the requested policy is applied
Options: an integer from 0 to 100; the default is 100


DMARC implementation best practices

We recommend that you follow the best practices below when implementing DMARC:

  1. Form the DMARC TXT record using one of the DMARC record assistants listed at DMARC Deployment Tools.
  2. Start monitoring the impact of DMARC by applying a monitoring-only policy (p=none). You can do this even before implementing SPF and DKIM, as it gives insight into what is going to happen when you implement those mechanisms.
  3. Move to the quarantine policy after the testing phase (p=quarantine).
  4. Only request that external mail systems reject messages that fail DMARC (p=reject) if it makes sense for you, and only after extensive testing.


Form and deploy the DMARC TXT record

  1. Define the DMARC policy you want to apply.
  2. Use one of the record assistants listed at DMARC Deployment Tools to build the DMARC TXT record.
  3. Select the options according to the policy you defined.
  4. Publish the DMARC TXT record in your external DNS zone.
    For example, the DMARC TXT record below can be used for contoso.com:

    Type: TXT
    Name: _dmarc.contoso.com
    Value: "v=DMARC1; p=none; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com; fo=1"
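As an added example (not part of the original page or of any DMARC tool it mentions), the Python below splits a DMARC TXT record such as the contoso.com one above into its tags, validates each value against the options in the table, fills in the RFC 7489 defaults, and checks Identifier Alignment in relaxed and strict mode. The Organizational Domain lookup is an assumed simplification (last two labels) rather than a Public Suffix List lookup.

```python
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}            # r = relaxed, s = strict
FAILURE_OPTIONS = {"0", "1", "d", "s"}
REPORT_FORMATS = {"afrf", "iodef"}
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf",
            "ri": "86400", "pct": "100"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, validate each value against the
    options in the table above and fill in the RFC 7489 defaults."""
    if not record.lstrip().lower().startswith("v=dmarc1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if "p" not in tags:
        raise ValueError("p tag is required")
    tags.setdefault("sp", tags["p"])     # subdomain policy inherits p
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if {tags["p"], tags["sp"]} - POLICIES:
        raise ValueError("p/sp must be none, quarantine or reject")
    if {tags["adkim"], tags["aspf"]} - ALIGNMENT_MODES:
        raise ValueError("adkim/aspf must be r or s")
    if set(tags["fo"].split(":")) - FAILURE_OPTIONS:
        raise ValueError("fo must be a colon-separated subset of 0, 1, d, s")
    if set(tags["rf"].split(":")) - REPORT_FORMATS:
        raise ValueError("rf must be afrf and/or iodef")
    tags["ri"], tags["pct"] = int(tags["ri"]), int(tags["pct"])
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    for uri_tag in ("rua", "ruf"):      # report destinations are mailto: URIs
        uris = tags.get(uri_tag, "mailto:").split(",")
        if not all(u.strip().startswith("mailto:") for u in uris):
            raise ValueError(f"{uri_tag} must list mailto: URIs")
    return tags

def org_domain(domain: str) -> str:
    """Assumed simplification: the last two labels form the Organizational
    Domain. Real receivers consult the Public Suffix List (think co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier Alignment of the RFC5322.From domain with the SPF/DKIM
    authenticated domain: exact match (s) or same Organizational Domain (r)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)
```

Feeding the contoso.com record above to parse_dmarc yields p=none with sp inheriting none, fo=1, and the defaults adkim=r, aspf=r, ri=86400 and pct=100; a record with p=block or pct=150 is rejected.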