Email Authentication - DMARC

Modified on Tue, 8 Oct, 2024 at 3:47 AM


What is DMARC?


DMARC, or Domain-based Message Authentication Reporting and Conformance, is a technical tool that verifies emails by combining SPF and DKIM methods. It's free to use and helps prevent email fraud like phishing. Introduced in 2012, it enables domain owners to specify how unauthorized use of their email domains should be managed through a policy in the DMARC record (p=).



What is DMARC Record?


A DMARC record, housed in a TXT-type DNS entry named _dmarc, outlines policies and preferences for email servers. It's composed of tags assigned with values separated by semicolons.


Here are the key tags used in setting up a DMARC record:


  • v (DMARC Version):

    • Default: DMARC1
    • Translation: Denotes the DMARC protocol version. Must always be set as "DMARC1". If missing or incorrect, the entire DMARC record is ignored.
  • p (Policy):

    • Default: none
    • Translation: Specifies the action for emails failing DMARC checks.
      • none: Collects feedback without impacting existing flows.
      • quarantine: Treats suspicious emails, often directed to the spam folder.
      • reject: Rejects all failing emails outright.
  • adkim (DKIM Alignment Mode):

    • Default: r
    • Translation: Specifies the alignment mode for DKIM signatures.
      • "r" (Relaxed Mode): Allows DKIM domains sharing a common Organizational Domain to pass.
      • "s" (Strict Mode): Requires an exact match between DKIM and email header-From domains.
  • aspf (SPF Alignment Mode):

    • Default: r
    • Translation: Similar to adkim but for SPF authentication.
      • "r" (Relaxed Mode): Allows SPF domains sharing a common Organizational Domain to pass.
      • "s" (Strict Mode): Requires an exact match between SPF and email header-From domains.
  • sp (Sub-domain Policy):

    • Default: p= value
    • Translation: Allows explicit publishing of a policy for sub-domains under this DMARC record.
  • fo (Forensic Reporting Options):

    • Default: 0
    • Translation: Determines conditions for generating forensic reports.
      • "0": Generates reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
      • "1": Generates reports if any mechanisms fail.
      • "d": Generates reports if DKIM signature fails.
      • "s": Generates reports if SPF fails.
  • ruf (URI for Forensic Reports):

    • Default: none
    • Translation: Specifies where to send Forensic reports (URIs in the form of "mailto@example.org").
  • rua (URI for XML Feedback):

    • Default: none
    • Translation: Specifies where to send XML feedback reports (URIs in the form of "[email protected]").
  • rf (Reporting Format for Forensic Reports):

    • Default: afrf
    • Translation: Determines the reporting format for individual Forensic reports.
  • pct (Percentage):

    • Default: 100
    • Translation: Specifies the percentage of email failures for which the policy should be applied. The policy must be "quarantine" or "reject" for the percentage tag to be applied.
  • ri (Reporting Interval):

    • Default: 86400
    • Translation: Sets the frequency of receiving aggregate XML reports.

Each tag serves a specific role in defining DMARC policies and mechanisms for authentication and feedback, ensuring email security and proper handling of failed checks.


For assistance in creating a DMARC record, utilizing a DMARC generator tool is recommended.



How does DMARC work?



Authentication:

  • SPF/DKIM Check:
    • Receiving servers verify SPF or DKIM authentication methods.
  • Domain Alignment:
    • Validates if the SPF domain (Return-Path) or DKIM domain (d=) aligns with the "From" domain in the email header.
  • DMARC Policy:
    • Extracts and enforces the DMARC policy from the DNS record of the "From" domain.


Alignment Modes:

  • Relaxed (r) Mode:
    • Allows subdomains in SPF/DKIM checks, comparing them to the "From" domain.
  • Strict (s) Mode:
    • Requires exact matching of SPF/DKIM domains with the "From" domain.

Reporting:

  • Aggregate Reports:
    • Include pass/fail results in periodic aggregate reports sent via specified email addresses using the rua tag.
  • Forensic Reports:
    • Detailed failure reports sent to specified addresses (ruf), but many providers avoid sending these due to sensitive information concerns.
  • Reporting Interval (ri):
    • Determines the frequency of sending aggregate XML reports.


Conformance (Policy):

  • DMARC Policy (p):
    • Defines how servers handle failed DMARC checks.
  • Percentage (pct):
    • Specifies the percentage of message traffic subject to DMARC verification.


Each configuration serves to authenticate emails and define policies for handling failures while allowing flexibility in reporting and enforcement levels based on the sender's requirements and verification stages.




Resolving DMARC Email Failures for Users on LC Email Shared Domains

When you switched to the LC email system or did not configure your own mailgun / SMTP, all your email will be sent through the LC shared domain.


The error message says:


"The domain in your from address ([email protected]) has a p=reject DMARC policy. Without a dedicated sending domain configured, most inbox providers will reject your messages, resulting in elevated bounces. To avoid elevated bounces, use company emails."


Your actual DMARC record is:
v=DMARC1; p=reject


To fix the issue, temporarily change your DMARC record with your DNS to have a p=none policy.


The DMARC error message above has a p=reject or p=quarantine. This will prevent emails that fail DMARC from being sent to the Inbox folder. To make sure messages are delivered even if DMARC fails, you will want to change the policy in your DMARC to p=none with your DNS provider. Moving to a more relaxed policy is not recommended, so this change should be temporary.


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article