DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication, reporting, and policy standard. It is implemented to ensure that legitimate email is properly authenticated against the established DKIM and SPF mechanisms, so that fraudulent messages claiming to come from domains under the organization's control can be blocked.
To configure DMARC for use with DANAConnect you must:
1. Add the DNS TXT record for the domain to be configured:
_dmarc IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; rf=afrf; pct=100; ri=86400"
1.1. To configure in monitoring mode add:
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; pct=100; adkim=r; sp=none; fo=1; ri=43200"
1.2. To configure in quarantine mode:
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; pct=100; adkim=r; sp=quarantine; fo=1; ri=43200"
2. In addition, you must register the CNAME for the DANAConnect platform:
dana IN CNAME bounce.email-platform.com.
Description and values
v: Protocol version. Must be DMARC1.
p: Defines how your domain handles suspicious messages:
pct: Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check. Must be a whole number between 1 and 100. The default is 100.
rua: Email address to receive reports about DMARC activity for your domain. Use your own email address or create a new email address to receive reports. The email address must include mailto:, for example: mailto:email@example.com. To send the report to more than one email address, separate the addresses with a comma.
sp: Sets the policy for messages from subdomains of your main domain. Use this option if you want to use a different DMARC policy for your subdomains.
adkim: Sets the alignment mode for DKIM, which defines how exactly message information must match DKIM signatures.
aspf: Sets the alignment mode for SPF (ASPF), which defines how exactly message information must match SPF signatures.
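The tag rules above can be checked mechanically before a record is published. The following Python linter is an added example, not DANAConnect's code: the names parse_dmarc and lint_dmarc and the second sample record are constructed for illustration. It assumes that ruf follows the same mailto: rule as rua and that p is required.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^\s@,]+@[^\s@,]+")

# First record is the one shown on this page; the second is constructed to fail.
PAGE_RECORD = ("v=DMARC1; p=none; sp=none; rua=mailto:email@example.com; "
               "ruf=mailto:firstname.lastname@example.org; rf=afrf; pct=100; ri=86400")
BAD_RECORD = ("v=DMARC1; p=quarantine; pct=0; "
              "rua=mailto: email@example.com,postmaster@example.com; adkim=x")


def parse_dmarc(txt):
    """Split a TXT value into {tag: value}; spaces around ';' and '=' are ignored."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt):
    """Return the list of rule violations; an empty list means the record passed."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("v must be DMARC1")
    if "p" not in tags:
        problems.append("p is required")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag] not in POLICIES:
            problems.append(f"{tag}={tags[tag]} is not none, quarantine or reject")
    pct = tags.get("pct", "100")  # the default is 100
    if not (re.fullmatch(r"[0-9]{1,3}", pct) and 1 <= int(pct) <= 100):
        problems.append(f"pct={pct} is not a whole number between 1 and 100")
    for tag in ("rua", "ruf"):  # comma-separated list, each entry needs mailto:
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not MAILTO.fullmatch(uri):
                problems.append(f"{tag} entry {uri!r} is not mailto:user@domain")
    for tag in ("adkim", "aspf"):  # r = relaxed (default), s = strict
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}={tags[tag]} is not r or s")
    return problems


if __name__ == "__main__":
    for record in (PAGE_RECORD, BAD_RECORD):
        print(record, "->", lint_dmarc(record) or "OK")
```

The constructed record fails on four counts: pct out of range, a space after mailto:, a second report address without mailto:, and an invalid adkim value.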
Actions to take for failed DMARC check
TXT record contents
Take no action on messages that fail the DMARC check. Email a daily report to firstname.lastname@example.org.
Put 5% of the messages that fail the DMARC check in recipients' spam folders. Email a daily report to email@example.com.
Reject 100% of messages that fail the DMARC check. Email a daily report to two addresses: firstname.lastname@example.org and email@example.com.
Failed messages cause an SMTP bounce to the sender.
Use the policy (p) and percent (pct) options together to deploy DMARC gradually.
Use the policy (p) option. Set and change the policy option using the p tag value in the TXT record. Start with a quarantine policy so you can inspect suspicious messages. Then gradually modify the policy based on what you learn from quarantined messages and daily reports.
p=none: Monitor email traffic and look for issues in the daily reports, but let all messages through. Watch for spoofed messages and messages not signed with DKIM or SPF.
p=quarantine: When you're familiar with email patterns you see in the daily reports, change the policy to quarantine. Continue to review the daily reports and view the messages that are being set aside (quarantined) as spam.
p=reject: When you're sure all messages from your domain are signed, change the policy to reject to start filtering spam messages. Continue to review daily reports to check that you're filtering out spam and sending valid email to recipients.
Use the percent (pct) option. The percent option specifies what percentage of suspicious messages have the DMARC policy applied. Suspicious messages are messages that fail the DMARC check. The default is 100% (all suspicious messages). Set the percent option to fewer messages at first, increasing the percentage every few days as you refine your DMARC policy. For example, set the percent option to 20 to filter 20% of rejected or quarantined messages to start with. The following week, change the value from 20 to 50 to filter 50% of the messages.
Example deployment: Here is an example of how to use the p and pct options to gradually deploy a DMARC policy. Update your DMARC policy over time with these values: