DMARC Configuration

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication standard. It is implemented to ensure that legitimate email is properly authenticated against the established DKIM and SPF standards, which may block fraudulent activity that comes from domains under the control of the organization.

To configure DMARC for use with DANAConnect you must:

  1. Add the DNS TXT record for the domain to be configured:

_dmarc IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:sudominio@danaconnect-dmarc.com; ruf=mailto:sudominio@danaconnect-dmarc.com; rf=afrf; pct=100; ri=86400"

1.1. To configure in monitoring mode add:

_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:cliente-rep@danaconnect-dmarc.com; ruf=mailto:cliente-for@danaconnect-dmarc.com; pct=100; adkim=r; sp=none; fo=1; ri=43200"

1.2. To configure in quarantine mode:

_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:cliente-rep@danaconnect-dmarc.com; ruf=mailto:cliente-for@danaconnect-dmarc.com; pct=100; adkim=r; sp=quarantine; fo=1; ri=43200"

2. In addition, you must register the CNAME for the DANAConnect platform:

dana IN CNAME bounce.email-platform.com.

DMARC TXT record values

| Tag Name | Required | Description and values |
| --- | --- | --- |
| v | Required | Protocol version. Must be DMARC1. |
| p | Required | Defines how your domain handles suspicious messages: • none: Take no action on the message. Log suspicious messages in the daily report. • quarantine: Mark the messages as spam and move them to the recipient's spam folder. • reject: Tell receiving servers to reject the message. When this happens, the receiving server should send a bounce to the sending server. |
| pct | Optional | Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check. Must be a whole number between 1 and 100. The default is 100. |
| rua | Optional | Email address to receive reports about DMARC activity for your domain. Use your own email address or create a new email address to receive reports. The email address must include mailto:, for example: mailto:dmarc-reports@yourdomain.com. To send the report to more than one email address, separate emails with a comma. |
| sp | Optional | Sets the policy for messages from subdomains of your main domain. Use this option if you want to use a different DMARC policy for your subdomains. • none: Take no action on the message. Log suspicious messages in the daily report. • quarantine: Mark the messages as spam and hold them for more processing. • reject: Instruct receiving servers to reject the message. |
| adkim | Optional | Sets the alignment mode for DKIM, which defines how exactly message information must match DKIM signatures. • s: Strict. The sender domain name must exactly match the corresponding d=name in the DKIM mail headers. • r: Relaxed (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted. |
| aspf | Optional | Sets the alignment mode for SPF (ASPF), which defines how exactly message information must match SPF signatures. • s: Strict. The message From: header must exactly match the domain.name in the SMTP MAIL FROM command. • r: Relaxed (default). Allows partial matches. Any valid subdomain of domain.name is accepted. |
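A linter for the tag rules in the table above, as an added example that is not DANAConnect's own tooling. The function names are hypothetical and the sample record is constructed; the rule that v=DMARC1 must come first is from RFC 7489, and the pct range follows this page.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# mailto: URI with no embedded whitespace; an optional size limit such as !10m is allowed.
MAILTO = re.compile(r"^mailto:[^\s@,!]+@[^\s@,!]+(![0-9]+[kmgt]?)?$", re.I)

def parse_dmarc(record):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return the problems found in a DMARC TXT value (empty list means clean)."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    # RFC 7489 requires the version tag to come first, spelled exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append("sp must be none, quarantine or reject")
    pct = tags.get("pct", "100")  # default is 100; range as given on this page
    if not (pct.isascii() and pct.isdigit() and 1 <= int(pct) <= 100):
        problems.append("pct must be a whole number between 1 and 100")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ("r", "s"):
            problems.append(f"{tag} must be r (relaxed) or s (strict)")
    for tag in ("rua", "ruf"):
        uris = tags[tag].split(",") if tag in tags else []
        for uri in uris:
            if not MAILTO.match(uri.strip()):
                problems.append(f"{tag}: invalid report address {uri.strip()!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample: wrong tag order, pct out of range, space after "mailto:".
    sample = "p=quarantine; v=DMARC1; pct=0; rua=mailto: reports@example.com"
    for problem in lint_dmarc(sample):
        print(problem)
```

Run it against the TXT value before publishing the record; an empty list means none of the rules above were violated.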

Usage examples

| Actions to take for failed DMARC check | TXT record contents |
| --- | --- |
| Take no action on messages that fail the DMARC check. Email a daily report to dmarc@solarmora.com. | v=DMARC1; p=none; rua=mailto:sudominio@danaconnect-dmarc.com |
| Put 5% of the messages that fail the DMARC check in recipients' spam folders. Email a daily report to dmarc@solarmora.com. | v=DMARC1; p=quarantine; pct=5; rua=mailto:sudominio@danaconnect-dmarc.com |
| Reject 100% of messages that fail the DMARC check. Email a daily report to two addresses: postmaster@solarmora.com and dmarc@solarmora.com. Failed messages cause an SMTP bounce to the sender. | v=DMARC1; p=reject; rua=mailto:sudominio@danaconnect-dmarc.com, mailto:sudominio@danaconnect-dmarc.com |

Use the policy (p) and percent (pct) options together to deploy DMARC gradually.

Use the policy (p) option. Set and change the policy option using the p tag value in the TXT record. Start with a quarantine policy so you can inspect suspicious messages. Then gradually modify the policy based on what you learn from quarantined messages and daily reports.

  1. p=none: Monitor email traffic and look for issues in the daily reports, but let all messages through. Watch for spoofed messages and messages not signed with DKIM or SPF.

  2. p=quarantine: When you're familiar with email patterns you see in the daily reports, change the policy to quarantine. Continue to review the daily reports and view the messages that are being set aside (quarantined) as spam.

  3. p=reject: When you're sure all messages from your domain are signed, change the policy to reject to start filtering spam messages. Continue to review daily reports to check that you're filtering out spam and sending valid email to recipients.

Use the percent (pct) option. The percent option specifies what percentage of suspicious messages have the DMARC policy applied. Suspicious messages are messages that fail the DMARC check. The default is 100% (all suspicious messages). Set the percent option to fewer messages at first, increasing the percentage every few days as you refine your DMARC policy. For example, set the percent option to 20 to filter 20% of rejected or quarantined messages to start with. The following week, change the value from 20 to 50 to filter 50% of the messages.

Example deployment: Here is an example of how to use the p and pct options to gradually deploy a DMARC policy. Update your DMARC policy over time with these values:

  1. p=none pct=100

  2. p=quarantine pct=1

  3. p=quarantine pct=5

  4. p=quarantine pct=10

  5. p=quarantine pct=25

  6. p=quarantine pct=50

  7. p=quarantine pct=100

  8. p=reject pct=1

  9. p=reject pct=5

  10. p=reject pct=10

  11. p=reject pct=25

  12. p=reject pct=50

  13. p=reject pct=100
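A check that a proposed record change moves one step at a time through the deployment list above, as an added example that is not part of the original page. The function names and result strings are hypothetical, and treating pct as irrelevant under p=none is an assumption of this sketch.

```python
import re
from bisect import bisect_right

RANK = {"none": 0, "quarantine": 1, "reject": 2}
# The 13 steps of the example deployment, as sortable (policy rank, pct) keys.
LADDER = [(0, 100)] + [(r, pct) for r in (1, 2) for pct in (1, 5, 10, 25, 50, 100)]

def rung(record):
    """Index of the highest deployment step that the record has reached."""
    p = re.search(r"(?:^|;)\s*p\s*=\s*(\w+)", record)
    if not p or p.group(1).lower() not in RANK:
        raise ValueError("record has no valid p tag")
    rank = RANK[p.group(1).lower()]
    pct = re.search(r"(?:^|;)\s*pct\s*=\s*(\d+)", record)
    # pct defaults to 100; assumed to have no effect under p=none.
    percent = int(pct.group(1)) if pct and rank else 100
    return bisect_right(LADDER, (rank, percent)) - 1

def review_change(old, new):
    """Classify a proposed DMARC record change against the deployment steps."""
    before, after = rung(old), rung(new)
    if after == before:
        return "unchanged"
    if after < before:
        return "rollback"
    if after == before + 1:
        return "next step"
    return f"skips {after - before - 1} steps"

if __name__ == "__main__":
    # Constructed records: jumping from quarantine at 10% straight to full reject.
    print(review_change("v=DMARC1; p=quarantine; pct=10", "v=DMARC1; p=reject"))
```

A pct value that is not in the list, such as 20, is placed on the nearest lower step.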