DMARC
Without DMARC, an attacker can easily impersonate your domain: an email may appear to come from you when in fact it does not.
What is DMARC?
DMARC stands for "Domain-based Message Authentication, Reporting and Conformance". It is a protocol developed from the existing SPF and DKIM protocols.
DMARC does several things:
- It takes into account the results of SPF and DKIM.
- Not only must SPF or DKIM pass, but the domain used by one or the other must align with the domain found in the From address for DMARC to pass.
- It reports SPF, DKIM and DMARC results back to the domain found in the From address (i.e. the sender).
- It tells recipients how to handle emails that fail DMARC validation by specifying a policy in DNS.
In your administration interface
DMARC compliance indicator:
On the home page of your admin console, you will find a real-time indicator of the domain's DNS information.
The indicator shows one of the following states:
- Your DMARC policy applies rejection or quarantine
- Your DMARC policy is none
- No DMARC TXT record has been entered
Create the DMARC TXT record for your domain
Although there are other syntax options not mentioned here, these are the most commonly used. Create the DMARC TXT record for your domain in the following format:
_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"
Where:
- domain is the domain you wish to protect. By default, the record protects mail from the domain and all its subdomains. For example, if you specify _dmarc.yourdomain.com, DMARC will protect mail from this domain and all its subdomains, such as subdomain.yourdomain.com or encouresousdomain.yourdomain.com.
- The TTL value must always be equivalent to one hour. The unit used for TTL, whether hours (1 hour), minutes (60 minutes) or seconds (3600 seconds), varies depending on the registrar of your domain.
- pct=100 indicates that this rule should be used for 100% of emails.
- policy specifies the policy you want the receiving server to follow if a message fails DMARC validation. You can set the policy to none, quarantine or reject.
Examples:
Here is an example of what a DMARC record in your DNS TXT Records field might look like:
| Name | Value | TTL |
| --- | --- | --- |
| _dmarc.votredomaine.com | v=DMARC1; p=quarantine; rua=mailto:rapport@votredomaine.com | 1800 |
- Policy set to none (no action):
_dmarc.yourdomain.com 3600 IN TXT "v=DMARC1; p=none"
- Policy set to quarantine (mail is placed in quarantine):
_dmarc.yourdomain.com 3600 IN TXT "v=DMARC1; p=quarantine"
- Policy set to reject (mail is rejected):
_dmarc.yourdomain.com 3600 IN TXT "v=DMARC1; p=reject"
Once you have created your record, you need to publish it with your domain registrar.
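Before publishing, the record value can be checked offline. The following is an added example, not code from the admin console or from this page: it parses a DMARC TXT value using the tags described above (v, p, pct, rua) and maps the result to states similar to the console indicator. The function names, the state names and the extra "invalid" state are assumptions, and the sample records are constructed.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one DMARC TXT value into a tag dict; raise ValueError if malformed."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # empty segment, e.g. after a trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not name.strip() or not value.strip():
            raise ValueError(f"malformed tag {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in POLICIES:
        # A missing ';' ends up here: "quarantine rua=..." is not a valid policy.
        raise ValueError(f"invalid or missing policy {tags['p']!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        raise ValueError(f"pct must be 0-100, got {pct!r}")
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri and not re.fullmatch(r"(?i)mailto:[^\s@]+@[^\s@]+", uri):
            raise ValueError(f"bad rua address {uri!r}")
    return tags

def indicator(txt_records):
    """Classify the TXT answers for _dmarc.<domain> (state names are hypothetical)."""
    dmarc = [r for r in txt_records if re.match(r"\s*[vV]\s*=\s*DMARC1\b", r)]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid"  # receivers ignore DMARC when several records exist
    try:
        policy = parse_dmarc(dmarc[0])["p"]
    except ValueError:
        return "invalid"
    return "enforced" if policy in ("quarantine", "reject") else "monitoring-only"

if __name__ == "__main__":
    # Constructed sample values; example.com is a placeholder domain.
    for rec in ("v=DMARC1; p=reject; pct=100",
                "v=DMARC1; p=quarantine rua=mailto:reports@example.com"):
        print(indicator([rec]), "<-", rec)
```

A record that lands in "invalid" is treated by receivers much like a missing one, so a dropped semicolon or a space inside the rua address silently removes the protection.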