Manage suspicious emails with DMARC policy

DMARC, or Domain-based Message Authentication, Reporting & Conformance is used in conjunction with SPF and DKIM to help protect against email spoofing and phishing attacks. Spoofing happens when a scammer edits the From field of an email message to impersonate someone from within your domain. DMARC uses a policy that is given by your email provider. This policy tells the receiving email host how to treat emails sent from your domain based on the criteria that you set in the DMARC DNS record. Enabling a DMARC policy also gives insight into reports on what your domain is sending, and how receiving mail hosts are treating the email messages from your domain.

DMARC enforces SPF and DKIM. DMARC is useful only if a domain owner has already set up SPF and DKIM records. Before creating and getting ready to deploy DMARC, you must first create an SPF record, then create a DKIM record, and lastly create a DMARC record policy. The policy allows you to decide how to handle email that fails SPF or DKIM and is not DMARC compliant.

What is Email Spoofing?

Spoofing occurs when a malicious actor forges the "From" field of an email to impersonate someone within your domain, often to trick recipients into believing the email is legitimate. DMARC helps prevent this by applying policies that tell the receiving email server how to treat unauthorized emails that fail the SPF or DKIM checks.

How DMARC Works

DMARC requires a policy to be set within the DMARC DNS record of your domain. This policy defines how the receiving email server should handle emails based on the results of SPF and DKIM authentication. You can set different DMARC policies, such as:

  • DMARC reject: Rejects unauthorized emails outright, preventing them from being delivered to the recipient. This is the strictest level of enforcement.
  • DMARC quarantine: Moves unauthorized emails to the recipient's spam or junk folder instead of blocking email senders entirely. This allows the recipient to review suspicious messages without direct delivery to their inbox.

Setting Up DMARC

To use DMARC, it’s important to first set up SPF and DKIM records. Once those are in place, you can configure the DMARC policy. The DMARC policy allows you to decide how to handle email that fails SPF or DKIM and does not comply with DMARC.

Example DMARC policies

These are some example policies and how they appear in the DNS TXT record.

DMARC Policy action DMARC TXT record
No action taken on messages that fail the DMARC check. Email a daily report to dmarc@yourdomain.com. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Deliver 10% of the messages that fail the DMARC check in recipients' spam folders. Email a daily report to dmarc@yourdomain.com.

v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourdomain.com

Reject 100% of messages that fail the DMARC check. Email a daily report to two addresses: postmaster@yourdomain.com and dmarc@yourdomain.com.

Failed messages (email that fails DMARC ) result in an SMTP bounce back message to sender.

v=DMARC1; p=reject; rua=mailto:postmaster@yourdomain.com, mailto:dmarc@yourdomain.com

Add a TXT record to turn on DMARC

To turn on DMARC, update your domain settings with a DNS TXT record. It is advised that when introducing the policy enforcement should be set to none (p=none), so that whilst starting out there will be no adverse effects on email delivery for legitimate emails. This helps ensure everything is working properly and you don't accidentally send all your outbound email to the spam folder.

Add a TXT record to turn on DMARC

Follow these steps to add a DMARC TXT record for your domain:

  1. Login to the Client Area and click the domains tab.
  2. Find the domain name you wish to edit from the list and select Manage Domain from the drop-down.
  3. On the left overview menu, select DNS Management.
  4. Select txt as the record type and enter the DMARC policy you have chosen, replacing the example domain and values with your own.

DMARC TXT record values explained

This example DMARC record below is a good place to start with although there will be no actions taken other than the sending of the reports.

Host Name Record Type Address

_dmarc

SPF (txt) v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

DMARC TXT record values explained

Tag Name Required Description and values

v

Required Protocol version. Must be DMARC1.

p

Required

Defines how your domain handles suspicious messages:

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and move to the recipient's junk folder.
  • reject: Tell receiving servers to reject the message. In this case, a bounce back message is usually returned to the sender.

pct

Optional

Sets the percent of suspicious messages that the DMARC policy applies to. Suspicious messages are messages that fail the DMARC check and are set to quarantine or reject the message based on the policy you set. 

Must be a whole number between 1 and 100. The default is 100.

rua

Optional

Email address to receive DMARC reports for your domain. Use an email alias or create a new email address to receive sending email of these reports. 

The email address must include mailto:, for example: mailto:dmarc-reports@yourdomain.com

To send the report to more than one email address, separate emails with a comma to have more email receivers, and use no more than 2 emails as some services have been reported to ignore more than 2 DMARC notifications.

sp

Optional

The subdomain policy is applied to all subdomains of the domain. It uses the same format as the p value above.

  • none: Take no action on the message. Log suspicious messages in the daily report.
  • quarantine: Mark the messages as spam and hold it for more processing.
  • reject: Instruct receiving servers to reject the message.
adkim Optional

This value allows you to set strict (s) or relaxed (r, which is the default) alignment for the DKIM identifier

  • s: Strict. The sender domain name must exactly match the corresponding d=name in the DKIM mail headers.
  • r: Relaxed (default). Allows partial matches. Any valid subdomain of d=domain in the DKIM mail headers is accepted.

aspf

Optional

This value has the same settings and impact as the DKIM value above, but is for SPF instead.

  • s: Strict. The message from: header must exactly match the domain.name in the SMTP MAIL FROM command
  • r: Relaxed (default). Allows partial matches. Any valid subdomain of domain.name is accepted.

 

  • 244 أعضاء وجدوا هذه المقالة مفيدة
هل كانت المقالة مفيدة ؟

مقالات مشابهة

Enabling two-factor authentication

Setting up 2-factor authentication (or 2FA) provides a second line of defense. If your password...

Setup SMS password reset for Webmail

Email password resets for Webmail require SMS verification or Multi-Factor Authentication. If you...

Password Help

Here at Thexyz we take your account security very seriously and want to make it easy for you to...

How To Change Your Webmail Password

A strong and secure password is an essential component of protecting your online accounts,...

How to enable DKIM Authentication on your domain

Protect your Email with DKIM (Domain Keys Identified Mail). DKIM adds a secure signature to your...