DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.
Spammers can sometimes forge the "From" address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, email providers such as AOL, Gmail, Hotmail, and Yahoo! participate in DMARC.org.
While understanding DMARC, how it works and how it is to be implemented is often left to a technical resource, it can be approached at a various levels of understanding (depending on how in-depth the domain owner wishes to implement their DMARC policy).
You can leverage your DMARC policy to decide how email providers should treat unauthenticated emails coming from your domain. Domain owners can publish a policy telling participating email providers how to handle unauthenticated messages sent from their domain. By defining a policy, you can help combat phishing to protect users and your reputation.
Please note, you must send all mail through your own domain for DMARC to be effective. Mail sent on your behalf through third-party providers will appear unauthenticated and therefore may be rejected, depending upon your policy disposition. To authenticate mail sent from third-party providers, either share your DKIM key with them for inclusion on messages or have them relay mail through your network.
If VCG is managing your DNS records, and you wish to implement a DMARC policy, contact VCG Client Support to work with you in completing this task. We have created several How-To articles relating to creating DMARC records that can be found in the User Guide.
If VCG is not managing your DNS, you'll need to work with your DNS provider to implement your DMARC policy. The Internet provides a wealth of information on DMARC for your reference.
If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound mail streams. DMARC relies upon these technologies to ensure signature integrity. A message must fail both SPF and DKIM checks to also fail DMARC. A single check failure using either technology allows the message to pass DMARC.
If you're a domain owner and VCG is hosting your DNS, we will work with you to configure your SPF records and DKIM keys.
Here are some things to keep in mind:
- If you setup your DMARC policy to receive reports (optional but recommended), you'll receive a daily report from each participating email provider so you can see how often your emails are authenticated, how often invalid emails are identified, and policy actions requested and taken by IP address. Please note, however, that these reports are technical in nature (typically providing in XML format), however, there are a number of online DMARC interpretation tools that you can subscribe to, free of charge, that will translate the data you receive into easy to read reports.
- You might want to adjust your policy as you learn from the data in these reports. For example, you might adjust your actionable policies from “monitor” to “quarantine” to “reject” as you become more confident that your own messages will all be authenticated.
DMARC Record Creation
- DMARC Record Assistant
- Agari DMARC Record Generator
- Return Path DMARC Record Generator (registration required)
- DMARC Wizard (record creation) at UnlockTheInbox.com
DNS Record Lookup and Parsing
- dmarcian.com DMARC Inspector (retrieve and parse DMARC record for a domain)
- OTA Query Tool for DMARC Records
- SPF Record Test Tool
- dmarcian.com SPF Surveyor (recursively retrieve and expand SPF records)
Send a message to the following services, where it will be evaluated according to several authentication systems. For message reflectors, send an email message from the domain you wish to check, and a report will be sent back.
- Message reflector: firstname.lastname@example.org at dmarc.org (DMARC reports sent every 5 minutes) (2014-Dec-26: Back online)
- Message reflector: email@example.com by Port25 (instructions – DK, DKIM, Sender-ID, SPF)
- Message reflector: firstname.lastname@example.org by Return Path (DK, DKIM, DMARC, Sender-ID, SPF)
- Message reflector: email@example.com by Sendmail/Proofpoint (DKIM, Sender-ID, SPF)
- Message reflector: firstname.lastname@example.org by Unlock The Inbox (DK, DKIM, DMARC, Sender-ID, SPF)
- DMARC, DKIM and SPF Test System at NIST
- The Validator (of DKIM, DMARC and SPF – registration required) by Message Systems
Report Parsing and Display
- dmarcian.com DMARC XML-to-Human Converter
See Also "What is an SPF Record?"
See Also "What is a DKIM Record?"