DMARC stands for Domain-based Message Authentication, Reporting and Conformance. A DMARC policy lets a sending domain state that its email is protected by SPF and/or DKIM and tells a receiver what to do if neither authentication method passes, such as rejecting the message or quarantining it. The policy can also specify how an email receiver reports back to the sender's domain about messages that pass and/or fail. DMARC records are published as a TXT record in the domain's DNS.
Fields in the DMARC record:
The different fields in the DMARC record are given below.
v= Specifies the protocol version applicable to this record. In the case of DMARC, it is DMARC1.
p= Defines the policy the sending domain advises the receiving MTA to follow for mail that fails authentication. It may take one of the following values:
    none - No specific action is requested of the receiving MTA.
    quarantine - Advises the receiving MTA to treat any email that fails the DKIM and/or SPF checks as suspicious: perform additional checks, mark the mail as suspected SPAM, or apply whatever local policy is in operation.
    reject - Advises the receiving MTA to reject any email that fails the DKIM and/or SPF checks.
sp= Takes the same values as p. The value of sp in the DMARC record advises the policy the receiving MTA should follow for subdomains. If sp is absent, the policy defined for the domain (p) is applied to subdomains as well.
rf= Defines the reporting format the sending domain requests from the receiving MTA. It may take the following values:
    afrf - Abuse Report Format, the message format for failure reporting defined by RFC 5965.
    iodef - Incident Object Description Exchange Format, defined by RFC 5070.
pct= Defines the percentage of mail to which the DMARC policy applies. If omitted it defaults to pct=100 (100%), so all mail is subject to DMARC processing.
ri= Defines the interval in seconds between aggregate reports requested from the receiving MTA. Receiving MTAs must be able to send daily (86400) reports and should be able to send hourly (3600) reports.
ruf= Lists the addresses to which detailed failure reports are sent. If not present, the receiving MTA will not send failure reports. URLs must be of the format mailto:user@example.com.
DMARC records
Name: _dmarc
TTL: 14400
Type: TXT
The following records specify how the recipient should handle emails from a domain that fail the SPF/DKIM check.
No Action: This record specifies that no action is to be taken if the email fails in SPF/DKIM check.
v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400
Reject: This record specifies to reject the emails from the domain if the email fails in SPF/DKIM check.
v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400
Quarantine: This record specifies that emails from the domain are to be treated as suspicious (quarantined) if they fail the SPF/DKIM check.
v=DMARC1; p=quarantine; sp=none; rf=afrf; pct=100; ri=86400
To receive an email report of failed DMARC validations, add a reporting address (the ruf tag) to the record; you will then be notified when emails sent from the domain fail the SPF/DKIM check. Replace the email address in the record with a valid email address.
No Action: v=DMARC1; p=none; sp=none; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400
Reject: v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ruf=mailto:user@example.com; ri=86400
Quarantine: v=DMARC1; p=quarantine; sp=none; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400
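The field descriptions above and the three sample records are easier to reason about with a small parser in hand. The following Python is an added example written for this article, not code from the article or from any DMARC product: it splits a record into its tags, validates the tags described above (v, p, sp, rf, pct, ri, ruf), and shows what a receiving MTA would do with one failing message. The sp= inheritance rule and the pct= sampling behaviour follow RFC 7489 (the unsampled remainder gets the next less severe policy), which goes slightly beyond what the article states; the `sample` argument stands in for the receiver's random 1..100 draw so the result is deterministic.

```python
import re

# The records shown in this article (constructed sample inputs for this example).
PAGE_RECORDS = {
    "none": "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400",
    "reject": "v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ruf=mailto:user@example.com; ri=86400",
    "quarantine": "v=DMARC1; p=quarantine; sp=none; ruf=mailto:user@example.com; rf=afrf; pct=100; ri=86400",
}

POLICIES = ("none", "quarantine", "reject")
REPORT_FORMATS = ("afrf", "iodef")


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs and validate the tags the
    article describes. Unknown tags are kept but not checked."""
    parts = [p.strip() for p in record.split(";")]
    parts = [p for p in parts if p]
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value
    # v=DMARC1 must be the first tag; receivers ignore the record otherwise.
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    for fmt in tags.get("rf", "afrf").split(","):
        if fmt.strip() not in REPORT_FORMATS:
            raise ValueError(f"unknown report format {fmt!r}")
    pct = int(tags.get("pct", "100"))          # default 100 when omitted
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    ri = int(tags.get("ri", "86400"))          # default: daily reports
    if ri <= 0:
        raise ValueError("ri= must be a positive number of seconds")
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if uri and not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri):
            raise ValueError(f"ruf= entries must be mailto: URIs, got {uri!r}")
    return tags


def is_valid_dmarc(record):
    """True when the record parses and passes the checks above."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def effective_policy(tags, is_subdomain=False):
    """sp= governs subdomains; when it is absent a subdomain inherits p=."""
    if is_subdomain:
        return tags.get("sp", tags["p"])
    return tags["p"]


def disposition(tags, dkim_aligned, spf_aligned, is_subdomain=False, sample=1):
    """Disposition of one message: it passes DMARC if either aligned DKIM or
    aligned SPF passes; otherwise the requested policy applies to pct% of the
    failing mail, and the rest gets the next less severe policy (RFC 7489)."""
    if dkim_aligned or spf_aligned:
        return "pass"
    policy = effective_policy(tags, is_subdomain)
    pct = int(tags.get("pct", "100"))
    if sample > pct:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    for name, rec in PAGE_RECORDS.items():
        tags = parse_dmarc(rec)
        print(f"{name:10} -> {disposition(tags, dkim_aligned=False, spf_aligned=False)}")
```

Note that all three records on this page carry sp=none, so mail from a subdomain that fails authentication is not quarantined or rejected even under the "Reject" record; drop the sp tag (or set it to the same value as p) if subdomains should be covered as well.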
Adding DMARC record for a domain in WHM.
1. Login to WHM.
2. Go to DNS Functions >> Edit DNS Zone >> Choose a Zone to Edit >> Edit.
3. New records can be added under the field “Add New Entries Below this Line”.
4. Select TXT Record from the drop-down field and keep the TTL value to default.
5. Add the suitable DMARC records and click “Save” on the bottom left of the page.
Adding DMARC record for a domain in cPanel.
1. Login to cPanel.
2. Click on Zone Editor under Domains.
3. You will see a list of domains that are being managed by your cPanel account. Click on Manage next to the domain for which you will add the DMARC record.
4. You will then be redirected to a page listing the zone records associated with the domain. To add a new record to this zone, select "Add Record".
5. From the drop-down menu select TXT record and enter the suitable DNS record. Click Add Record to save your record.
Adding DMARC record from the backend of the server.
This method is not recommended, please proceed with care.
In order to add the record directly from the backend of the server, follow the steps below. The zone is stored as a plain-text zone file with a name of the form domain.com.db. In this case DNS is served by BIND (named), so the zone files are located in /var/named.
Change the present working directory to /var/named.
cd /var/named
For example, if the DMARC record needs to be added for the domain example.com, open the zone file example.com.db in a text editor.
vi example.com.db
Now add the appropriate DMARC record to the zone file.
_dmarc 14400 IN TXT "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"
Increment the serial number in the zone's SOA record to indicate that the zone has been updated; named will not reload a zone whose serial has not changed. Save and exit the text editor.
Now restart the DNS service.
service named restart
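The backend procedure above has two steps that are easy to get wrong by hand: placing the _dmarc TXT line and bumping the SOA serial. The following Python is an added example written for this article, not a cPanel or BIND tool: it works on the zone file text, replaces any existing _dmarc record (so re-running it does not publish two conflicting records), appends the TXT line in the form the article shows, and increments the serial. The zone content is a constructed sample standing in for /var/named/example.com.db; the origin name example.com. is assumed. Reading and writing the real file, and the `service named restart` step, are left to the reader.

```python
import re

# Constructed cPanel/BIND-style zone, standing in for /var/named/example.com.db.
SAMPLE_ZONE = """\
; constructed sample zone for this example
$TTL 14400
example.com.    86400   IN  SOA ns1.example.com. hostmaster.example.com. (
                2024010100  ; serial
                3600        ; refresh
                1800        ; retry
                1209600     ; expire
                86400 )     ; minimum
example.com.    86400   IN  NS  ns1.example.com.
example.com.    14400   IN  A   192.0.2.10
mail            14400   IN  A   192.0.2.20
example.com.    14400   IN  MX  0 mail.example.com.
"""

# The "No Action" record from this article.
DMARC_NONE = "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"


def find_soa_serial(lines):
    """Return (line_index, serial_text) for the SOA serial. The serial is the
    third field after the SOA keyword (MNAME, RNAME, SERIAL); with the usual
    parenthesised layout it sits on the line after the SOA line. Text after
    ';' is a comment and is ignored."""
    fields = []
    seen_soa = False
    for idx, line in enumerate(lines):
        for tok in line.split(";", 1)[0].split():
            if not seen_soa:
                seen_soa = tok.upper() == "SOA"
                continue
            tok = tok.strip("()")
            if tok:
                fields.append((idx, tok))
            if len(fields) == 3:
                return fields[2]
    raise ValueError("no SOA serial found")


def soa_serial(zone_text):
    """The zone's current serial as an integer."""
    return int(find_soa_serial(zone_text.splitlines())[1])


def bump_serial(zone_text):
    """Increment the SOA serial by one so named (and any secondaries) pick up the change."""
    lines = zone_text.splitlines()
    idx, old = find_soa_serial(lines)
    lines[idx] = re.sub(r"\b%s\b" % re.escape(old), str(int(old) + 1), lines[idx], count=1)
    return "\n".join(lines) + "\n"


def _is_dmarc_line(line, origin):
    """True if the record's owner name is _dmarc (relative or fully qualified)."""
    fields = line.split(";", 1)[0].split()
    return bool(fields) and fields[0].lower() in ("_dmarc", "_dmarc." + origin.lower())


def dmarc_value(zone_text, origin="example.com."):
    """Return the quoted TXT value of the _dmarc record, or None if absent."""
    for line in zone_text.splitlines():
        if _is_dmarc_line(line, origin):
            match = re.search(r'"([^"]*)"', line)
            return match.group(1) if match else None
    return None


def set_dmarc_record(zone_text, value, ttl=14400, origin="example.com."):
    """Publish `value` as the zone's _dmarc TXT record (replacing any existing
    one) and bump the serial. Returns the new zone text."""
    kept = [l for l in zone_text.splitlines() if not _is_dmarc_line(l, origin)]
    kept.append(f'_dmarc\t{ttl}\tIN\tTXT\t"{value}"')
    return bump_serial("\n".join(kept) + "\n")


if __name__ == "__main__":
    updated = set_dmarc_record(SAMPLE_ZONE, DMARC_NONE)
    print(f"serial {soa_serial(SAMPLE_ZONE)} -> {soa_serial(updated)}")
    print(updated)
```

Before restarting named, run `named-checkzone example.com /var/named/example.com.db` on the result; a typo in the zone file can take every record for the domain offline, not just the new one.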
Get rid of all the hassles of server management. Our server management services include server hardening, 3rd party software installations, 24/7 server monitoring, reboot assistance, server migrations and backup configuration; entrust the management of your server to SupportSages.