DMARC policy settings
What is a DMARC policy and what it is used for
DMARC is an email authentication protocol that allows a domain owner to specify how recipients should behave if a message they receive is not authentic.
DMARC therefore lets a sender require recipient servers to handle messages that carry its domain in the From: header in a specified way when the SPF and DKIM checks are not valid.
The DMARC email authentication system is used to protect against spoofing or phishing attempts sent by unreliable senders. DMARC can produce daily reports in XML format regarding the flow of emails. This helps verify that the servers sending emails on your behalf are legitimate.
Set a DMARC policy
Before activating a DMARC policy for your domain, make sure that the SPF record is set correctly.
Setting up a DMARC record requires you to choose how suspicious emails are handled. Emails are considered suspicious when they don't conform to the domain's SPF and DKIM settings.
Policy options (p) are:
- none: no action is performed on the message;
- quarantine: messages are marked as spam and moved to the Spam folder of Qboxmail;
- reject: the recipient server is required to reject the message.
We recommend activating DMARC policies gradually, starting from 'None', followed by 'Quarantine' and 'Reject'.
An example DMARC record could look like this:
v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com
This record instructs recipient servers to mark suspicious messages as spam and to send the daily report to the address rua@dmarc.qboxmail.com.
To apply the above record, it is necessary to create a TXT type record in the domain DNS:
Record Name | Record Type | Value |
---|---|---|
_dmarc.mycompany.com | TXT | v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com |
Qboxmail interprets and applies the DMARC policies set by the sender but does not include the sending of daily XML reports.
It is also possible to use web tools to create your own DMARC policies: https://www.kitterman.com/dmarc/assistant.html
Verify the correct setting of the DMARC record in DNS
In order to verify the correct setting of the DMARC record on your domain, you can run the nslookup command from the terminal:
nslookup -q=txt _dmarc.mycompany.com
which should show, as a result:
_dmarc.mycompany.com text = "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com"
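Once nslookup returns the TXT value, it can be checked for the mistakes that make recipients ignore a record. The following Python example is added here and is not Qboxmail code: it validates the v, p, rua and ruf tags described on this page and reports the next step of the gradual none, quarantine, reject rollout. The function names and the broken sample record are assumptions made for illustration.

```python
import re

POLICIES = ("none", "quarantine", "reject")  # rollout order recommended on this page

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    txt = txt.strip().strip('"')           # nslookup prints the value in quotes
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue                        # tolerate a trailing ';'
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(txt):
    """Return (tags, problems) for one DMARC record."""
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        problems.append(f"p must be one of {POLICIES}, got {policy!r}")
    for tag in ("rua", "ruf"):              # report addresses, comma-separated
        for uri in filter(None, tags.get(tag, "").split(",")):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri.strip()):
                problems.append(f"{tag} is not a mailto: address: {uri.strip()!r}")
    return tags, problems

def next_policy(policy):
    """Next step in the none -> quarantine -> reject rollout, or None at the end."""
    i = POLICIES.index(policy)
    return POLICIES[i + 1] if i + 1 < len(POLICIES) else None

# The record from this page, quoted as nslookup prints it.
PAGE_RECORD = ('"v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; '
               'ruf=mailto:ruf@dmarc.qboxmail.com"')
# Constructed broken record: misspelled policy and a rua value without mailto:.
BAD_RECORD = "v=DMARC1; p=quarantene; rua=rua@dmarc.qboxmail.com"

if __name__ == "__main__":
    for rec in (PAGE_RECORD, BAD_RECORD):
        tags, problems = check_dmarc(rec)
        print(tags.get("p"), problems or "ok")
```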