DMARC policy settings
What is a DMARC policy and what it is used for
DMARC is an email authentication protocol that allows a domain owner to specify how recipients should behave if a message they receive is not authentic.
Therefore, DMARC allows a sender to impose recipient servers to perform certain behaviors on messages that have their own domain (From :), if the SPF and DKIM settings are not valid.
The DMARC email authentication system is used to protect against spoofing or phishing attempts sent by unreliable senders. DMARC can produce daily reports in XML format regarding the flow of emails. This helps verifying that the servers sending emails on your behalf are legitimate.
Set a DMARC policy
Warning
Before activating a DMARC policy for your domain, make sure that the SPF record is set correctly.
Setting up a DMARC record requires you to choose how suspicious emails are handled. Emails are considered suspicious when they don't conform to the domain's SPF and DKIM settings.
Policy options (p) are:
- none: no action is performed on the message;
- quarantine: messages are marked as spam and moved to the Spam folder;
- reject: the recipient server is required to reject the message.
Warning
We recommend activating DMARC policies gradually, starting from 'None', followed by 'Quarantine' and 'Reject'.
An example of DMARC record could look this:
v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com
This record instructs recipient servers to mark suspicious messages as spam and sends the daily report to the address rua@dmarc.qboxmail.com.
To apply the above record, it is necessary to create a TXT type record in the domain DNS:
| Record Name | Record Type | Value |
|---|---|---|
| _dmarc.mycompany.com | TXT | v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com |
Qboxmail interprets and applies the DMARC policies set by the sender and includes the sending of daily XML reports.
It is also possible to use web tools to create your own DMARC policies: https://www.kitterman.com/dmarc/assistant.html
DMARC reports
DMARC allows domain owners to receive daily reports on the email traffic associated with their domain. Receiving mail servers generate these reports and send them to the addresses specified in the rua field of the DMARC record configured in DNS. It is advisable to use an address provided by the email provider or by the security service that handles report analysis.
Reports help to:
- identify domain abuse;
- detect unauthorised sending;
- identify misconfigurations or legitimate services that send emails without respecting DMARC policies.
Note
Without reports, many abusive activities remain invisible.
DMARC report handling in Qboxmail
Through the Email Security service, we generate and send DMARC reports for all domains that configure a valid DMARC record with a reachable rua address.
Every day, our systems analyse millions of email messages from thousands of domains.
More specifically, for each domain we:
- collect and analyse data from received messages;
- verify message results against the configured DMARC policy;
- generate XML reports that comply with the DMARC standard;
- send reports to the addresses listed in the rua field.
Email Providers that want to correctly identify DMARC reports sent by Qboxmail receive messages with the following characteristics:
- sender: report@dmarc.qboxmail.com
- sending server: dmarcreport.qboxmail.com
Note
DMARC report delivery is a voluntary activity that helps ensure a more secure email service for all involved parties.
Verify the correct setting of the DMARC record in DNS
In order to verify the correct setting of the DMARC record on your domain, you can run the nslookup command from the terminal:
nslookup -q=txt _dmarc.mycompany.com
which should show, as a result:
_dmarc.mycompany.com text = "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com
Tip
Learn more about SPF, DKIM & DMARC on the Qboxmail website.
