DMARC policy settings
Configure a DMARC policy for Qboxmail domains to control how recipients handle failed SPF and DKIM checks.
What a DMARC record is and what it is used for
DMARC is an email authentication protocol that allows the owner of a domain to specify how recipients should handle messages that are not authentic.
DMARC therefore allows a sender to require recipient servers to apply a specific behavior to messages that use one of its domains as the sender (From:) when the SPF and DKIM checks fail.
The DMARC email authentication system helps protect against fraud, such as spoofing or phishing, with forged senders. DMARC also makes it possible to receive daily XML reports from recipient servers about email traffic, so you can verify that the servers sending email on your behalf are legitimate.
Set up a DMARC record
Before activating a DMARC policy for your domain, make sure the SPF record is configured correctly.
Setting up a DMARC record requires choosing how suspicious emails should be handled, meaning messages that do not comply with the domain's SPF and DKIM settings.
The policy (p) options are:
- none: no action is performed on the message.
- quarantine: messages are marked as spam and moved to the Spam folder.
- reject: the recipient server is asked to reject the message.
We recommend enabling DMARC policies gradually, starting from none and only then moving to quarantine and finally reject.
An example DMARC record can be:
v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com
This tells recipient servers to mark suspicious messages as spam and send the daily report to rua@dmarc.qboxmail.com.
To apply the record shown above, create a TXT record in the domain DNS:
| Record name | Record type | Value |
|---|---|---|
| _dmarc.mycompany.com | TXT | v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com |
Qboxmail interprets and applies the DMARC policies set by senders and supports sending daily XML reports.
You can also use web tools to create your DMARC policies: https://www.kitterman.com/dmarc/assistant.html
DMARC reports
DMARC allows you to receive daily reports about the email traffic associated with your domain. Recipient servers generate the reports and send them to the addresses specified in the rua field of the DMARC record configured in DNS. We recommend using an address provided by the email provider or security service that manages report analysis.
Reports allow you to:
- identify domain abuse;
- detect unauthorized sends;
- identify incorrect configurations or legitimate services that send email without complying with DMARC policies.
Without reports, many abuse activities are not visible.
DMARC report management in Qboxmail
Through the Email Security service, we generate and send DMARC reports to all domains that configure a valid DMARC record with a reachable rua address.
Every day, our systems analyze millions of email messages from thousands of domains.
Specifically, for each domain:
- received message data is collected and analyzed;
- message results are checked against the configured DMARC policy;
- XML reports compliant with the DMARC standard are generated;
- reports are sent to the addresses specified in the rua field.
For Email Providers that want to correctly identify DMARC reports sent by Qboxmail, messages are sent with the following characteristics:
- sender: report@dmarc.qboxmail.com
- sending server: dmarcreport.qboxmail.com
Sending DMARC reports is a voluntary activity that helps ensure a safer email service for all parties involved.
DMARC limits with forwards and automatic replies
Automatic replies and forwards may have issues if the domain has a DMARC policy set to p=quarantine or p=reject.
This is because automatic replies and forwards require rewriting the sender: the recipient server would see a message from the original sender arriving through our forwarding servers, but the original sender's SPF record does not authorize our systems to send on their behalf.
For this reason, the sender must be rewritten using Sender Rewriting Scheme (SRS). However, this technique is not currently fully compatible with DMARC, so you need to remove the DMARC record or set the policy to p=none.
Here is an example DMARC record to use in these cases:
v=DMARC1; p=none; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com
Verify that the DMARC record is correctly configured in DNS
To verify that the DMARC record is correctly configured on your domain, run the nslookup command from a terminal:
nslookup -q=txt _dmarc.mycompany.com
The result should be:
_dmarc.mycompany.com text = "v=DMARC1; p=quarantine; rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com"
Learn more about SPF, DKIM, and DMARC on the Qboxmail website.
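To check the nslookup answer automatically instead of by eye, the following added example (not part of the Qboxmail documentation) parses the TXT value into DMARC tags and flags the problems this page describes: an invalid policy or a missing rua address. The sample answer line is constructed from the record shown above, and the function names are illustrative.

```python
import re

POLICIES = ("none", "quarantine", "reject")  # rollout order recommended on this page

# Constructed sample: the nslookup answer line shown on this page.
SAMPLE_ANSWER = ('_dmarc.mycompany.com text = "v=DMARC1; p=quarantine; '
                 'rua=mailto:rua@dmarc.qboxmail.com; ruf=mailto:ruf@dmarc.qboxmail.com"')


def extract_txt(answer_line):
    """Join the quoted chunks of one TXT answer (long records are split by DNS)."""
    return "".join(re.findall(r'"([^"]*)"', answer_line))


def parse_dmarc(record):
    """Split a DMARC record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag-value pair: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def check_dmarc(record):
    """Return (tags, problems); an empty problems list means the record looks usable."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua address, so no aggregate reports will arrive")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            # mailto: is the only report URI scheme receivers are required to support
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag} target is not a mailto: URI: {uri}")
    return tags, problems


if __name__ == "__main__":
    tags, problems = check_dmarc(extract_txt(SAMPLE_ANSWER))
    print("policy:", tags.get("p"), "| problems:", problems or "none")
```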