DMARC is short for Domain-based Message Authentication, Reporting and Conformance. As the name suggests, DMARC records enable a few different things:
Put simply, you can think of a DMARC record as a DNS record that extends the functionality of SPF and DKIM records. One problem with SPF and DKIM records is that receiving mail servers don’t know what you want them to do if one or more checks fail. DMARC solves that issue, as the record tells receiving servers exactly what should happen. And because you define the rules you have control over how receiving servers deal with SPF and/or DKIM failures.
At the same time you – the sender – can receive reports on email deliveries and failures. Although most people don’t use the reporting option, it is useful to be able to monitor outgoing emails.
You can add a DMARC record via cPanel:
Image: Adding a DMARC record via cPanel’s.
The Zone Editor automatically creates a name for the new record (here _dmarc.example.net.), and for the record’s value it suggests using the None policy. Which brings us to the first DMARC element…
A DMARC policy tells receiving mail servers what they should do with an email if the SPF or DKIM check fails. There are three options:
It might seem odd that None is the default policy. There is a good reason for that though. Because DMARC can report on email deliveries you can first set the policy to None and then check the reports to see if any genuine emails would have been rejected. In other words, you don’t have to dive in head-first. Instead, you can first create a basic DMARC record and then gradually tweak the policy.
If your SPF and DKIM records have been set up correctly there shouldn’t be any accidental email rejections. However, there are many edge cases (such as the issue that SPF often doesn’t work well with email forwarding). It is therefore recommended to start with the None policy, and to only switch to a stricter policy when the email reports show there are no issues.
DMARC has a lot more options than just the policy. You can click on the Optional Parameters link to view all options.
Image: The DMARC options shown in cPanel’s Zone Editor.
Most of the default options are sensible choices and you probably want to keep them as they are. The only exceptions are the Send Aggregate Mail Reports To and Send Failure Reports To options. You can use these options to get information about emails sent from your domain. I will discuss these two options first and then briefly explain the other optional parameters.
As said, when you use DMARC you can choose to receive aggregate reports and/or failure reports.
By default the two parameters are blank, which means that no reports are sent. If you want to receive either or both reports then you can enter one or more email addresses in the Send Reports To fields.
Note that you should enter the email address in the format ‘mailto:<email-address>’. For instance, if you want to receive reports at firstname.lastname@example.org then you enter the email address as ‘mailo:email@example.com’.
See the DMARC reports page for more information about the reports.
The Subdomain policy section has the same options as the Policy section. This section is only relevant if you sent emails from a subdomain such as firstname.lastname@example.org (here the subdomain is shop.example.com).
DMARC checks if the domain an email was sent from is correct. It does this by checking if the domain shown in the email’s ‘From’ header matches. For instance, when I sent an email from email@example.com then the domain example.net should show in the ‘From’ header. If the ‘From’ header shows a different domain, say ‘paypal.com’, then it is likely that the email address has been spoofed and that the email is spam.
There are two modes for both DKIM and SPF: Relaxed and Strict:
In Relaxed mode, which is the default option, an email from firstname.lastname@example.org that has the subdomain shop.example.net in the ‘From’ header would pass. However, the same email doesn’t pass in Strict mode.
The Percentage option specifies the percentage of emails from a domain that should be checked by receiving mail servers. This is an optional tag that was added to the DMARC specifications to allow domain owners to gradually roll out DMARC policies. We recommend keeping the default value (100). To test how DMARC affects email delivery it is better to start with the None policy, as discussed above.
The Generate Failure Reports When option specifies if a failure should be reported when all checks fail or when any checks fail. The default option is to only report failures when all checks fail.
DMARC reports can be sent in one of two formats. AFRF (Authentication Failure Reporting Format) is the most common format and recommended.
By default, aggregate reports are sent every day (86,400 seconds), while failure reports are sent in real time. You can change the reporting interval for aggregate reports to a lower value. However, the report interval is likely to be ignored – in all likelihood you will still receive your reports daily.