# Domain-Based Message Authentication, Reporting and Conformance (DMARC)

DMARC aims to fix flaws in the [[Sender Policy Framework (SPF)|SPF]] and [[DomainKeys Identified Mail (DKIM)|DKIM]] standards. For a DMARC check to pass, one of two scenarios must occur:

- The SPF check must pass (which implies that SPF is used) and the `Return-Path` domain must align with the `From` domain.
- The DKIM check must pass (which implies that DKIM is used) and the domain used in the DKIM signature must align with the `From` domain.

Notice the vocabulary used by DMARC: domains must 'align', not necessarily 'match'. How strictly they must align is regulated by the DMARC policy options (`adkim` and `aspf`, below).

DMARC is specified in a DMARC DNS record that looks like this:

`v=DMARC1; p=reject; rua=mailto:[email protected]`

The record includes the following tags:

- `p` indicates the DMARC policy: one of `none`, `quarantine` or `reject`. `none` is used for monitoring only. `quarantine` still accepts e-mails that do not pass the check but treats them as suspect. `reject` rejects them outright.
- `rua`: list of `mailto` addresses to send aggregate reports to. Most receiving servers do not send them, but more send aggregate reports than forensic reports. Google, for instance, sends aggregate reports but not forensic reports.
- `ruf`: list of `mailto` addresses to send forensic (aka failure) reports to. Most receiving servers do not send these, for privacy reasons.
- `sp`: DMARC policy (`none`, `quarantine` or `reject`) applied to e-mail from subdomains that fails the check. Use this to set a wildcard policy that applies to all subdomains.
- `fo`: failure (or forensic) reporting options. One of:
  - `0`: send failure reports if both the DKIM and SPF checks fail (default)
  - `1`: send reports if either check fails
  - `d`: send reports if the DKIM check has failed
  - `s`: send reports if the SPF check has failed
- `pct`: the percentage of received e-mails the policy is applied to. If `pct` is 50, the specified policy is applied to 50% of received e-mails; the other 50% go through. Use this to ease into DMARC. Default is 1, i.e. 100%.
- `adkim` and `aspf`: the alignment mode for DKIM and SPF respectively. One of `r` (relaxed) or `s` (strict, which is the default). Relaxed domain alignment passes for subdomains as well.
- `ri`: reporting interval in seconds. This will most likely be ignored by receiving servers.

If you're using [DNSControl](https://stackexchange.github.io/dnscontrol/) you should use `DMARC_BUILDER` to build DMARC records instead of writing them by hand, as it allows you to comment each part of the record and also supports advanced functionality (see its documentation). Example:

```js
DMARC_BUILDER({
  policy: 'reject',
  subdomainPolicy: 'quarantine',
  percent: 50,
  alignmentSPF: 'r',
  alignmentDKIM: 'strict',
  rua: [
    'mailto:[email protected]',
    'https://dmarc.example.com/submit',
  ],
  ruf: [
    'mailto:[email protected]',
  ],
  failureOptions: '1',
  reportInterval: '1h',
})
```

## Sources

- [[All You Need to Know About SPF, DKIM and DMARC]]
- [[Can I Use DMARC if I Have Only Deployed SPF – dmarc.org]]
- [[DMARC - Wikipedia]]
- [[Everything About a DMARC Record - DMARCLY]]
- [[How Can SPFDKIM Pass, and Yet DMARC Fail]]
- [[What Is a DMARC Policy All About the 3 Policies - DMARC Analyzer]]
- [[What Is DMARC Identifier Alignment]]
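As an added example (not code from the page or from DNSControl), the following Python walks through the pass rules and tags described above: it parses a record, checks strict versus relaxed alignment of the `Return-Path` and DKIM `d=` domains against the `From` domain, and picks `p` or `sp` when the check fails. It assumes a simplified organizational domain (last two labels) where a real evaluator would consult the Public Suffix List, and fills missing tags with the RFC 7489 defaults (relaxed alignment, `pct=100`); the record, addresses and domains are constructed.

```python
"""Parse a DMARC record and evaluate DMARC identifier alignment."""
from typing import Optional

# RFC 7489 defaults for tags that are absent from the record
RFC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = dict(RFC_DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain: str) -> str:
    """Assumed simplification: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def applicable_policy(tags: dict, record_domain: str, from_domain: str) -> str:
    """p applies to the record's own domain; sp (if present) to its subdomains."""
    rd, fd = record_domain.lower(), from_domain.lower()
    is_sub = fd != rd and fd.endswith("." + rd)
    return tags["sp"] if is_sub and "sp" in tags else tags["p"]


def evaluate(record: str, record_domain: str, from_domain: str,
             spf_pass: bool, return_path_domain: Optional[str],
             dkim_pass: bool, dkim_d_domain: Optional[str]) -> dict:
    """DMARC passes if SPF passed AND aligned, or DKIM passed AND aligned."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and return_path_domain and aligned(from_domain, return_path_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_d_domain and aligned(from_domain, dkim_d_domain, tags["adkim"]))
    passed = spf_ok or dkim_ok
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "action": "none" if passed else applicable_policy(tags, record_domain, from_domain)}


# Constructed sample record for example.com (strict DKIM, relaxed SPF alignment)
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:reports@example.com"

if __name__ == "__main__":
    print(evaluate(RECORD, "example.com", "example.com", True, "bounce.example.com", True, "mail.example.com"))
```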