DMARC

From Postmaster Administration Wiki

Domain-based Message Authentication, Reporting & Conformance

DMARC is a policy layer on top of DKIM and SPF. It is intended to prevent domain name impersonation ("phishing") and abuse. It also specifies a means for forensic reporting so that domain owners can gather statistics and monitor abuse.

Getting Started

For a sender, ensure that both SPF and DKIM are implemented. With those pieces in place, add to your domain's DNS zone a TXT record similar to this, where example.com is replaced by your domain:

_dmarc.example.com.	900 IN TXT	"v=DMARC1; p=none; rua=mailto:dmarc_reports@example.com"

The above allows a sender to start testing their configuration and gather daily aggregate reports from recipient servers concerning the sender's domain. DMARC allows for one or more email and/or HTTP URLs for report gathering. Once satisfied with the results, change the policy in the _dmarc.example.com. record from p=none to p=reject. Note that the 900 TTL can be removed or set larger once the final DMARC record is approved; the shorter TTL is only used during testing and evaluation.
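
As an added example (not part of the wiki page), the Python below checks a DMARC record value such as the one above before it is published, and reports whether the policy is still in the p=none testing stage. The function names, the accepted policy list and the finding messages are assumptions of this example.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}
REPORT_SCHEMES = ("mailto:", "http:", "https:")  # page: email and/or HTTP URLs

def parse_tags(txt):
    """Split a record value into an ordered list of (tag, value) pairs."""
    tags = []
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is harmless
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    return tags

def check_dmarc(txt):
    """Return (policy, report_uris, findings); raise ValueError if unusable."""
    tags = parse_tags(txt)
    # The version tag must come first and is case-sensitive.
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    fields = dict(tags)
    policy = fields.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or unknown policy: {policy!r}")
    uris = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    findings = []
    if not uris:
        findings.append("no rua tag: aggregate reports will not be sent")
    for uri in uris:
        if not uri.lower().startswith(REPORT_SCHEMES):
            findings.append(f"rua entry is not a mailto/HTTP URI: {uri}")
    if policy == "none":
        findings.append("p=none: monitoring only, policy not yet enforced")
    return policy, uris, findings

if __name__ == "__main__":
    # Constructed sample: the record value shown on this page.
    sample = '"v=DMARC1; p=none; rua=mailto:dmarc_reports@example.com"'
    print(check_dmarc(sample))
```
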
