Create a DMARC policy
Domain-based message authentication, reporting and compliance (DMARC) is an inbound mail policy built on top of SPF and DKIM records, designed to detect and prevent fraudulent mail.
When you add a DMARC policy to your domain, you choose to inform the recipient that your emails are protected by SPF and/or DKIM records, and what to do if your DMARC policy does not align with those records.
Example of the DMARC sending process
The sender adds a DMARC policy to your domain.
An email is sent.
The recipient checks if the email contains a DMARC policy.
If so, the SPF/DKIM records mentioned in the sender's DMARC policy are validated.
If the SPF/DKIM records pass validation, they must pass something called 'alignment'.
If the 'alignment' is passed, the mail is received.
If the 'alignment' is not passed (even if the SPF/DKIM check is passed), the message fails. This helps ensure that fraudulent activity that appears to come from the domain is blocked.
The DMARC policy checks the domain name listed in the Sender: field of the message. It then compares that domain with other authenticated domain names listed in the mail header. If they are identical, your DMARC policy is aligned.
If not, you should contact your mail server and ask for instructions on how to make sure your records are aligned.
Strict and relaxed alignment
The alignment in your policy can be set as strict or relaxed.
Strict alignment - the domains must be identical.
Relaxed alignment - the top-level 'organisational domain' must match.
The 'Organisational Domain' is your domain name followed by its suffix. For example:
example.com
example.net
example.com.au
The sender's DMARC policy contains information on how to handle emails that fail authentication. Two types of reports can be created:
Aggregate reports - sent as XML format once a day, consisting of aggregated data of all DMARC failures.
Forensic reports (aka failure reports) - generated immediately and consists of individual mails that failed.
Set up an SPF and/or DKIM record on your domain.
Send an email to yourself (or another address you own). Once received, view your headers. Verify the domain alignment by identifying the domain listed as the sending address. It can be located in the following places:
The From domain envelope - From: [email protected]
The return path - [email protected]
The d=domain in the DKIM-Signature - DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.com;
The domains mentioned in all these areas must be identical, otherwise DMARC will fail to align.
Create two separate email addresses to receive forensic reports and daily DMARC aggregates. It is recommended that you create two mail addresses, as you may receive a large number of reports. For example:
[email protected]
[email protected]
Create the TXT record.
In your dashboard, navigate to the Manage Domains page.
Click the DNS link under your domain.
When the following page opens, enter a new TXT record as shown in the example below:
Name - _dmarc
Type - TXT
Value - Below is a basic configuration that handles most of your DMARC needs. Just be sure to set the mailing addresses to the addresses you created earlier to receive incoming reports.
v=DMARC1; p=none; fo=1; rua=mailto:[email protected];ruf=mailto:[email protected];pct=100
See the section below for more details on the different options you can use.
Within 4-6 hours, the log will be updated online.