Fraudulent emails are becoming increasingly dangerous. It is often difficult for the recipient to tell them apart from genuine emails: they show a known sender name and imitate the familiar look of emails from a known newsletter or service. To combat this threat, the verification mechanism DMARC (Domain-based Message Authentication, Reporting and Conformance) was created, which in Spanish is rendered as Domain-based Message Authentication, Reports and Compliance.
To contain the danger of phishing attacks, different security standards have been established:
As a domain owner, you do not want a scammer to send harmful or spam emails on your behalf. If that happened, your domain would appear on blacklists and your email messages would be rejected by many mail servers (bounces) or treated as spam.
An example: María González owns the domain test.com and sends her emails from the address [email protected]. If a scammer now takes the address [email protected] and uses it to send spam, the domain test.com is added to blacklists and the receiving servers block emails from [email protected].
DMARC is short for Domain-based Message Authentication, Reporting and Conformance. The concept was developed so that receiving servers verify the authenticity of emails (through SPF and DKIM) and, in the event of a negative result, also take measures agreed in advance with the owner of the domain from which the email was sent.
The domain owner informs all potential email recipients (i.e. their servers) that they have signed their emails with DKIM and/or authorized them with SPF. They ask recipients to verify all emails from their domain and, in suspicious cases (if the verification is negative), to take action. This is communicated by publishing a record in the domain zone and through the email header.
The receiving server checks whether the email can be authenticated with at least one of the two standards, DKIM or SPF. If neither succeeds, the email is considered "suspicious" and may be a fake, for example because a third party is abusing the sender address for their own ends.
The domain owner can recommend the following actions to recipients:
This recommendation is set out in the DMARC record (see below).
Reporting is also part of DMARC. Receiving servers should regularly send a report to the sender's domain about suspicious emails (that is, those that could not be authenticated with either DKIM or SPF). The addresses these reports go to are registered in the DMARC record.
Receiving servers are not required to honor the DMARC record. Just because you receive no notices about failed DKIM or SPF checks does not necessarily mean everything is fine.
Field / Meaning

v=DMARC1
    DMARC record version; DMARC1 indicates the current version.

p=
sp=
    Recommendation on how the recipient should act when both the DKIM and the SPF result are negative:
    - none: no action, the email is processed as usual
    - quarantine: the email is quarantined
    - reject: the email is rejected (bounce)
    p stands for "policy".
    sp stands for "subdomain policy" and applies to subdomains of the domain.

pct=
    Percentage of emails that should be treated according to the policy set above; the value is usually 100.

rua
    Defines whether the receiving server should send an aggregated report on "suspicious" emails and to which address it should be sent. (Important: take the data protection rules into account.)

ruf
    Like rua, but this is the "forensic" report, which contains all the details about the "suspicious" emails. (Important: take the data protection rules into account.)

fo
    Failure Reporting Options are the special settings for notifications about emails with a negative result:
    - fo=0: report when both SPF and DKIM fail. This is the default setting.
    - fo=1: report when either of the two checks (SPF or DKIM) does not "pass".
    - fo=d: report a DKIM failure whenever the signature does not verify, even if the key matches.
    - fo=s: report an SPF failure whenever SPF authentication fails for any reason, even if the SPF domain in the header and the DNS record match.
    Multiple options separated by colons can be included in the DMARC record.

rf
    Report format:
    - afrf: Authentication Failure Reporting Format (format for authentication failure reports)
    - iodef: Incident Object Description Exchange Format (format for describing and exchanging incidents)
    The afrf format is the default.

ri
    Reporting Interval, given in seconds; the standard value is 86400, that is, 24 hours (once a day).

adkim
aspf
    Alignment settings for the DKIM or SPF check:
    - s (strict): the domain must match exactly. For example: [email protected]
    - r (relaxed): a subdomain is also accepted. For example: [email protected]
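To show how the fields in the table above come together, and how a receiving server uses them in the check described earlier (authenticate with DKIM or SPF, then apply p=, sp= and pct= on failure), here is an added Python example. It is not code from the original article or from any DMARC tool; the sample record, the domain test.com and the constructed DKIM/SPF results are assumptions made for illustration, and the organizational-domain shortcut is a deliberate simplification of what real receivers do with the Public Suffix List.

```python
"""Parse a DMARC TXT record and work out what a receiving server would do with a message."""

# Constructed sample record for the article's example domain test.com.
# All values are assumptions for illustration, not a real published record.
SAMPLE_RECORD = (
    "v=DMARC1; p=quarantine; sp=none; pct=50; "
    "rua=mailto:dmarc@test.com; ruf=mailto:dmarc@test.com; "
    "fo=0:1; rf=afrf; ri=86400; adkim=s; aspf=r"
)

POLICIES = ("none", "quarantine", "reject")
# Defaults from RFC 7489 for tags the owner may leave out (sp defaults to p, handled below).
DEFAULTS = {"pct": "100", "fo": "0", "rf": "afrf", "ri": "86400", "adkim": "r", "aspf": "r"}


def parse_dmarc(txt: str) -> dict:
    """Split a record into tag/value pairs, validate the important ones and fill in defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # The record must begin with v=DMARC1 and must carry a p= policy.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])
    if tags["sp"] not in POLICIES:
        raise ValueError("sp= must be none, quarantine or reject")
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim= and aspf= must be r or s")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo= accepts only 0, 1, d and s, separated by colons")
    for uri_tag in ("rua", "ruf"):
        if uri_tag in tags and not all(u.strip().startswith("mailto:") for u in tags[uri_tag].split(",")):
            raise ValueError(f"{uri_tag}= must be a comma-separated list of mailto: URIs")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real receivers consult the Public Suffix List; this shortcut is wrong for e.g. example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain, so subdomains pass."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, dkim_domain=None, spf_domain=None, sample: int = 0):
    """Return (result, disposition) for one message.

    dkim_domain: the d= domain of a DKIM signature that verified (None if none did).
    spf_domain:  the domain SPF returned 'pass' for (None if SPF did not pass).
    sample:      a number 0..99 standing in for the receiver's random draw against pct=.
    """
    tags = parse_dmarc(record)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    # The organizational domain itself falls under p=, its subdomains under sp=.
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    # pct= sampling: messages outside the sample get the next weaker policy (RFC 7489 section 6.6.4).
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "fail", policy


if __name__ == "__main__":
    print(parse_dmarc(SAMPLE_RECORD))
    # DKIM d=news.test.com fails strict alignment, but SPF on bounce.test.com passes relaxed alignment.
    print(evaluate(SAMPLE_RECORD, "test.com", dkim_domain="news.test.com", spf_domain="bounce.test.com"))
    # Neither check passes: half the messages are quarantined (pct=50), the rest are let through.
    print(evaluate(SAMPLE_RECORD, "test.com", sample=10), evaluate(SAMPLE_RECORD, "test.com", sample=75))
```

The sample parameter makes the pct= behaviour reproducible: a real receiver draws a random number per message, so with pct=50 roughly half of the failing messages get the quarantine policy and the other half are downgraded one step. That is exactly why the article recommends starting with p=none and reading the reports before tightening the policy.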
Before you can create a DMARC record, you must have created the records for DKIM and SPF (you will find more information about this in the link above).
On the Internet you will find tools for creating a DMARC record, for example EasyDMARC's DMARC Record Generator. You then copy the generated record into your domain zone on the nameserver as a TXT record under the _dmarc subdomain.
It is recommended to leave the policy set to "none" at first and to watch the reports for a while to see whether DMARC behaves as intended.
You have to add the DMARC record you created to your nameserver as a TXT resource record. To do this, log in to your domain's hosting and open its configuration (in the example above this would be the domain gmx.es). In the cPanel hosting tool, the corresponding menu item is called "Zone Editor". There you create a new TXT record with the subdomain name _dmarc. The full name under which your DMARC record can be looked up is, following our example, _dmarc.gmx.es.
See the Help Center for instructions on setting up a DMARC record for a domain hosted at IONOS.
Depending on the nameserver, publishing the DMARC record takes between a few minutes and several hours. To check that the record has been published correctly, you can use one of the many tools available on the Internet, such as EasyDMARC's DMARC Record Lookup.
The easiest thing is to create a new email address on your domain reserved for DMARC reports. In our example: [email protected]