+5 votes
in Email security by (242k points)
DMARC: Email Domain Abuse Detection

1 Answer

+3 votes
by (1.6m points)
Best answer

A challenge: protect domain reputation
One solution: DMARC
What is DMARC and how it works
The content of the DMARC record
Create a DMARC record
Add the DMARC record on the nameserver
Check a DMARC record
Configure the email address for reports


DMARC: Email Domain Abuse Detection

Fraudulent emails are becoming more and more dangerous. It is often difficult for the recipient to differentiate them from real emails: they show a known sender name and take the familiar look of emails from a known newsletter or services. To combat this threat, the verification mechanism DMARC (Domain-based Message Authentication Reporting and Conformance) was created, which in Spanish translates as Domain-based Message Authentication , Reports and Compliance.

  1. A challenge: protect domain reputation
  2. One solution: DMARC
    1. What is DMARC and how it works
    2. The content of the DMARC record
    3. Create a DMARC record
    4. Add the DMARC record on the nameserver
    5. Check a DMARC record
    6. Configure the email address for reports

A challenge: protect domain reputation

To contain the danger of phishing attacks , different security standards have been established:

  • SPF (Sender Policy Framework), to verify the address of the sender of emails.
  • DKIM (DomainKeys Identified Mail), to verify the authenticity of emails by means of digital signature.

As a domain owner, you do not want a scammer to send harmful or spam emails on your behalf. If so, your domain would appear on the blacklists and your email messages would be rejected by many mail servers ( bounces ) or treated as spam..

An example: María González owns the domain test.com and sends her e-mails with the address [email protected] . If now a scammer takes advantage of the address [email protected] and uses it as spam mail , the domain test.com is added to the blacklists and the receiving servers block emails from [email protected] .

One solution: DMARC

DMARC is short for Domain-based Message Authentication Reporting and Conformance. This concept was developed so that the receiving servers would verify the authenticity of the emails (through SPF and DKIM) and, in the event of a negative result, also take measures previously agreed with the owner of the domain of the sent email.

What is DMARC and how it works

The domain owner informs all potential email recipients (i.e. their servers) that they have signed their emails with DKIM and / or verified them with SPF. It asks them to verify all emails from their domain and in suspicious cases (if the verification is negative) take action. This is communicated by including a record in the domain zone and in the email header ..

The receiving server checks if the email can be authenticated with at least one of two standards: DKIM or SPF. If it is not possible, then it is considered as "suspicious", and it may be a fake. For example, a third party abuses the return address for their own interests.

The domain owner can recommend the following actions to recipients :

  1. return suspicious email,
  2. quarantine it
  3. or accept it anyway and just notify the domain owner.

This recommendation is set out in the DMARC report (below)..

The reporting or report is also part of DMARC. Receiving servers must regularly send a report to the sender's domain informing about suspicious emails (that is, those that could not be authenticated, neither with DKIM, nor with SPF). These email addresses are registered with DMARC.


Receiving servers are not required to consider the DMARC record. Just because you don't get notices about negative DKIM or SPF checks doesn't necessarily mean everything is fine.

The content of the DMARC record



v = DMARC1

DMARC record version; DMARC1 indicates the current version.

p =

sp =

Recommendation on how the recipient should act in case of negative DKIM and SPF result:

- none : no action, it is processed as usual

- quarantine : the email is quarantined

- reject : the email is rejected ( bounce )

p means? policy ?

sp means? subdomain-policy ? and refers to the subdomain.

pct =

Percentage of emails that should be treated according to the policy established above; that value is usually 100.


Defines whether the receiving server should send an aggregated report on "suspicious" emails and to which address it should. (Important: take into account the provisions on data protection).


Like rua , but this is the "forensic" report that contains all the details about the "suspicious" emails. (Important: take into account the provisions on data protection).


Failure Reporting Options are the special configuration options regarding the notifications of emails with negative results:

- fo = 0 : when SPF and DKIM establish negative result. This is the default setting.

- fo = 1 : when one of the two processes (SPF and DKIM) does not? pass? the verification.

- fo = d : report DKIM failure if the signature is not correct, even if the key matches.

- fo = s : report SPF failure if SPF authentication fails for any reason, even if the SPF records in the header and the DNS report match. Multiple options separated by colons can be included in the DMARC record.


Report format:

- afrf : Authentication Failure Reporting Formats (negative report authentication format)

- iodef : Incident Object Description Exchange Format (format for the description and exchange)

The afrf format comes by default.


Reporting Interval to indicate in seconds; The standard is 86 400, that is, 24 hours (once a day).



Settings for DKIM or SPF verification:

- s = Strict : the domain must match exactly (strict). For example: [email protected]

- r = Relaxed : it can be a subdomain (relaxed). For example: [email protected]

Create a DMARC record

Before you can create a DMARC record, you must have created the records for DKIM and SPF (you will find more information about this in the link above the article).

On the Internet you will find tools with which you can create a DMARC record, such as, for example, EasyDmarc's DMARC Record Generator, which copies this record as a TXT record with the _dmarc subdomain in the domain zone of the server name.

In easydmarc's DMARC Record Generator you can create the form-controlled DMARC report that is displayed in green at the bottom of the image.

First of all, it is recommended to leave the policy section at? None? and observe for a while with the help of the reports if DMARC works as desired.

Add the DMARC record on the nameserver

You have to add the DMARC record that you have created on your nameserver as a TXT Resource Record . To do this, log in to the hosting of your domain and open the configuration (in the example above it would be the domain gmx.es ). In the cPanel hosting tool, the corresponding menu item is called "Zone Editor". There you create a new TXT record with the subdomain name _dmarc . The full name with which you access your DMARC record is, following our example, _dmarc.gmx.es .


See the Help Center for instructions on setting up a DMARC record for a DMARC domain at IONOS.

Check a DMARC record

Depending on the nameserver, the DMARC record takes between a few minutes and hours to publish. If you want to check that the record has been published correctly, you can use many tools on the Internet, such as EasyDMARC's DMARC Record Lookup.

Accessing a DMARC record with a free tool using the domain nytimes.com as an example.

Configure the email address for reports

The easiest thing is to create a new email address on your domain reserved for DMARC reports. In our example: [email protected]