How do I configure a DMARC record to meet my organization's needs?

DMARC is a protocol for monitoring and controlling the e-mail flows of a mail domain.

Ready to set up your first DMARC record?

In order to fully benefit from DMARC, simply set up a DMARC record in your DNS zone:

  • Hostname: _dmarc.yourdomain.com
  • Type: TXT
  • Value: several possible values

Setting up this record normally takes no more than 5 minutes. The purpose of this article is to set out several possible values for your DMARC record that will allow your organization to meet its security, legal and control needs.

Examples of common DMARC records:

If you want to receive reports about who is sending emails with your domain name, as well as examples of emails sent with your domain name but failing their SPF or DKIM tests:

v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com; ruf=mailto:yourmail@yourdomain.com; fo=1;

If you want to receive reports on who is sending e-mails with your domain name, but you do not want to receive examples of e-mails sent with your domain name, so as not to store any personal data (e-mail addresses, e-mail subjects, etc.):

v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com;

If you want emails that are not authenticated by your organization to be delivered to your recipients' spam folder:

v=DMARC1; p=quarantine; rua=mailto:yourmail@yourdomain.com;

If you do not want your recipients to receive emails not authenticated by your organization:

v=DMARC1; p=reject; rua=mailto:yourmail@yourdomain.com;

If you do not want your recipients to receive emails that are not authenticated by your organization when they are sent from your top domain, but you want to tolerate the receipt of unauthenticated emails when they are sent with subdomains:

v=DMARC1; p=reject; sp=none; rua=mailto:yourmail@yourdomain.com;

If you do not want your recipients to receive unauthenticated email from your organization, but you do want them to receive unauthenticated email when it comes from a particular subdomain, set up a DMARC monitoring policy on that subdomain:

  • Hostname: _dmarc.subdomaintobeprotected.yourdomain.com
  • Type: TXT
  • Value: v=DMARC1; p=none; rua=mailto:yourmail@yourdomain.com;

If you want only 30% of the unauthenticated emails sent with your organization's domain name to be delivered to your recipients' spam folder:

v=DMARC1; p=quarantine; pct=30; rua=mailto:yourmail@yourdomain.com;

This DMARC record lets you deploy DMARC progressively in "quarantine" mode, limiting the risk in case some legitimate email sources were not identified during the analysis of the DMARC reports.

If you want to partition your suppliers so that they can only send e-mails with the subdomain they have been assigned:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:yourmail@yourdomain.com;

Monitoring DMARC reports: a regular task over time

Setting up these DMARC records will allow you to receive a large number of DMARC XML reports like this one:

Once DMARC is implemented in "blocking" mode, it will be necessary to regularly analyze DMARC reports to ensure that all your legitimate email sources have been authenticated with SPF/DKIM. The mechanism (SPF/DKIM/DMARC) requires regular and careful maintenance.
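The kind of regular check described above can be scripted. The following is an added example, not code from this article or from any reporting service: it reads one aggregate report and totals, per sending IP, the messages that failed both DKIM and SPF. The XML is a constructed sample in the RFC 7489 aggregate report layout using documentation IP ranges, and the names `failing_sources` and `_record` are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, dkim, spf):
    # Helper that builds one constructed <record> element for the sample below.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>yourdomain.com</header_from></identifiers>"
            f"</record>")

# Constructed sample report (RFC 7489 aggregate layout, documentation IP ranges).
SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name>"
    "<report_id>constructed-1</report_id></report_metadata>"
    "<policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")     # fully authenticated source
    + _record("198.51.100.7", 40, "pass", "fail")    # DKIM alone is enough for DMARC
    + _record("203.0.113.25", 5, "fail", "fail")     # unauthenticated source
    + _record("203.0.113.25", 3, "fail", "fail")     # same source, second row
    + "</feedback>"
)

def failing_sources(report_xml):
    """Return {source_ip: message_count} for rows that failed DMARC, i.e. where
    neither the aligned DKIM result nor the aligned SPF result is 'pass'."""
    # Reports arrive from third parties: refuse DTDs to avoid entity expansion.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DTD not allowed in DMARC report")
    totals = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = row.findtext("count")
        if ip is None or count is None:
            continue  # malformed row: skip rather than guess
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip().lower()
        if dkim != "pass" and spf != "pass":
            totals[ip.strip()] += int(count)
    return dict(totals)

if __name__ == "__main__":
    for ip, n in sorted(failing_sources(SAMPLE_REPORT).items()):
        print(f"{ip}: {n} message(s) failed DMARC")
```

Any source this lists that belongs to a legitimate sender needs its SPF or DKIM fixed before the policy is moved to quarantine or reject.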

To assist you, we have set up a managed, easy-to-use service to help you analyze these reports:
