allanwallace.uk : Blog

A beginner's guide to DMARC.


What is Domain-based Message Authentication, Reporting & Conformance?
( What is DMARC? )

Domain-based Message Authentication, Reporting & Conformance - or DMARC, as it is better known - was started in 2010/2011 to help a domain's owner prove that its genuine emails are genuine, have not been tampered with, and originate from an email server that is authorised to send them.


SPF and DKIM combine with DMARC into a fairly solid solution to the problem of proving your emails are genuine (and others are fake).



What DMARC does: (In theory)

DMARC can do several things

• DMARC can set a policy on how to handle emails that fail the SPF check.
• DMARC can set a policy on how strict the SPF alignment check is. (aspf=s vs aspf=r)

• DMARC can set a policy on how to handle emails that fail the DKIM check.
• DMARC can set a policy on how strict the DKIM alignment check is. (adkim=s vs adkim=r)

• DMARC can set a policy on whether a compatible email server should provide reports on email delivery success and failure

• DMARC can set a policy on what percentage of emails to apply the rules to
• DMARC can set a policy on how to handle emails from subdomains.

It is only once DMARC is implemented correctly that the SPF for a domain can have an impact on email from a subdomain.
It is only once DMARC is implemented correctly that the DKIM for a domain can have an impact on email from a subdomain.


Notes:

• You can implement DMARC with loose policy in the beginning.
• You can use the reporting options / forensic reporting options to get reports on the email delivery with that in effect.
• You can use the information from those reports to increase the strictness of the DMARC policy.



How to create your first DMARC policy:


This is a DMARC policy:

v=DMARC1; p=none; sp=none; pct=100; fo=1; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com; aspf=r; adkim=r


What this means:

v=DMARC1
I am a DMARC policy


;
is a separator between parts of the DMARC record.


p=none
(this means policy=none)
There is no policy for how you should handle email from this domain.


sp=none
(this means subdomain policy=none)
There is no policy for how you should handle email from subdomains of this domain.


pct=100
(percentage=100)
Apply this non-policy to 100% of emails.
This is the default, there is no requirement to put it in unless you want a different value.


fo=1
(forensic reporting = 1)
This generates the most comprehensive reports about emails that fail SPF or DKIM checks.
These can be useful.


rua=mailto:rua@example.com
This is the address for aggregate reports to be delivered to.
If you wanted to, you could add further addresses separated by the , symbol.
(If you want to add an address that is on a different domain, there are additional considerations.)


ruf=mailto:ruf@example.com
This is the address for forensic reports to be delivered to.
If you wanted to, you could add further addresses separated by the , symbol.
(If you want to add an address that is on a different domain, there are additional considerations.)


aspf=r
(SPF alignment check = relaxed)
In other words, if your email is from a subdomain, but sent from a server listed in the parent domain's SPF, the email is allowed.


adkim=r
(DKIM alignment check = relaxed)
In other words, if your email is from a subdomain, but the DKIM key it was signed with is from the parent domain, the email is allowed.


In theory, the above DMARC allows emails to be delivered regardless.

The particularly useful bit is this allows you to find where your genuine emails are being sent from, and to an extent fake ones too.

In essence, that's it, that's DMARC, relaxed non-strict DMARC.

Perhaps not the best practice option.



This is my DMARC policy:
v=DMARC1;p=reject;sp=reject;aspf=s;adkim=s;fo=1;rua=mailto:rua@allanwallace.uk;ruf=mailto:ruf@allanwallace.uk


What this means:

v=DMARC1
I am a DMARC policy


;
is a separator between parts of the DMARC record.


Where have the spaces gone?
Spaces are not required by the specification so I don't waste the bytes.


p=reject
(this means policy=reject)
REJECT emails from this domain that fail SPF / DKIM checks.


sp=reject
(this means subdomain policy=reject)
REJECT emails from subdomains of this domain that fail SPF / DKIM checks.


aspf=s
(SPF alignment check = STRICT)
SPF is checked against the FQDN (the part of the email address after the @ symbol).
e.g.
Emails from info@example.com would be checked against the SPF published as a TXT record at example.com
Emails from info@www.example.com would be checked against the SPF published as a TXT record at www.example.com

In aspf=s (strict) mode, the above apply.
In aspf=r (relaxed) mode, you can send an email from @www.example.com and DMARC will check it against the SPF record published at example.com


adkim=s
(DKIM alignment check = STRICT)
DKIM is checked against the FQDN (the part of the email address after the @ symbol).
e.g.
Emails from info@example.com with a selector of 20181017 would be checked against the 20181017._domainkey.example.com DKIM record.
Emails from info@www.example.com with a selector of 20181017 would be checked against the 20181017._domainkey.www.example.com DKIM record.

In adkim=s (strict) mode, the above apply.
In adkim=r (relaxed) mode, you can send an email from @www.example.com and DMARC will check it against the DKIM key published at example.com


fo=1
(forensic reporting = 1)
This generates the most comprehensive reports about emails that fail SPF or DKIM checks.


rua=mailto:rua@allanwallace.uk
This is the address for aggregate reports to be delivered to.


ruf=mailto:ruf@allanwallace.uk
This is the address for forensic reports to be delivered to.


Because I test using gmail.com, I do get forensic reports, which can be useful for monitoring purposes.


In theory, the above DMARC states:
If the email is from @allanwallace.uk, passes SPF check against allanwallace.uk, passes DKIM check against allanwallace.uk, it is genuine.
If the email is from @www.allanwallace.uk, passes SPF check against www.allanwallace.uk, passes DKIM check against www.allanwallace.uk, it is genuine.
If the email fails either check it is not genuine.
If the email fails both checks it is not genuine.

and:
Whether the email is genuine or not, please send forensic reports to me for analysis.
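The alignment and policy logic described above, written out as an added example (not the post's own code): it parses the two records shown in the post, applies strict versus relaxed alignment, and picks p or sp depending on whether the From domain is the record's domain or a subdomain. It follows RFC 7489, under which a message passes DMARC when at least one of SPF or DKIM both passes and is aligned; the organizational-domain helper is a two-label simplification (a real evaluator consults the Public Suffix List), and all inputs are constructed.

```python
"""Added example: parse a DMARC record, check alignment, pick the policy.
Not the blog's code; follows RFC 7489 with a simplified org-domain rule."""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' (spaces optional) into a dict of tags."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            tags[tag.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("sp", tags["p"])  # sp falls back to p when absent
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels. Simplification: real
    evaluators use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): identical domain. Relaxed (r): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, record_domain: str, from_domain: str,
             spf_domain: str, spf_pass: bool,
             dkim_domain: str, dkim_pass: bool) -> tuple:
    """Return (dmarc_result, applicable_policy). DMARC passes when at least
    one mechanism passed its own check AND is aligned with the From domain;
    p applies to the record's own domain, sp to its subdomains."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    is_sub = from_domain.lower() != record_domain.lower()
    return result, (tags["sp"] if is_sub else tags["p"])

# Constructed inputs: the two records quoted in the post.
RELAXED = ("v=DMARC1; p=none; sp=none; pct=100; fo=1; rua=mailto:rua@example.com; "
           "ruf=mailto:ruf@example.com; aspf=r; adkim=r")
STRICT = ("v=DMARC1;p=reject;sp=reject;aspf=s;adkim=s;fo=1;"
          "rua=mailto:rua@allanwallace.uk;ruf=mailto:ruf@allanwallace.uk")
```

Under RELAXED, mail from www.example.com whose SPF passed for example.com evaluates to ('pass', 'none'); under STRICT the same subdomain mail with both checks passing for allanwallace.uk is misaligned and evaluates to ('fail', 'reject').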



How to implement DMARC, how to implement your first DMARC policy:
(AKA the 5 steps to implementing SPF, DKIM and DMARC)

1 - Implement SPF.

2 - Choose one email service provider / setup a mailserver that supports DKIM.
- I haven't done this with gmail.com

3 - Implement DKIM.

4 - Test and confirm both SPF and DKIM working.
- I use a gmail account for testing; it works very well for this purpose. If DKIM isn't working properly, it tends to go to junk.

5 - Implement DMARC.
(Ok, you don't NEED to implement DMARC, but as per point 0...)

6 - Test DMARC.
- if you get it right first time, you can skip this step.


Combined with SPF and DKIM, DMARC can go a long way towards proving your emails are 100% genuine
- and faked ones from others are 100% fake.

This is only part of the solution, and is simplifying somewhat, but that is in essence what it is.
Phishing is a risk. CEO fraud is a risk. Why make it easy for criminals and spammers?


Last Updated 2022/04/12 21:50 CET.


© 2019 Allan Wallace