DMARC, the last step in enabling enhanced email security, is a reporting and compliance policy for domain-based message authentication that helps prevent phishing and fraud based on email spoofing.
The receiving server looks up the DMARC record in DNS for the domain of the sender address (From), then authenticates incoming mail according to the policy defined in that record. A DMARC policy specifies the use of SPF and DKIM and how mail is handled when each authentication method fails.
Some mail services (e.g., Gmail, Yahoo) treat mail as spam and block delivery if DMARC is not applied. We recommend using DMARC records for a higher delivery rate.
Register the DMARC DNS record under the '_dmarc' subdomain of the sender domain to which DMARC is to be applied, such as '_dmarc.example.com.'
The following is an example of a DMARC DNS record.
"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com;"
The following table describes the values used in DMARC records. For more information, refer to RFC 7489.
Classification | Required | Value | Description |
---|---|---|---|
v | Required | DMARC1 (Fixed) | Version. |
p | Required | none, quarantine, reject | Policy for handling failure. |
sp | Optional | none, quarantine, reject | Failure handling policy for subdomains. |
pct | Optional | 0 ~ 100 (default 100) | The proportion of emails to which the policy is applied. For example, if it is 50, half of the emails received will be authenticated by DMARC policy. |
adkim | Optional | s, r (default) | DKIM Alignment. Setting for matching level of DKIM-Signature domain (d) and From (5322.From). |
aspf | Optional | s, r (default) | SPF Alignment. Setting for the matching level of MAIL FROM (5321.From) and From (5322.From) during SPF authentication. |
rua | Optional | ||
ruf | Optional | ||
fo | Optional | 0 (default), 1, d, s | Criteria to generate a failure report (ruf). |
rf | Optional | afrf (fixed) | Setup for the failure report (ruf) format. |
ri | Optional | 86400 (default value, in seconds) | Period to count failures. A failure report (rua) is sent every set period. |

Failure Policy | Description |
---|---|
none | Requests that the receiving server take no action on failure. Can be set in situations where SPF and DKIM are not used. |
quarantine | Requests that the receiving server treat failed mail as spam. |
reject | Requests that the receiving server return mail that fails DMARC. Typically, sending and receiving servers prefer to handle this with a status notification (DSN) response during SMTP communication. |

Policy | Description |
---|---|
s | Strict. The domain part must match completely. |
r | Relaxed. Subdomains also match. For example, with 'd=example.com', 'From: news.example.com' passes. |

Criteria | Description |
---|---|
0 | Report when both SPF and DKIM fail. |
1 | Report when either SPF or DKIM fails. |
d | Report when DKIM authentication fails. |
s | Report when SPF authentication fails. |

"v=DMARC1; p=none; fo=1; rua=mailto:${ address_to_receive_report }"
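
The tag rules in the tables above can be checked before a record is published. The following Python validator is an added example, not NHN Cloud code: `parse_dmarc` and its messages are hypothetical names, and the "v comes first" rule, the colon-separated `fo` list and the `!size` suffix on report addresses come from RFC 7489 rather than from this page.

```python
import re

# Allowed values and defaults from the tag tables on this page.
ALLOWED = {"p": {"none", "quarantine", "reject"}, "sp": {"none", "quarantine", "reject"},
           "adkim": {"s", "r"}, "aspf": {"s", "r"}, "rf": {"afrf"}}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0", "rf": "afrf", "ri": "86400"}
# mailto: URI with the optional "!<size>" suffix allowed by RFC 7489.
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?")


def parse_dmarc(record):
    """Parse a DMARC TXT value; return (tags with defaults applied, problems)."""
    tags, problems = {}, []
    parts = [p.strip() for p in record.strip().strip('"').split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"malformed tag: {part!r}")
            continue
        if name in tags:
            problems.append(f"duplicate tag: {name}")
            continue
        if i == 0 and name != "v":  # RFC 7489: v must be the first tag
            problems.append("v must be the first tag")
        tags[name] = value
    if tags.get("v") != "DMARC1":
        problems.append("v is required and must be DMARC1")
    if "p" not in tags:
        problems.append("p is required")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"{name}={tags[name]} is not one of {sorted(allowed)}")
    if "pct" in tags and not (tags["pct"].isdecimal() and int(tags["pct"]) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    if "ri" in tags and not tags["ri"].isdecimal():
        problems.append("ri must be a number of seconds")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo must be 0, 1, d or s (colon-separated)")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if uri.strip() and not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{name}: not a mailto: address: {uri.strip()}")
    return {**DEFAULTS, **tags}, problems


if __name__ == "__main__":
    # Constructed sample with several mistakes, to show the reported problems.
    for line in parse_dmarc("p=reject; v=DMARC1; pct=150; adkim=x; rua=dmarc@example.com")[1]:
        print(line)
```

Run against the record above with its `${ address_to_receive_report }` placeholder left unsubstituted, the validator reports the `rua` value as an invalid address, which catches a template that was published without being filled in.
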
According to RFC 7489, some receiving servers may run SPF authentication logic before DMARC. DMARC authentication may fail if the SPF record has a '-' prefix, such as '-all'. If DMARC authentication fails on some receiving servers, remove the '-' prefix (as in '-all') from the SPF record and try DMARC authentication again.
Note that DMARC does not fully guarantee that the receiving server will handle mail in accordance with the DMARC policy. DMARC should be understood as the sending server proposing a policy to the receiving server. For example, even when the failure policy is set to 'none', the receiving server may still treat emails that fail authentication as spam.
NHN Cloud performs DMARC authentication in accordance with RFC 7489. If some receiving servers fail to receive mail, contact Customer Center > 1:1 Enquiry.