DMARC: Difference between revisions

From Acenet Knowledgebase
Created page with " DMARC (Domain-based Message Authentication, Reporting and Conformance) is an e-mail authentication method designed to help reduce e-mail abuse. It builds upon the SPF (Sender..."
 
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:


DMARC (Domain-based Message Authentication, Reporting and Conformance) is an e-mail authentication method designed to help reduce e-mail abuse. It builds upon the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication methods to provide a more reliable way to exchange email messages.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a standard that allows you to set policies on who can send email for your domain based on DKIM and SPF. If you are new to email authentication, we recommend first [[How to enable Email Authentication|reading about SPF and DKIM]]. <br>


In combination with SPF and DKIM, a DMARC policy in DNS allows you to set rules to reject or quarantine (junk folder) emails from sources you do not know. Through support from ISPs (Gmail, Yahoo, Microsoft and more) DMARC also allows you to receive reports on sending activity for your domain.  DMARC is based on a DNS TXT record that is added to the _dmarc subdomain of your domain. The format and values of the record defines your DMARC policies as well as where you would like to receive reports.  <br><br>


== How Does DMARC work ==
Acenet '''strongly''' recommends setting up a specific email address for the DMARC feedback reports.  You can use either "postmaster@" or possibly "dmarc@" your domain as the mailto address in the DNS record below.
<br><br>


DMARC standardizes how email receivers perform email authentication.  This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.  This should encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.
== Implementing DMARC on your domain ==


 
DMARC is extremely powerful as a tool to stop email spoofing. At the same time, it's highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing, CRM, transactional email, server alerts, etc) you could potentially reject legitimate emails. It is recommended that you first set your DMARC policy to p=none. This will allow you to receive reports on the sending sources of your emails and slowly align all outgoing email with DKIM and SPF for your domain.
=== Configuring DMARC in DNS ===


To enable DMARC, add a TXT record to your domain's DNS zone file.
To enable DMARC, add a TXT record to your domain's DNS zone file.
Line 14: Line 15:
1) Log into cPanel
1) Log into cPanel


2) In the Domains section of cPanel, click Advanced DNS Zone File.
2) Under Domain, find your domain name and then click the Manage link.  It has a wrench near it.
 
3) Under Select a Domain, select the domain you want to add a record to.
 
4) Under Add a record, in the Name text box, type '''_dmarc'''


5) In the TTL textbox, enter '''14400'''
3) Under Add a record, click the down arrow, and select Add DMARC record.


6) In the Type list box, select '''TXT'''
4) In the TTL textbox, enter '''14400'''


7) In the TXT Data box, enter the DMARC configuration DATA.
5) In the TXT Data box, enter the DMARC configuration DATA.


{{note|Different mail providers handle DMARC policies in different ways. You may have to experiment with various DMARC configurations to find the one that works best for your domain.  
{{note|Different mail providers handle DMARC policies in different ways. You may have to experiment with various DMARC configurations to find the one that works best for your domain.  
Line 49: Line 46:
}}
}}


8) Click '''Add Record'''.
6) Click the optional Paramaters link to display additional settings.
 
7) Select Quarantine
 
8) You will need to enter an email address where mail reports will be sent to.  Acenet recommends a new box to be used exclusively for mail reports.  enter this address under Send Failure Reports to.  This can be checked periodically and then emptied.
 
9) Click the blue Add Record button.




===Testing your DMARC DNS record===
==Testing your DMARC DNS record==


After adding the DNS TXT record for DMARC, please allow a few hours for DNS Propagation.  
After adding the DNS TXT record for DMARC, please allow a few hours for DNS Propagation.  
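
Review bot: Step 7 ("Select Quarantine") in the new revision conflicts with the guidance in "Implementing DMARC on your domain" to first set the policy to p=none, and with the sample nslookup and dig output, which both show p=none. Suggest having step 7 select None for the initial rollout and telling the reader to move to Quarantine only after the reports show that all legitimate sources pass SPF and DKIM. In the same block of steps, "Paramaters" in step 6 should read "Parameters", and the sentence starting "enter this address" in step 8 should be capitalised.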

Latest revision as of 10:47, 25 April 2019

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a standard that allows you to set policies on who can send email for your domain based on DKIM and SPF. If you are new to email authentication, we recommend first reading about SPF and DKIM.

In combination with SPF and DKIM, a DMARC policy in DNS allows you to set rules to reject or quarantine (junk folder) emails from sources you do not know. Through support from ISPs (Gmail, Yahoo, Microsoft and more), DMARC also allows you to receive reports on sending activity for your domain. DMARC is based on a DNS TXT record that is added to the _dmarc subdomain of your domain. The format and values of the record define your DMARC policies as well as where you would like to receive reports.

Acenet strongly recommends setting up a specific email address for the DMARC feedback reports. You can use either "postmaster@" or possibly "dmarc@" your domain as the mailto address in the DNS record below.

Implementing DMARC on your domain

DMARC is extremely powerful as a tool to stop email spoofing. At the same time, it is highly complicated and risky to implement. If you set a DMARC policy without knowing all of your email sources (mailboxes, email marketing, CRM, transactional email, server alerts, etc.), you could potentially reject legitimate emails. It is recommended that you first set your DMARC policy to p=none. This will allow you to receive reports on the sending sources of your emails and slowly align all outgoing email with DKIM and SPF for your domain.

To enable DMARC, add a TXT record to your domain's DNS zone file.

1) Log into cPanel

2) Under Domain, find your domain name and then click the Manage link. It has a wrench near it.

3) Under Add a record, click the down arrow, and select Add DMARC record.

4) In the TTL textbox, enter 14400

5) In the TXT Data box, enter the DMARC configuration data.

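Note: Different mail providers handle DMARC policies in different ways. You may have to experiment with various DMARC configurations to find the one that works best for your domain.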

6) Click the optional Parameters link to display additional settings.

7) Select Quarantine

8) You will need to enter an email address where mail reports will be sent. Acenet recommends a new mailbox used exclusively for mail reports. Enter this address under Send Failure Reports to. This mailbox can be checked periodically and then emptied.

9) Click the blue Add Record button.


Testing your DMARC DNS record

After adding the DNS TXT record for DMARC, please allow a few hours for DNS Propagation.

Microsoft Windows

Type nslookup at a command prompt. At the nslookup> prompt, type the following commands, replacing example.com with the actual domain name.

<syntaxhighlight lang="bash">
set type=txt
_dmarc.example.com
</syntaxhighlight>

You should see output that resembles the following:

<syntaxhighlight lang="bash">
_dmarc.example.com text =

    "v=DMARC1;p=none;rua=mailto:[email protected]"
</syntaxhighlight>

Linux and Mac OS X

Type the following command at the command prompt. Replace example.com with your own domain name:

<syntaxhighlight lang="bash"> dig +short txt _dmarc.example.com </syntaxhighlight>

You should see output similar to the following.

<syntaxhighlight lang="bash"> "v=DMARC1; p=none; rua=mailto:[email protected]" </syntaxhighlight>
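
To check more than the presence of the record, the following added example (not part of the original Acenet page) parses a TXT value as printed by dig and reports problems with the version tag, the policy and the report address. The function names and the sample records, including the dmarc@ and postmaster@ addresses at example.com, are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT value (as printed by dig) into an ordered tag dict."""
    txt = txt.strip()
    if txt.startswith('"') and txt.endswith('"'):
        # dig prints long records as "chunk" "chunk"; join them with no separator
        txt = "".join(txt[1:-1].split('" "'))
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # the first occurrence of a tag wins if it is repeated
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def check_dmarc(txt):
    """Return (tags, findings); an empty findings list means nothing was flagged."""
    tags = parse_dmarc(txt)
    findings = []
    # v=DMARC1 is case-sensitive and must be the first tag in the record
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none is monitor-only; failing mail is not "
                        "quarantined or rejected")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        findings.append("no rua= address, so no aggregate reports will arrive")
    for uri in uris:
        if not uri.lower().startswith("mailto:") or "@" not in uri:
            findings.append("rua entry is not a mailto: address: " + uri)
    return tags, findings


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain
    samples = [
        '"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"',
        '"v=DMARC1;p=none;rua=mailto:postmaster@example.com"',
        '"p=reject; v=DMARC1"',
    ]
    for sample in samples:
        print(sample, "->", check_dmarc(sample)[1])
```

On a live domain, pass the string returned by `dig +short txt _dmarc.example.com` to `check_dmarc`.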