Git/email-toolbox-wiki
1
0
Fork 0
mirror of https://github.com/internetstandards/toolbox-wiki.git synced 2024-11-22 02:51:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
fcc2300b97
email-toolbox-wiki/DMARC-how-to.md
Dennis Baaten a1443d255e
Update DMARC-how-to.md
2019-08-22 13:35:39 +02:00

3.0 KiB
Raw Blame History

Table of contents

Introduction

This how-to is created by the Dutch Internet Standards Platform (the organization behind internet.nl) and is meant to provide practical information and guidance on implementing DMARC.

What is DMARC?

DMARC is short for Domain based Message Authentication, Reporting and Conformance and is described in RFC 7489. With DMARC the owner of a domain can, by means of a DNS record, publish a policy that states how to handle e-mail (deliver, quarantine, reject) which is not properly authenticated using SPF and/or DKIM.

At the same time DMARC also provides the means for receiving reports which allows a domain's administrator to detect whether their domainname is used for phishing or spam.

Why use DMARC?

Before DMARC, organizations already took several measures to determine the authenticity of an e-mail (like SPF and DKIM) to reduce the received amount of SPAM to a minimum. This is basically a good thing, but if these measures fail to choose whether or not an email is SPAM with a high level of certainty, the choice is redirected to the addressee (receiving party). This methodology is prone to abuse, since users are generally not equiped with the knowledge and/or means to classify incoming emails.

DMARC addresses this problem and enables the owner of a domain to take explicit responsiblity with regard to the actions taken by the sending party when the validity of an incoming email cannot be determined.

Tips, tricks and notices for implementation

  • Interoperabily issues: https://tools.ietf.org/html/rfc7960
  • DMARC does not require both DKIM or SPF.
  • Parked domain: “DMARC p=reject”. Make sure to include rua and ruf addresses, since this allows monitoring of possible abuse attempts.
  • RFC 7489 states that the tags dmarc-version ("v=") and dmarc-request ("p=") should be on the first and second position of the DMARC record. The order of the other tags does not matter: "components other than dmarc-version and dmarc-request may appear in any order".
  • Errata 5440 of RFC 7489 states that a semicolon should be included in the DMARC version tag. Correct: "v=DMARC1;". Incorrect: "v=DMARC1".

Creating a DMARC record

The DMARC policy is published by means of DNS TXT record. Overview

rua: aggregate reports ruf: forensic reports

DMARC configuration tag Required? Value(s) Explanation
v mandatory DMARC1;
p mandatory none
quaritine
reject
rua optional rua@example.nl This field contains an e-mail address
ruf optional ruf@example.nl This field contains an e-mail address
fo mandatory 0
1
s
d		 reporting oprions for
adkim optional s
r
aspf optional s
r
pct optional
rf optional
ri optional
sp optional