DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email standard designed to help prevent email spoofing/phishing when used in conjunction with SPF and/or DKIM Certificate Generation. Additionally, DMARC gives the administrator the option to set the handling for the receiving server to handle the messages which fail the DMARC check. DMARC also provides the tools for domain owners to monitor the abuse of their domains.
We highly recommend configuring DMARC DNS records on domains especially if your domain is the target of spoofed emails. If you are unclear on how to setup DNS records please consult your DNS provider.
- Does Mail Assure Support DMARC?
- How Does DMARC Work?
- How to Set up a DMARC Record?
- Configuring DMARC Checks in Mail Assure
- Skip Specific Domains from DMARC Checks
Does Mail Assure Support DMARC?
Yes, Mail Assure fully supports DMARC on all incoming mail. Outgoing DMARC conformity is handled by the domain DNS administrator. No DMARC checks are enforced on outgoing email by the outgoing filter (the incoming recipient may still DMARC filter the message).
How Does DMARC Work?
DMARC works by allowing the domain administrator to specify the actions that should be taken when a spoofing message is received. It also allows for reporting of spoofing attempts. More information on how DMARC works can be found here:
- https://dmarc.org/wiki/FAQ
- RFC 7489 - Full technical specifications of the DMARC internet standards
How to Set up a DMARC Record?
DMARC records are set up in the domain's DNS (Domain Name Server). When you set up your DMARC record you choose the policy type (reject, quarantine, none). This record tells the server what should happen to messages that fail SPF/DKIM checks.
The following online tools may help you:
- https://kitterman.com/dmarc/assistant.html - allows you to build your DMARC record which you can then add to your DNS.
- https://dmarc.org/resources/deployment-tools/
Configuring DMARC Checks in Mail Assure
DMARC checks are enabled by default, we do not recommend disabling these.
To alter the DMARC checks within the Mail Assure filter:
- In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings
- In the Sender checks panel, ensure the DMARC option is ticked to have the checks enabled, or unticked to disable all DMARC checking:
- Click Save
Skip Specific Domains from DMARC Checks
At times you may need to skip this check for a specific sending domain so that any messages claiming to be from that domain (both SMTP sender address and header from address) will bypass the DMARC check. This can be done like SPF and DKIM check disabling:
- In the Domain Level Control Panel, select Incoming - Protection Settings > Filter Settings
- Click the Manage list of domains and IP addresses with disabled SPF, DKIM, and DMARC checks link at the top of the page
- Navigate to the Disabled DMARC Domains tab
- In the Add a Domain panel, enter the domain name in the Domain field and click Add
Any messages claiming to be from that domain (both SMTP sender address and header from address) will now bypass the DMARC check
Entering your own domains in this field will dramatically increase the risk of receiving a malicious message with spoofed from addresses.