Document information

Document ID: 5143
Subject: DMARC - What is it and how to use it
Creation date: 8/9/17 4:11 AM
Last modified on: 8/9/17 4:11 AM


DMARC: Domain-based Message Authentication, Reporting & Conformance

The purpose of this page is to explain how to use DMARC in Xeams. Visit https://dmarc.org/ to learn more about DMARC.

DMARC builds on top of SPF and DKIM and takes these protocols to the next level. The following table summarizes what each protocol does:

SPF - Prevents email forgery by confirming that an incoming message came from an IP address designated by the sender. SPF checks the MAIL FROM value in the SMTP envelope conversation. It does not check the FROM header in the actual message.
DKIM - Confirms that the content of the message was not modified during transit and that the message originated from the sender's domain. This protocol emphasizes the email's domain name rather than the IP address the message came from.
DMARC - Unlike SPF, DMARC looks at the FROM header of an email. An incoming email is considered to be "DMARC Aligned" if the domain name in the FROM header matches the domain name of the MAIL FROM value in the envelope. Additionally, it also checks whether the domain specified in the FROM header matches the domain name specified in the DKIM signature.

Besides checking for message alignment, which prevents forgery, DMARC also provides a mechanism for email servers to report their findings to other servers on the Internet. For example, servers for gmail.com and yahoo.com will send reports once a day to your Xeams explaining how they treated messages that came from your domain.


Three Aspects

There are three aspects of DMARC in Xeams:
  1. Assigning a score to an incoming email from the Internet if DMARC alignment fails
  2. Processing incoming reports from other email servers
  3. Sending reports to other email servers

Assigning Scores

Xeams will check DMARC alignment for every incoming email if DMARC is enabled on your Xeams. This happens even if you do not use DMARC for your own domain. A score is assigned if this alignment fails.

Every domain that publishes a DMARC record in its DNS also specifies how a receiving server should handle messages if alignment fails. This allows a gradual roll-out of DMARC for a company. When you first decide to use DMARC for your domain, you will not be sure how other email servers will treat your emails if DMARC alignment fails. Therefore, you may want to tell them not to reject any messages from your domain that are not aligned and instead to send you a report explaining why DMARC failed, which helps you fine-tune your DMARC record in the DNS server. There are three levels of action when DMARC fails:
  • None - This tells the receiving server to simply ignore DMARC but generate a report letting the sender know about the results.
  • Quarantine - This tells the receiving server to do further filtering before considering the message junk.
  • Reject - The receiving server should consider the message junk
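
The alignment test and the three policy levels described above, as an added Python example (not Xeams code): it parses a record in the form recommended later on this page and decides what a receiver would do with a message. It assumes the SPF and DKIM results are already known, compares domains exactly (DMARC's relaxed mode, which compares organizational domains, is not implemented), and follows RFC 7489 in treating a message as aligned when either the SPF or the DKIM identifier passes and matches the FROM header; all function names and the sample message are constructed.

```python
from email.utils import parseaddr

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc_record(txt):
    """Split a DMARC TXT value such as 'v=DMARC1; p=none; rua=...' into tags."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def domain_of(address):
    """Lower-cased domain of a header value or envelope address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def evaluate(header_from, mail_from, spf_result, dkim_domain, dkim_result, record):
    """Return (aligned, action); action is 'accept' or the published policy."""
    policy = parse_dmarc_record(record)["p"]
    from_domain = domain_of(header_from)
    # SPF authenticates the envelope MAIL FROM; it only counts for DMARC when
    # that domain is also the one shown in the FROM header.
    spf_aligned = spf_result == "pass" and domain_of(mail_from) == from_domain
    # DKIM counts when the signing domain (d=) is the FROM header domain.
    dkim_aligned = dkim_result == "pass" and dkim_domain.lower() == from_domain
    aligned = bool(from_domain) and (spf_aligned or dkim_aligned)
    return aligned, ("accept" if aligned else policy)

# Constructed sample: SPF passes for the envelope domain, but the FROM header
# shows a different domain and there is no DKIM signature.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc.rua@yourdomain.com"
ENFORCE = "v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@yourdomain.com"
if __name__ == "__main__":
    msg = ("Accounts <accounts@yourdomain.com>", "bounce@example.net", "pass", "", "none")
    print(evaluate(*msg, MONITOR))   # reported only
    print(evaluate(*msg, ENFORCE))   # handed to further filtering
```
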

Displaying incoming reports

Xeams will automatically handle incoming reports for DMARC and create a summarized view for the administrator. Note that DMARC reports will only be available if you publish a DMARC record for your domain. The report provides the following information:
  • Compliant Message Count - Number of emails that were compliant, meaning DMARC was fully aligned. Besides the count, you can also see the IP addresses the emails originated from.
  • Quarantined Message Count - Number of emails that were quarantined by the receiving servers. You will only see a number higher than 0 if your DMARC record policy is set to quarantine.
  • Rejected Message Count - Number of emails that were rejected by the receiving servers. You will only see a number higher than 0 if your DMARC record policy is set to reject.
  • SPF Passed - Contains the number of messages where SPF check passed
  • SPF Failed - Contains the number of messages where SPF check failed
  • DKIM Passed - Contains the number of messages where DKIM check passed
  • DKIM Failed - Contains the number of messages where DKIM check failed or a signature was missing
  • Total Reporters - Lists the domain names of servers on the Internet that sent a report
  • Total Reports - Holds a list of reports sent to your server in the last 15 days.
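
How counters like the ones listed above can be derived from one aggregate report, as an added Python example (not Xeams code, and not necessarily how Xeams counts). It assumes the report XML, in the RFC 7489 aggregate layout, has already been extracted from its mail attachment, and that a row is "compliant" when its evaluated SPF or DKIM result is pass; the sample report and the function name are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>yourdomain.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.25</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
</feedback>"""

DISPOSITION_KEYS = {"quarantine": "quarantined", "reject": "rejected"}

def summarize(report_xml):
    """Return per-report counters plus the source IPs that failed DMARC."""
    # Reports come from arbitrary servers: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not allowed in a report")
    root = ET.fromstring(report_xml)
    totals = Counter(compliant=0, quarantined=0, rejected=0)
    failing_ips = Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        disposition = row.findtext("policy_evaluated/disposition")
        totals["spf_passed" if spf == "pass" else "spf_failed"] += count
        totals["dkim_passed" if dkim == "pass" else "dkim_failed"] += count
        if spf == "pass" or dkim == "pass":  # assumption: either pass = compliant
            totals["compliant"] += count
        else:
            failing_ips[row.findtext("source_ip")] += count
        if disposition in DISPOSITION_KEYS:
            totals[DISPOSITION_KEYS[disposition]] += count
    return {"reporter": root.findtext("report_metadata/org_name"),
            "totals": dict(totals), "failing_ips": dict(failing_ips)}
```

The `failing_ips` map is the part to compare against your own sending addresses before tightening the policy.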

Sending out-bound reports

In order for Xeams to send out-bound reports, you must check the Reporting Enabled checkbox in DMARC configuration. This option will generate an aggregate report for DMARC that will be sent to other servers on the Internet letting them know how their messages were treated by Xeams.

Using DMARC for your domain

In order to enable DMARC for your domain, you must create a TXT record in your DNS server. Many tools are available on the Internet that can help you generate a DMARC record, but to get you going without getting into too many details, we recommend the following value for your DMARC record.

When creating a DNS entry, use _dmarc.yourdomain.com as the host name.

Use the following value for the first 90 days:
"v=DMARC1; p=none; rua=mailto:dmarc.rua@yourdomain.com"
Replace yourdomain.com with your own domain name. This value tells other servers on the Internet to simply monitor DMARC alignment and report the results to your Xeams, allowing you to fix problems with your SPF and/or DKIM signatures. Frequently check the report generated by Xeams for your domain to confirm SPF and DKIM are not failing for IP addresses belonging to you.

Other servers on the Internet will send their reports to dmarc.rua@yourdomain.com, which will automatically be handled by Xeams.

Once you are confident SPF and DKIM are not failing for your IP addresses, change the policy to quarantine by modifying your DNS record to:
"v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@yourdomain.com"
