
Document information

Document ID: 5143
Subject: DMARC - What is it and how to use it
Creation date: 8/9/17 4:11 AM
Last modified on: 4/12/22 11:42 AM


DMARC: Domain-based Message Authentication, Reporting & Conformance

The purpose of this page is to explain how to use DMARC in Xeams. Visit https://dmarc.org/ to learn more about DMARC.

DMARC builds on top of SPF and DKIM and takes these protocols to the next level. The following table summarizes what each protocol does:

SPF: Prevents email forgery by confirming an incoming message came from an IP address designated by the sender. SPF checks the MAIL FROM value in the SMTP envelope conversation. It does not check the FROM header in the actual message.

DKIM: Confirms the content of the message was not modified in transit and that the message originated from the sender's domain. This protocol emphasizes the email's domain name rather than the IP address the message came from.

DMARC: Unlike SPF, DMARC looks at the FROM header of an email. An incoming email is considered "DMARC aligned" if the domain name in the FROM header matches the domain name of the MAIL FROM value in the envelope. Additionally, it checks whether the domain in the FROM header matches the domain specified in the DKIM signature.

Aside from checking message alignment, which prevents forgery, DMARC also provides a mechanism for email servers to report their findings to other servers on the Internet. For example, servers for gmail.com and yahoo.com will send reports once a day to your Xeams explaining how they treated messages that came from your domain.


Three Aspects

There are three aspects of DMARC in Xeams:
  1. Assigning a score to an incoming email from the Internet if DMARC alignment fails.
  2. Processing incoming reports from other email servers.
  3. Sending reports to other email servers.

Assigning Scores

Xeams will check DMARC alignment for every incoming email if DMARC is enabled on your Xeams. This happens even if you do not use DMARC for your own domain. A score is assigned if this alignment fails.

Every domain that publishes a DMARC record in its DNS also specifies how a receiving server should handle messages if alignment fails. This allows a gradual roll-out of DMARC for a company. When you first decide to use DMARC for your domain, you will not be sure how other email servers will treat your emails if DMARC alignment fails. Therefore, you may want to tell them not to reject any messages from your domain that are not aligned and instead send you a report explaining why DMARC failed, which helps you fine-tune your DMARC record in the DNS server. There are three levels of action when DMARC fails:
  • None - This tells the receiving server to simply ignore DMARC but generate a report letting the sender know about the results.
  • Quarantine - This tells the receiving server to do further filtering before considering the message junk.
  • Reject - The receiving server should consider the message junk.

Displaying incoming reports

Xeams automatically handles incoming DMARC reports and creates a summarized view for the administrator. Note that DMARC reports will only be available if you publish a DMARC record for your domain. The report provides the following information:
  • Compliant Message Count - Number of emails that were compliant, meaning DMARC was fully aligned. Besides the count, you can also see the IP addresses the emails originated from.
  • Quarantined Message Count - Number of emails that were quarantined by the receiving servers. You will only see a number higher than 0 if your DMARC record policy is set to quarantine.
  • Rejected Message Count - Number of emails that were rejected by the receiving servers. You will only see a number higher than 0 if your DMARC record policy is set to reject.
  • SPF Passed - Number of messages where the SPF check passed.
  • SPF Failed - Number of messages where the SPF check failed.
  • DKIM Passed - Number of messages where the DKIM check passed.
  • DKIM Failed - Number of messages where the DKIM check failed or a signature was missing.
  • Total Reporters - Lists the domain names of servers on the Internet that sent a report.
  • Total Reports - Holds a list of reports sent to your server in the last 15 days.

Inbound reports are automatically processed and displayed when you click DMARC under Filter Management. Most servers send their reports once a day. Therefore, it could take up to 24 hours to see reports after you create a DNS entry for DMARC.

Xeams will display reports for multiple domains if your server handles more than one domain.
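The counters listed above are derived from the XML aggregate reports other servers mail to your rua address. The following is an added example, not Xeams code, that reduces one such report to those counters; the report itself is constructed in the RFC 7489 Appendix C layout with made-up reporter name, IP addresses and counts.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the RFC 7489 Appendix C aggregate-report layout; the
# reporter name, IP addresses and counts are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Reduce one aggregate report to the counters listed above."""
    root = ET.fromstring(report_xml)
    s = {"compliant": 0, "quarantined": 0, "rejected": 0,
         "spf_pass": 0, "spf_fail": 0, "dkim_pass": 0, "dkim_fail": 0,
         "reporters": {root.findtext("report_metadata/org_name")},
         "compliant_sources": set(), "unaligned_sources": set()}
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count"))
        ip = rec.findtext("row/source_ip")
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results: record 2's SPF pass for other.example is a fail here.
        spf_ok = ev.findtext("spf") == "pass"
        dkim_ok = ev.findtext("dkim") == "pass"   # unsigned mail is reported as fail
        s["spf_pass" if spf_ok else "spf_fail"] += count
        s["dkim_pass" if dkim_ok else "dkim_fail"] += count
        if spf_ok or dkim_ok:                      # DMARC passes if either aligned check passes
            s["compliant"] += count
            s["compliant_sources"].add(ip)
        else:
            s["unaligned_sources"].add(ip)
        disposition = ev.findtext("disposition")
        if disposition == "quarantine":
            s["quarantined"] += count
        elif disposition == "reject":
            s["rejected"] += count
    return s
```

The unaligned_sources set is the part worth watching during roll-out: a legitimate sender of yours showing up there means its SPF or DKIM is not aligned and should be fixed before moving from p=none to p=quarantine.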

Sending outbound reports

In order for Xeams to send outbound reports, you must check the Reporting Enabled checkbox in DMARC configuration. This option generates an aggregate DMARC report that is sent to other servers on the Internet, letting them know how their messages were treated by Xeams.

Using DMARC for your domain

In order to enable DMARC for your domain, you must create a TXT record in your DNS server. Although many tools are available on the Internet to help you generate a DMARC record, we recommend the following value to get you going without getting into too many details.

When creating a DNS entry, use _dmarc.yourdomain.com for host name.

Use the following value for the first 90 days:
"v=DMARC1; p=none; rua=mailto:dmarc.rua@yourdomain.com"
Replace yourdomain.com with your actual domain name. This value tells other servers on the Internet to simply monitor DMARC alignment and report the results to your Xeams, allowing you to fix problems with your SPF and/or DKIM signatures. Frequently check the report generated by Xeams for your domain to confirm SPF and DKIM are not failing for IP addresses belonging to you.

Other servers on the Internet will send their reports to dmarc.rua@yourdomain.com, which will automatically be handled by Xeams.

Once you are confident SPF and DKIM are not failing for your IP addresses, change the policy to quarantine by modifying your DNS record to:
"v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@yourdomain.com"
Notice the username part (value before the '@' sign) in the email address, which is set to dmarc.rua. This is the default username for emails in Xeams. If you decide to use a different value, ensure you specify that for the User for Aggregate Feedback field in DMARC configuration.

Every domain handled by your Xeams must have an identical value for the User for Aggregate Feedback field.
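To tie the record values above to the alignment rules in the protocol table and the three policy levels, here is an added example (not Xeams code) that parses a DMARC TXT record and evaluates a message's identifiers against it. The aspf/adkim tags and the relaxed-alignment default come from RFC 7489; the subdomain test used for relaxed mode is a simplification of the RFC's organizational-domain comparison, and the Message fields are assumed names for the identifiers the receiving server has already extracted.

```python
from dataclasses import dataclass
from typing import Optional

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict; v and p are mandatory."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def domain_of(addr):
    """Domain part of an address such as 'user@yourdomain.com'."""
    return addr.rsplit("@", 1)[-1].lower()

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match, as the protocol table describes.
    Relaxed mode ('r', the RFC 7489 default) also accepts a subdomain relationship;
    this is a simplification of the RFC's organizational-domain comparison."""
    if from_domain == auth_domain:
        return True
    return mode == "r" and (from_domain.endswith("." + auth_domain)
                            or auth_domain.endswith("." + from_domain))

@dataclass
class Message:
    header_from: str            # From: header address
    mail_from: str              # MAIL FROM in the SMTP envelope (what SPF checked)
    spf_result: str             # 'pass' or 'fail' for mail_from's domain
    dkim_domain: Optional[str]  # d= of a verified signature, None if unsigned
    dkim_result: str            # 'pass' or 'fail' for that signature

def evaluate(record_txt, msg):
    """Return the action the published policy asks for: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record_txt)
    from_domain = domain_of(msg.header_from)
    spf_aligned = (msg.spf_result == "pass"
                   and aligned(from_domain, domain_of(msg.mail_from), tags.get("aspf", "r")))
    dkim_aligned = (msg.dkim_domain is not None and msg.dkim_result == "pass"
                    and aligned(from_domain, msg.dkim_domain.lower(), tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "none"       # DMARC passes when either identifier aligns; reported as compliant
    return tags["p"]        # DMARC fails: p=none only reports, quarantine/reject act on it
```

Note that a message whose From header claims your domain while the envelope and signature belong to another domain fails alignment even though SPF and DKIM each "pass" on their own; that is exactly the forgery case the p=quarantine record above instructs receivers to act on.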

Using DMARC with SMTP Proxy

The acceptance and rejection of any incoming email is delegated to the downstream SMTP server when you use SMTP Proxy Server in Xeams. For example, if you're using MS Exchange as your primary server, it is Exchange that decides if an incoming email is accepted or rejected. Therefore, incoming emails for DMARC will not be accepted until you add a user in your Exchange Server.

You have one of two choices when using SMTP Proxy Server for inbound emails:

  1. Create an account in Exchange for dmarc.rua@yourdomain.com, OR
  2. Use the regular SMTP Server for inbound emails

Important

Do not create any special accounts in Xeams for DMARC. Xeams will automatically handle incoming emails for DMARC.

NOTE

Emails sent to dmarc.rua@yourdomain.com do not affect your license count.

User comments

Posted by Glen Ihrig on 9/23/21 10:34 PM

Something missing here is how to configure DNS records to permit "Verifying External Destinations". See: https://datatracker.ietf.org/doc/html/rfc7489#section-7.1

