What is DMARC?
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Who Can Use DMARC?
DMARC policies are published in the public Domain Name System (DNS), and available to everyone. Because the specification is available with no licensing or similar restriction, any interested party is free to implement it.
To add a DMARC record, go to your domain’s DNS Management, and add the following TXT record:
_dmarc TXT "v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]"
Be sure to include the whole thing in “quotes”.
The E-Mail Address [email protected] will sometimes be sent reported spam messages by larger providers. Not all services will email this address, but it’s handy: if a client at a large email provider clicks “this is spam” for a given message, you’ll be sent that message, so you can determine whether someone on your domain is spamming or spoofing, or whether the client clicked it incorrectly (at which point, you’d probably want to remove that client from your mail-out, as they likely don’t want it).
The rua=mailto:email portion is not mandatory if you don’t want to get these emails.
You can change the values as desired, as per the DMARC specifications:
Google’s DMARC guide:
I wish to automate new DMARC records for all new domains
If you like the above setup, and you want to automate its addition to all new DNS zones, you can run the following:
cd /usr/local/directadmin/data/templates/custom
cp ../dns_txt.conf .
and then add the record you want to the bottom of the custom/dns_txt.conf by running this command:
echo '_dmarc="v=DMARC1; p=reject; sp=none; rua=mailto:[email protected]|DOMAIN|"' >> dns_txt.conf
keeping in mind that this assumes you’ve got a spam-reports account created already.
Spam report example:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4018479800536896246</report_id>
    <date_range>
      <begin>1529020800</begin>
      <end>1529107199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2a02:7b40:5928:f97::1</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>kvm1.example.com</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>
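The following added example, which is not part of the original page, parses an aggregate report like the one above and totals the messages per source IP that failed DMARC. The function names and the embedded sample are constructed for illustration; the DTD check is an assumed conservative precaution for XML received from outside reporters.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the report above (contact, id and date fields omitted).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <report_metadata><org_name>google.com</org_name></report_metadata>
 <policy_published><domain>example.com</domain><p>reject</p><sp>none</sp></policy_published>
 <record>
  <row><source_ip>2a02:7b40:5928:f97::1</source_ip><count>1</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>kvm1.example.com</domain><result>none</result></spf></auth_results>
 </record>
</feedback>"""

def parse_report(xml_text):
    """Return (metadata dict, list of per-source row dicts)."""
    # Reports come from outside parties: refuse DTD/entity declarations up front.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text.encode("utf-8"))
    meta = {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "subdomain_policy": root.findtext("policy_published/sp")}
    rows = []
    pe = "row/policy_evaluated/"
    for rec in root.iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext(pe + "disposition"),
            # DMARC passes when either aligned check (DKIM or SPF) passes.
            "dmarc_pass": "pass" in (rec.findtext(pe + "dkim"), rec.findtext(pe + "spf")),
            "header_from": rec.findtext("identifiers/header_from"),
            # auth_results may lack a dkim or spf element, as in the sample.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    return meta, rows

def failing_sources(rows):
    """Total message count per source IP that failed DMARC."""
    totals = Counter()
    for r in (r for r in rows if not r["dmarc_pass"]):
        totals[r["source_ip"]] += r["count"]
    return dict(totals)
```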