There is a DNS entry called “DMARC” which stands for Domain-based Message Authentication Reporting and Conformance. DMARC is an email validation system designed to protect your email domain from being used for email spoofing. By configuring DMARC, you reduce the risk of malicious actors trying to send an email that “looks” like it is from your domain, but isn’t actually coming from your domain.
DMARC adds a reporting feature to email sending: you specify an email address to which receiving email providers send back reports. These reports help to diagnose issues by showing what the receiving provider is seeing.
DMARC is not a quick fix for your email not being delivered to desired recipients. Additionally, DMARC policy does nothing for incoming mail to your server.
Each web hosting provider is going to have a different process for generating a DMARC TXT record, but we’ll give our process here.
How do I set up a DMARC TXT Record?
- Sign into the DirectAdmin control panel (details were sent in your service purchase email)
- Click on Account Manager
- If you have a Reseller Hosting service with us, you’ll need to switch your view to User instead of Reseller.
- Click DNS Management
- Check if you already have a TXT record starting with “v=spf1”. If so, reconfigure that using the pencil icon on the right.
- If not, then click the Add Record button at the top-left of the DNS entries.
- Choose record type: TXT
- Leave the name field set to your primary domain
- Leave the TTL (Time To Live) as the default 3600, unless you have received specific directions to change it.
- Change TXT Record Type to DMARC.
- Domain Policy Type: Select None, Reject, or Quarantine
- None: This is referred to as a monitoring policy, enabling you to inspect and analyze your email channels as they develop. It is recommended to start with None initially.
- Reject: If the email fails to pass the authentication, then the email will be stopped, not delivered to the intended recipient, and an email will be sent back to the sender notifying them of a failed delivery.
- Quarantine: If the email fails to pass authentication, the email will either be held for release (if an email filter is set up) or will be sent to the spam/junk folder.
- Subdomain Policy Type: exactly the same as step 9, but specific to any of your subdomains.
- Recommendation: Set this to “Same as domain” so that you’re only configuring one policy, not multiple.
- Aggregate Email (RUA): Specify an email address you would like the DMARC reports sent to. This provides an overview of email traffic and includes all IP addresses that have attempted to transmit email to a receiver using your domain name.
- More information on aggregate DMARC reports can be found here: https://www.dmarcanalyzer.com/dmarc-aggregate-reports/
- Forensic Email (RUF): You will receive these emails in near real-time. They are only sent in case of failures, include the original message headers, and may include the original message for context.
- You can find more information on forensic DMARC reports here: https://www.dmarcanalyzer.com/forensic-dmarc-reports-explained/
- Report Format: Select either Authentication Failure Reporting Format (AFRF) or Incident Object Description Exchange Format (IODEF).
- NOTE: Currently, only AFRF report formats are accepted; records that indicate anything else may be ignored entirely.
- Reporting Interval: 86400 (it’s the default). Leave this alone unless you want to specify a longer time-frame for delivering the aggregate emails. Shortening this window is not great and may cause issues with other email providers.
- Percentage: This is the percentage of email that should be inspected by the receiving email provider.
- Alignment mode for DKIM: Relaxed or Strict & Alignment mode for SPF: Relaxed or Strict
- Alignment mode (referred to as “aspf” and “adkim”) refers to the precision with which sender records are compared to the SPF and DKIM records that are already in place. Relaxed alignment allows for partial matches of the domain, such as subdomains. Strict alignment requires an exact match; anything else will be rejected, causing the email to not be delivered properly. This applies to both alignment for SPF and DKIM.
- Value: this is where the final composed version of the DMARC TXT record is generated.
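The composed Value can be checked before it is published. The following is an added example, not part of the original article or of DirectAdmin: a small linter for the tags described in the steps above (tag names and defaults follow RFC 7489). The sample records and the example.com address are constructed placeholders.

```python
# Added example: parse and lint a composed DMARC TXT value (tags per RFC 7489).
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "rf": "afrf", "ri": "86400"}

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; ...' into a tag dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return {**DEFAULTS, **tags}

def lint_dmarc(txt):
    """Return a list of findings for one record; an empty list means clean."""
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1":
        return ["not a DMARC record: value must begin with v=DMARC1"]
    t, findings = parse_dmarc(txt), []
    if t.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    if t.get("sp", t.get("p")) != t.get("p"):
        findings.append("sp differs from p: subdomains get a separate policy")
    if "rua" not in t:
        findings.append("no rua: aggregate reports will not be sent")
    if t["rf"].lower() != "afrf":
        findings.append("rf is not afrf: receivers may ignore it")
    if not t["pct"].isdigit() or not 0 <= int(t["pct"]) <= 100:
        findings.append("pct must be an integer from 0 to 100")
    if not t["ri"].isdigit() or int(t["ri"]) < 86400:
        findings.append("ri below 86400: shortened reporting interval")
    for tag in ("adkim", "aspf"):
        if t[tag] not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    return findings

# Constructed sample values; example.com is a placeholder domain.
GOOD = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; rf=afrf; ri=86400; pct=100; adkim=r; aspf=r"
BAD = "v=DMARC1; p=reject; sp=none; rf=iodef; ri=3600; pct=150; aspf=x"

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(record, lint_dmarc(record) or "OK", sep="\n  ")
```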
How should I deploy the DMARC policy?
This is a question that some may be concerned with, and you should be too. You want to ensure that you are setting yourself, your domain, and your business reputation up for success. Failing to apply the DMARC policy in a conservative manner, gradually increasing the strictness, may cause your emails to immediately be sent to spam/junk folders, hindering your email deliverability.
An example of a conservative DMARC deployment cycle might resemble the following:
- Monitor all. (domain policy = none, percentage = [blank])
- Quarantine 1%. (domain policy = quarantine, percentage = 1)
- Quarantine 5%. (domain policy = quarantine, percentage = 5)
- Quarantine 10%. (domain policy = quarantine, percentage = 10)
- Quarantine 25%. (domain policy = quarantine, percentage = 25)
- Quarantine 50%. (domain policy = quarantine, percentage = 50)
- Quarantine all. (domain policy = quarantine, percentage = 100)
- Reject 1%. (domain policy = reject, percentage = 1)
- Reject 5%. (domain policy = reject, percentage = 5)
- Reject 10%. (domain policy = reject, percentage = 10)
- Reject 25%. (domain policy = reject, percentage = 25)
- Reject 50%. (domain policy = reject, percentage = 50)
- Reject all. (domain policy = reject, percentage = 100)
This has been the third of a four-part series on improving your email deliverability. The first three parts of this series focus on what are mostly “quick wins”, dealing with configurations and getting things set up. In part 4, I discuss IP reputation and the issues that come with it. If you are stuck, please feel free to reach out to us either through a support ticket or by email ([email protected]).
By Jack Burns
on 7 Oct 2021