Benefits of DMARC

DMARC is an effective tool in fighting spam, the reason it’s effectiveness is  superior then   other forms, like  spam-assassin.

First to understand DMARC is dependent upon  SPF, and DKIM DNS records.  Please see screenshot

Yahoo SPF Pass Check

 

As the screenshots shows,  Yahoo sees  CainTech Services  Mail Server  record and originating point as a permitted legitimate sender, so Yahoo gives the email a pass. Which the  sending email  goes into the receivers inbox.

The other is DKIM Authentication which acts as  a personalized validation  of who the sender of the email is  see screenshot.

DKIM Authentication

 

After  these two  are in place within your DNS Records for  any specific domain the last  thing to put in pace is DMARC. (Domain-based Message Authentication, Reporting & Conformance)

 

DMARC acts as a notifier policy to other email providers  on how to deal with  legitimate and illegitimate  emails. For legitimate  emails  the sender and receiver see no difference, besides the fact there  may as a result be a reduction in email spam. The cause for this, is the fact  spam is never legitimized. (Dropped or bounced back to the spammer.)

 

If in exchange  an email is not validated  by both SPF and DKIM. DMARC records  have a specific action like  such below.

v=DMARC1; p=none; rua=mailto:*protected email*; ruf=mailto:*protected email*; fo=0; adkim=s; aspf=s; pct=100; rf=afrf:iodef; ri=86400; sp=none

The default policies are  none, quarantine, and reject.  The policy of none means  nothing will happen although  email reports will be sent  if  users mark  emails originating from  your email  server as spam, or if an email  is received from  a destination  other then one that you specified. This is evidenced by  the next screenshot.

DMARC XML Record

 

With DMARC records in place,  The best policy to start with is none, so you can actively watch  if there are spammers hijacking your email and domain address. Along with  people marking your email(s) as junk.  Quarantine will mark illegitimate  email by directly placing it into the Junk Mail/Spam Folder. While a Reject policy will  bounce the email back to the spammer or alternatively force any  illegitimate email to be frozen or  unsent.

If you want to cut down on spam, you should mark the policy   as reject. This will also protect  the  email users(s) authenticity since nothing but the  source is trusted  as well noted in a DNS record.  You can see the effect of this in the last screenshot.

Email Header

Logs will appear within your email address like this.

Dmarc Email Reports PM

Lastly, to  finally explain,  how you  get email reports.

rua=mailto:*protected email*; ruf=mailto:*protected email*; fo=0; adkim=s; aspf=s; pct=100; rf=afrf:iodef; ri=86400; sp=none

Both RUA and RUF (F for forensic reports) determine  what type of email reports you receive and it’s contents.

The best website to create DMARC Records is

www.kitterman.com/dmarc/assistant.html

www.kitterman.com/dmarc/assistant.html

www.kitterman.com/spf/validate.html

Then verify the records

DMARC

mxtoolbox.com/dmarc.aspx

DKIM

mxtoolbox.com/dkim.aspx

SPF

mxtoolbox.com/spf.aspx

You can use  my domain(s) as way to verify if they work or  how things operate.

Leave a Reply

Your email address will not be published.