Manage DMARC records
This guide explains how to set up a DMARC policy for your email hosted by Infomaniak, which has become essential to prevent possible delivery problems.
Preamble
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an essential tool to enhance email security and protect your domain from fraud by verifying the authenticity of outgoing emails (through authentication mechanisms such as SPF and DKIM) and by enabling policies to be defined for the processing of unauthenticated e-mails.
- DMARC exists to tell other mail providers what they have to do with an e-mail that fails because its SPF or DKIM is incorrect or absent.
- For this, domain owners can define DMARC policies, such as "reject", "quarantine" or "none", to specify how these "suspect" emails should be processed. Example:
  - An e-mail is sent from anna@domain.xyz to victor@yahoogle.abc.
  - The Mail Service of domain.xyz has a DMARC configuration set to reject at 100%.
  - The Mail Service of yahoogle.abc is well secured and performs the SPF/DKIM/DMARC analysis of the incoming mail from domain.xyz.
  - If this analysis leads to a failure of the SPF or DKIM, then the Mail Service of yahoogle.abc will reject (so delete) the message.
  - It will send a report by e-mail if a report address is specified in the DMARC record of domain.xyz.
- The DMARC reports generated help you maintain and improve the security of your domain, allowing you to identify potential authentication errors and phishing attempts using your domain.
DMARC policy and acceptance percentage
Three policies (p = policy) define the instructions that can be given to recipient servers when a suspicious message is detected, and they can be refined with a percentage (pct):
none
With "p=none", no e-mail is rejected or quarantined according to the DMARC verification. However, the acceptance percentage can be used to collect data on unauthenticated e-mails, indicating how many of these e-mails must be submitted to the DMARC policy. E.g. "p=none; pct=10" means that 10% of unauthenticated e-mails will be subject to the DMARC policy, while the remaining 90% will be accepted.
quarantine
With "p=quarantine", unauthenticated e-mails may be quarantined, but the acceptance percentage determines the proportion actually subject to this policy. E.g. "p=quarantine; pct=50" means that 50% of unauthenticated e-mails will be quarantined, while the remaining 50% will be accepted.
reject
With "p=reject", unauthenticated e-mails are rejected. The acceptance percentage determines the proportion of unauthenticated e-mails that will actually be rejected. E.g. "p=reject; pct=20" means that 20% of unauthenticated e-mails will be rejected, while the remaining 80% will be accepted.
Create a DMARC record
There are two ways to manage DMARC.
If you have an e-mail service with Infomaniak, the easiest way is to use the e-mail tool Global security to manage your DMARC security policy and reports.
But since the DMARC record is a DNS record, usually of type TXT, you can also manage it from the DNS zone of the domain name:
- Click here to access the management of your product in the Infomaniak Manager.
- Click directly on the name assigned to the product concerned.
- Click on DNS zone in the left side menu.
- Click the button to add a record.
- Click on the radio button DMARC to add a record.
- Click on the Next button.
- Leave (or add if necessary) the value _dmarc in the Source field. The Target field must contain the parameters you wish to use, separated by ";":

  | Tag name | Purpose | Example |
  |---|---|---|
  | v | Protocol version | v=DMARC1 |
  | pct | Percentage of messages subject to filtering | pct=20 |
  | ruf | Reporting URI for forensic reports | ruf=mailto:authfail@domain.xyz |
  | rua | Reporting URI for aggregate reports | rua=mailto:aggrep@domain.xyz |
  | p | Policy for the organizational domain | p=quarantine |
  | sp | Policy for sub-domains of the organizational domain | sp=reject |
  | adkim | Alignment mode for DKIM | adkim=s |
  | aspf | Alignment mode for SPF | aspf=r |

  which can give, e.g.:

  v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com

- Leave the default value for the TTL.
- Click on the Save button.
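
One way to check a Target value before saving it, as an added Python example (not Infomaniak's code): it parses the tags from the table above, applies the RFC 7489 defaults and lists problems. The function name parse_dmarc and the second sample value are constructed for illustration.

```python
# Added example: validate the value of a _dmarc TXT record before saving it.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults
POLICIES = {"none", "quarantine", "reject"}
# Tags from the page's table plus fo, rf and ri, which RFC 7489 also defines.
KNOWN = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}

def parse_dmarc(txt):
    """Return (tags, issues) for a DMARC record value such as 'v=DMARC1;p=reject'."""
    tags, issues = {}, []
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            issues.append(f"malformed tag: {part!r}")
        elif name in tags:
            issues.append(f"duplicate tag: {name}")   # first occurrence is kept
        else:
            tags[name] = value
            if name not in KNOWN:
                issues.append(f"unknown tag: {name}")
    # v must come first and be exactly DMARC1, or receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        issues.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        issues.append("p is required: none, quarantine or reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        issues.append("sp must be none, quarantine or reject")
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags.get("p", ""))           # sub-domains inherit p
    if not (tags["pct"].isdecimal() and 0 <= int(tags["pct"]) <= 100):
        issues.append("pct must be an integer from 0 to 100")
    for mode in ("adkim", "aspf"):
        if tags[mode].lower() not in ("r", "s"):
            issues.append(f"{mode} must be r (relaxed) or s (strict)")
    for uri_tag in ("rua", "ruf"):
        for uri in tags.get(uri_tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                issues.append(f"{uri_tag} address should be a mailto: URI")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports will not be sent")
    return tags, issues

if __name__ == "__main__":
    # The page's example value, then a constructed faulty one.
    for value in ("v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com",
                  "p=quarantine; pct=150; aspf=x"):
        print(value, "->", parse_dmarc(value))
```

An empty issues list means the value is well-formed; it does not confirm that SPF and DKIM are correctly configured for the domain.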