DMARC Tutorial

How to set up DNS DMARC record | Protect Your Domain

Author: Emad Zaamout

Sunday, October 17, 2021

Table of Contents

  1. Introduction
  2. What is DMARC?
  3. DMARC - Aggregate Report (RUA)
  4. DMARC - Forensic Report (RUF)
  5. How to create a DMARC Record?
  6. DMARC Tags Table
  7. What is an SPF Record?
  8. SPF Record – Qualifiers
  9. SPF Record – Mechanism

Introduction

Welcome back

In this tutorial, we're going to cover SPF, DKIM and DMARC records.

If you own a domain, it's very important that you have those records set up to prevent email spoofing and fraud, and to prevent your emails from being marked as spam.

Finally, I will show you how you can obtain both your free Aggregate and Forensic Reports so you could monitor emails sent from your domain.

This is a DNS course, so you should be comfortable adding DNS records, such as a TXT record, to your domain.

Before we get started, don’t forget to subscribe to our channel to stay up to date with our latest training videos.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

DMARC was first published in 2012. It is a protocol built by Google, Microsoft, Yahoo and PayPal to prevent email abuse, and it is supported by most (if not all) major mail service providers.

DMARC is used to determine the authenticity of an email message. It lets you control who can send emails using your domain and allows you to set various instructions for the receiving email server.

To get started with DMARC, you must have both your SPF and DKIM records set.

A DMARC record is a TXT record added to your domain's DNS. It contains instructions for the receiving email server on what to do with mail sent on your domain's behalf that does not align with your policy.

We can also specify an email address inside our DMARC TXT record so that we receive 2 very important reports:

  1. DMARC - Aggregate Report (RUA).

  2. DMARC - Forensic Report (RUF).

What is a DMARC Aggregate Report (RUA)?

A DMARC aggregate report contains information about the authentication status of messages sent on your domain's behalf. Aggregate reports are free reports that are sent to you and contain information such as:

  • Source that sent the message

  • Domain that was used to send the message.

  • Sending IP address.

  • Number of messages sent on a specific date.

  • DKIM/SPF sending domain.

  • DKIM/SPF authentication result.

  • DMARC results.
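The bullet list above is what an aggregate report carries; in practice it arrives as an XML file attached to an email from each receiving provider. The following is an added example, not code from the tutorial, that parses a constructed aggregate report laid out the way RFC 7489 (Appendix C) describes and rolls it up per sending IP. The report contents, the org name, the IP addresses and the `ahtcloud.com` policy values in it are all made up for this example; the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (RUA) report in the RFC 7489 Appendix C XML
# layout. Every value below is invented; the IPs are documentation addresses.
SAMPLE_RUA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1634428800</begin><end>1634515200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>ahtcloud.com</domain>
    <adkim>s</adkim><aspf>s</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ahtcloud.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>ahtcloud.com</domain><result>pass</result></dkim>
      <spf><domain>ahtcloud.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ahtcloud.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>other.example</domain><result>fail</result></dkim>
      <spf><domain>other.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Return (report metadata, list of per-source records) from an aggregate report."""
    root = ET.fromstring(xml_text)
    meta = {
        "org_name": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # aligned DKIM/SPF verdicts as evaluated by the receiver's DMARC check
            "dkim": evaluated.findtext("dkim", "fail"),
            "spf": evaluated.findtext("spf", "fail"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return meta, records


def summarize(records):
    """Total passing and failing message counts per sending IP.
    A message passes DMARC when at least one aligned identifier (DKIM or SPF) passed."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for r in records:
        verdict = "pass" if "pass" in (r["dkim"], r["spf"]) else "fail"
        totals[r["source_ip"]][verdict] += r["count"]
    return dict(totals)


def failing_sources(records):
    """IPs that sent mail claiming your domain but failed DMARC: these are the
    spoofing attempts (or misconfigured legitimate senders) to investigate first."""
    return sorted(ip for ip, t in summarize(records).items() if t["fail"] > 0)


if __name__ == "__main__":
    meta, recs = parse_rua(SAMPLE_RUA_XML)
    print(meta["org_name"], "reported on", meta["domain"], "policy", meta["policy"])
    for ip, t in summarize(recs).items():
        print(ip, t)
    print("investigate:", failing_sources(recs))
```

Real reports arrive zipped or gzipped; feed the decompressed XML to parse_rua and the per-IP summary tells you which sources are legitimate senders (they should be in your SPF record and signing with your DKIM key) and which are impersonating your domain.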

What is a DMARC Forensic Report (RUF)?

A DMARC forensic report is generated when SPF or DKIM do not align with your DMARC policy.

Forensic reports are free reports sent to you ONLY when an email sent by your domain fails DMARC authentication. They contain information such as:

  • The email “to” field.

  • The email “from” field. (From address, Mail from address, DKIM from address).

  • IP address of the sender.

  • The email “Subject” field.

  • Authentication Result (SPF, DKIM, DMARC).

  • Message ID.

  • URLs.

  • Delivery Result.

  • ISP Information.

How to create a DMARC Record?

You create a DMARC record by creating a TXT record for your domain named “_dmarc”. For example, if your domain name is ahtcloud.com, then your DMARC TXT record name is: _dmarc.ahtcloud.com

For example, this is a DMARC record: "v=DMARC1;p=reject;pct=100;rua=mailto:support@ahtcloud.com;ruf=mailto:support@ahtcloud.com; fo=1; adkim=s; aspf=s;"

The syntax of a DMARC record is basically a combination of tags separated by semicolons:

“tag=value;tag=value;”

At the bare minimum, your DMARC record will look like this: "v=DMARC1;p=reject;".

The "v" tag specifies the DMARC protocol version. There is only 1 DMARC version available, which is DMARC1. This is a required field, so you should always include it.

The "p" tag allows you to specify how you want mail service providers to handle emails that are sent using your domain identity but are not aligned with your policy.

You have 3 options: do nothing (p=none), quarantine the email (p=quarantine), or reject the email (p=reject). I highly recommend you set it to reject the email to prevent anyone from sending emails using your domain name.

Both the "v" and "p" tags are required. Now we will cover all the optional tags.

The "sp" tag is an optional tag. Like the "p" tag, it allows you to specify your policy, but for subdomains. If you don't include it, then the value specified in your "p" tag is used for subdomains as well.

The "pct" tag is an optional tag. It allows you to specify the percentage of email messages to which your stated DMARC policy applies. The value can be anywhere from 1 to 100. I always recommend you set it to 100%. With p=reject, this tells the email receiver to reject 100% of emails that fail DMARC authentication.

The "rua" tag is also an optional tag. It allows you to specify an email address or addresses to which DMARC aggregate feedback reports are sent. I cannot emphasize enough how important it is to have this field set up. Even if your domain does not send emails, you should always set this tag so you get insights into domain spoofing or phishing attacks that impersonate your domain. You can specify multiple emails by separating them with a comma.

I always recommend you have this tag set. The value of the "rua" tag is a mailto: URI containing any valid email address.

The "ruf" tag is also an optional tag. It's like the "rua" tag, but it allows you to specify an email address or addresses to which your DMARC forensic reports are sent. I always recommend you have this tag as well, even if your domain is not sending emails. Forensic reports are sent to you when someone attempts to send an email impersonating your domain and it fails your DMARC and DKIM authentication: the tag instructs email service providers to send you a copy of that email.

The "fo" tag is an optional tag. It allows you to tell email service providers that you want email samples when emails fail authentication. You have 4 options:

  1. The 0 value generates a report only if all authentication mechanisms fail. This means both your SPF and DKIM checks fail.

  2. The 1 value generates a report if any of your authentication mechanisms fails: SPF OR DKIM.

  3. The d value generates a report only if your DKIM check fails.

  4. The s value generates a report for any SPF failure.

You can specify multiple values by separating them with a colon.

I personally recommend you set the "fo" tag to 1 so you receive a copy of any email sent on your behalf that fails either SPF or DKIM authentication.

The "aspf" tag is an optional tag. You can use this tag to specify whether you want your SPF alignment policy to be strict or relaxed. By default, if you don't include this option, it's set to strict, which is the best option. Remember, your SPF policy basically makes sure all emails sent using your domain come from senders authorized to send.

The "adkim" tag is identical to the "aspf" tag, but it's for your DKIM alignment policy.

The "rf" tag is an optional tag. Honestly, at this point, it's useless to include. This tag allows you to specify the DMARC forensic report format. There's only 1 value, which is afrf, and it is used by default, so you shouldn't need to include this. This could change in the future if more report formats are added.

The last available tag you can use is the "ri" tag. This is also an optional tag. The "ri" tag allows you to specify the aggregate report interval in seconds. The minimum and default value is 86400 seconds, which equates to 24 hours. This means that every 24 hours you will receive a DMARC aggregate report. I recommend you keep it at the minimum.
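Having walked through every tag, it is worth checking a record the same way a receiver parses it before publishing it. The following is an added example, not the tutorial's own code: it splits a DMARC TXT value into tags, fills in the defaults from RFC 7489 for anything left out, reports syntax errors, and flags settings that are valid but give little protection (p=none, pct below 100, no rua). The tag names, allowed values and defaults come from RFC 7489; the function names, the ERROR/WARN wording and the weak sample record are this example's own. One caveat the code carries: per RFC 7489 the default for adkim and aspf when the tag is absent is relaxed ("r"), so set "s" explicitly if you want strict alignment.

```python
# Added example: parse and sanity-check a DMARC TXT record.
# Tag names, allowed values and defaults follow RFC 7489; the warning texts
# and the sample records are constructed for this example.

REQUIRED_TAGS = ("v", "p")
POLICIES = {"none", "quarantine", "reject"}
# RFC 7489 defaults applied when a tag is absent. The RFC default alignment
# mode for adkim/aspf is relaxed ("r"); write adkim=s / aspf=s to get strict.
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0",
            "rf": "afrf", "ri": "86400"}
FO_VALUES = {"0", "1", "d", "s"}


def dmarc_record_name(domain):
    """DNS owner name of the DMARC TXT record: _dmarc.<domain>."""
    return "_dmarc." + domain.strip().rstrip(".")


def parse_dmarc(txt):
    """Split 'tag=value;tag=value;' into a dict (first occurrence of a tag wins)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def validate_dmarc(txt):
    """Return (effective tags with defaults filled in, list of ERROR/WARN messages)."""
    tags = parse_dmarc(txt)
    msgs = []
    for t in REQUIRED_TAGS:
        if t not in tags:
            msgs.append("ERROR missing required tag %r" % t)
    if tags.get("v", "").upper() != "DMARC1":
        msgs.append("ERROR v must be DMARC1, got %r" % tags.get("v"))
    p = tags.get("p")
    for t in ("p", "sp"):
        if t in tags and tags[t] not in POLICIES:
            msgs.append("ERROR %s must be none, quarantine or reject, got %r" % (t, tags[t]))

    effective = dict(DEFAULTS)
    effective.update(tags)
    effective.setdefault("sp", p)  # subdomains inherit p when sp is absent

    pct = effective["pct"]
    if not (pct.isdigit() and 0 <= int(pct) <= 100):  # RFC allows 0..100
        msgs.append("ERROR pct must be an integer from 0 to 100, got %r" % pct)
    for t in ("adkim", "aspf"):
        if effective[t] not in ("r", "s"):
            msgs.append("ERROR %s must be r or s, got %r" % (t, effective[t]))
    bad_fo = set(effective["fo"].split(":")) - FO_VALUES
    if bad_fo:
        msgs.append("ERROR fo has unknown value(s) %s" % sorted(bad_fo))
    if not effective["ri"].isdigit():
        msgs.append("ERROR ri must be an integer number of seconds, got %r" % effective["ri"])
    for t in ("rua", "ruf"):
        if t in tags:
            uris = [u.strip() for u in tags[t].split(",")]
            if not all(u.startswith("mailto:") and "@" in u for u in uris):
                msgs.append("ERROR %s must be comma-separated mailto: URIs, got %r" % (t, tags[t]))

    # Defender-facing warnings: a syntactically valid record can still give no protection.
    if p == "none":
        msgs.append("WARN p=none: receivers only report, they do not quarantine or reject")
    elif pct.isdigit() and int(pct) < 100:
        msgs.append("WARN pct=%s: policy applies only to a sample of failing mail" % pct)
    if "rua" not in tags:
        msgs.append("WARN no rua: you will receive no aggregate reports and have no visibility")
    return effective, msgs


def errors(msgs):
    """Just the hard errors, so callers can refuse to publish on any of them."""
    return [m for m in msgs if m.startswith("ERROR")]


if __name__ == "__main__":
    # The record from the tutorial's example, followed by a constructed weak one.
    for rec in ('"v=DMARC1;p=reject;pct=100;rua=mailto:support@ahtcloud.com;'
                'ruf=mailto:support@ahtcloud.com; fo=1; adkim=s; aspf=s;"',
                "v=DMARC1;p=none"):
        eff, m = validate_dmarc(rec)
        print(dmarc_record_name("ahtcloud.com"), "p=%s" % eff["p"], m or "OK")
```

Run it against the record you intend to publish; the effective dict shows what receivers will actually apply once defaults are filled in, which is where surprises such as relaxed alignment or inherited subdomain policy show up.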

DMARC Tags Table

Tag   | Required | Description                                                                  | Example
v     | Required | DMARC protocol version.                                                      | v=DMARC1
p     | Required | Policy telling the email receiver how to handle messages that fail DMARC.    | p=none, p=quarantine, p=reject
sp    | Optional | Like "p" (above) but for subdomains.                                         | sp=none, sp=quarantine, sp=reject
pct   | Optional | Percentage of messages to which the DMARC policy is applied.                 | pct=100
rua   | Optional | Where aggregate DMARC reports should be sent.                                | rua=mailto:emailaddress
ruf   | Optional | Where forensic DMARC reports should be sent.                                 | ruf=mailto:emailaddress
fo    | Optional | Lets email providers know you want message samples of emails that fail SPF  | fo=0, fo=1, fo=d, fo=s
      |          | and/or DKIM. 4 values:                                                       | (or multiple) fo=0:1:d:s
      |          | 0: generate a DMARC failure report only if all authentication mechanisms     |
      |          |    fail (SPF and DKIM). (Default)                                            |
      |          | 1: generate a DMARC failure report if any authentication mechanism fails     |
      |          |    (SPF or DKIM).                                                            |
      |          | d: generate a DKIM failure report for DKIM failures.                         |
      |          | s: generate an SPF failure report for SPF failures.                          |
aspf  | Optional | Strict or relaxed SPF alignment policy.                                      | aspf=r, aspf=s
adkim | Optional | Strict or relaxed DKIM alignment policy.                                     | adkim=r, adkim=s
rf    | Optional | Forensic report format. Set by default; only 1 option available.             | rf=afrf
ri    | Optional | Aggregate report interval in seconds. Default is 86,400 seconds (24 hours,   | ri=86400
      |          | the minimum value).                                                          |
