This topic describes what Domain-based Message Authentication, Reporting, and Conformance (DMARC) is and how to set a DMARC record.
DMARC
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. By setting a DMARC record, you can prevent others from spoofing your domain name and receive reports about these spoofing attempts.
When a recipient receives an email from your domain name, the recipient's Mail Transfer Agent (MTA) performs a DMARC check if it supports the DMARC protocol. If the check fails, a report is sent to the mailbox specified in the DMARC record.
Parameters
TXT="v=DMARC1; p=quarantine; pct=0; ri=3600; rua=mailto:abc@example.net; ruf=mailto:abc@example.net"p: Specifies the action that the recipient should take when a spoofed email is detected. Valid values are none, quarantine, and reject.
p=none: Accepts all emails from your domain name, even if they fail DMARC authentication.
p=quarantine: Quarantines a portion of the emails, which are typically moved to the spam folder. You can use this with the pct parameter (the default is 100) to set the percentage of emails to be quarantined if they fail DMARC authentication.
p=reject: Enforces a strict policy. Rejects all emails that fail authentication.
rua: Specifies the mailbox to receive aggregate reports from recipient service providers.
ruf: Specifies the mailbox to receive detailed reports about rejected emails from recipient service providers.
sp: Specifies the policy for subdomains. This parameter is similar to the p parameter. If you configure a DMARC policy with the sp parameter for a primary domain name, the policy also applies to its subdomains.
ri: Specifies the requested interval in seconds between aggregate reports. This parameter is an optional 32-bit unsigned integer with a default value of 86400. The value indicates the maximum interval for recipients to generate aggregate reports.
adkim: Specifies the alignment mode for DKIM. The default value is r (relaxed). You can also set the value to s (strict). Relaxed mode allows subdomains, while strict mode requires an exact match.
aspf: Specifies the alignment mode for SPF. The default value is r (relaxed). You can also set the value to s (strict). Relaxed mode allows subdomains, while strict mode requires an exact match.
v: Specifies the version. This parameter is required. The value must be DMARC1, and this tag must be the first in the record.
fo: Specifies the failure reporting options. This parameter is optional, and the default value is 0. The value is a colon-separated list. This tag is ignored if the ruf tag is not specified. For observation and testing, you can use this tag with p=none. If you set this tag to 1, a report is generated if the email fails either the SPF or DKIM check.
3. How to configure
1. Before you set a DMARC record, make sure that you have set a Sender Policy Framework (SPF) record that includes "v=spf1 include the following:spf1.dm.aliyun.com -all", or that you have configured the DomainKeys Identified Mail (DKIM) protocol with the value provided in the console.
2. After you set the SPF record, you can set the DMARC record as follows:
Managing domain name resolution | Record Type | Record Value |
_dmarc | TXT | v=DMARC1; p=quarantine; rua=mailto:dmarc_report@service.aliyun.com |
Important
In the record value, "dmarc_report@service.aliyun.com" is the default mailbox that Direct Mail uses to collect DMARC reports. To view DMARC reports, you must specify a mailbox in your organization that can send and receive emails. You can use a mailbox on a subdomain.
If your domain name was not purchased from Alibaba Cloud, contact your domain name provider for instructions on how to add the record.
Procedure
The following steps use Alibaba Cloud DNS as an example:
1. Log on to the Alibaba Cloud DNS console. From the list of domain names, find the domain name that you want to manage and click Resolve Settings.
2. On the Resolve Settings page, click Add Record. Enter the record information and click OK.
Example:
Record Type: TXT
Host: @
The following figure shows an example of how to add a DMARC record.
How to query a DMARC record
You can use the `dig` or `nslookup` command to query the DMARC record.
Linux: % dig _dmarc.your_domain_name txt
Windows: nslookup -qt=TXT _dmarc.your_domain_name