Overview
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to give domain owners control over how unauthenticated email is handled. It also provides valuable reporting on email activity and potential abuse. With DMARC enabled, the email address(es) you specify will receive regular aggregate reports from other email service providers about illegitimate email they have encountered that attempted to impersonate your domain.
Why Use DMARC?
Protects your domain from spoofing and phishing.
Improves email deliverability and trust.
Provides visibility into how your domain is used across the internet.
How DMARC Works
DMARC uses a DNS TXT record to define a policy for handling messages that fail SPF or DKIM checks. It also specifies where to send reports about email authentication results.
Example DMARC Record
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
This record instructs mail servers to quarantine messages that fail SPF or DKIM authentication and send aggregate reports to the specified email address.
DMARC Setup with Webnames.ca
First, set up SPF and DKIM for your domain.
Use our DMARC Wizard to create a policy specifying how to handle emails that fail SPF checks.
Publish the DMARC record in your domain’s DNS records.
Webnames.ca DMARC Wizard
Our DMARC Wizard is available to all Webnames.ca email customers via the Email tab of their domain management page.
Policy Options
none: Monitor only; take no action on failed messages.
quarantine: Treat failed messages as suspicious (e.g., send to spam).
reject: Block messages that fail authentication.
Reporting Options
rua: Aggregate reports (recommended for monitoring).
ruf: Forensic reports (less commonly used due to privacy concerns).
Reporting URI Aggregate
Aggregate Report URI – Comma-separated list of email addresses to which aggregate reports (daily summaries) are to be sent.
Reporting URI Failure
Forensic Report URI – Comma-separated list of email addresses to which detailed failure reports are to be sent.
Failure Options
0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned "pass" result.
1: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned "pass" result.
d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment. DKIM-specific reporting is described in [AFRF-DKIM].
s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment. SPF-specific reporting is described in [AFRF-SPF].
Subdomain Policy
none or match: Requested Mail Receiver policy for all subdomains
Alignment DKIM
Strict or Relaxed: DKIM Alignment Mode
Alignment SPF
Strict or Relaxed: SPF Alignment Mode
Comparison of Strict vs Relaxed
Aspect | Strict Alignment | Relaxed Alignment |
Domain Match | Requires exact domain match in “From” address and SPF/DKIM authentication | Requires match at the organizational level, allowing different subdomains |
Security Level | Higher, due to stringent authentication | Slightly lower, due to more lenient authentication |
Best Suited For | Organizations with high security needs like financial institutions, government bodies | Organizations using multiple subdomains or third-party email services |
Flexibility | Less flexible, may lead to false positives | More flexible, accommodating a range of email practices |
Risk of Spoofing | Lower, as it leaves little room for impersonation | Slightly higher, due to lenient domain matching criteria |
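The difference between the two modes, as an added Python example (not Webnames.ca's code). The small `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List, and the function names and domains are illustrative assumptions.

```python
# Constructed stand-in for the Public Suffix List (assumption: a real check
# loads the full list from publicsuffix.org rather than this small set).
PUBLIC_SUFFIXES = {"ca", "com", "org", "co.uk", "bc.ca"}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.example.ca -> example.ca."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def is_aligned(from_domain, auth_domain, mode="r"):
    """mode "s" needs an exact match; mode "r" needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_pass(from_domain, spf_domain, spf_ok, dkim_domain, dkim_ok,
               aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes and aligns with From: (RFC 7489)."""
    spf_aligned = spf_ok and is_aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_ok and is_aligned(from_domain, dkim_domain, adkim)
    return spf_aligned or dkim_aligned
```

A third-party sender that signs with `d=mail.example.ca` for a `From:` address at `example.ca` aligns in relaxed mode but not in strict mode, which is the trade-off the table describes.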
Reporting Interval
Interval between aggregate reports (in seconds).
Percent
0-100: Percentage of messages to apply policy to
Reporting Format
Format to be used for message-specific failure reports.
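The wizard options above end up as tags in the published TXT record (p, sp, adkim, aspf, rua, ruf, pct). As an added example, not Webnames.ca's own code, this Python linter checks a record's tag values before it is published; the sample records and the example.com reporting address are constructed.

```python
import re

# Allowed values for the enumerated tags defined in RFC 7489.
ENUMS = {
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt):
    """Return a list of findings for one record; an empty list means clean."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        return ["record must start with v=DMARC1"]
    tags, findings = parse_dmarc(txt), []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    for tag, allowed in ENUMS.items():
        if tag in tags and tags[tag].lower() not in allowed:
            findings.append(f"{tag}={tags[tag]} is not a valid value")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} entry {uri} lacks the mailto: scheme")
    pct = tags.get("pct", "100")
    if not re.fullmatch(r"[0-9]{1,3}", pct) or int(pct) > 100:
        findings.append(f"pct={pct} must be an integer from 0 to 100")
    elif int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"policy is applied to only {pct}% of failing mail")
    if policy == "none":
        findings.append("p=none is monitor-only; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings


# Constructed sample records; the reporting address is a placeholder.
GOOD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"
WEAK = "v=DMARC1; p=none; rua=dmarc-reports@example.com; adkim=strict; pct=150"
```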
Implementation Recommendations
Begin by creating a DMARC record with Policy enforcement set to none (p=none;). This lets you start receiving reports without risking messages from your domain being rejected or marked as spam by receiving servers. We suggest using this record for a minimum of one week, as this is usually sufficient time for the daily reports to contain data that is representative of all your mail streams. After monitoring DMARC reports for at least a week with no adverse results, update your policy to quarantine (p=quarantine;) or the stricter policy of reject (p=reject;).
Propagation and Enforcement
DMARC records typically propagate within 4–6 hours. Enforcement begins once the record is detected and validated.
Applying DMARC to DNS
Webnames DNS Customers
In all instances where Webnames.ca provides DNS services for the domain (including domains which are parked, forwarded, have Webnames or Wix web hosting, or have dedicated Advanced or Premium DNS services), clicking the Apply button within the DMARC Wizard will insert the crafted DNS record into the domain name's DNS. No further action is required.
Third-Party DNS Customers
Where another company provides DNS services for the domain name, the record values produced by the DMARC Wizard must be manually copied and pasted into that company's DNS hosting management interface. The location and layout of this interface differ from one provider to another. Generally, however, these are the required parameters:
Record Type: TXT
Record Hostname: _dmarc.yourdomain.ca
Record SOA: default
Record Value: Copy and paste from the DMARC Wizard