Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

What is a DMARC record and how do I create it on DNS server?

03/26/2020 1,248 People found this article helpful 215,291 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    Before creating DMARC records it's a good idea to test DKIM and SPF. Testing can be found here: https://dmarcguide.globalcyberalliance.org/#/

    Prerequisites:

    • Creating SPF record
    • Creating DKIM record

    Resolution

    Create the record:

    DMARC is designed to give receivers of email better judgment control  based on sending domain reputations.  It provides a platform where the sending side can publish policies to improve effectiveness against spam and phishing, in effect building domain reputations. This helps to provide guidelines on how to address messages that do not align according to those policies published by the sending domains.
     
    DMARC was aimed at:

    • Reducing false negatives
    • Providing authentication reports
    • Apply sender policies at the receiving end
    • Reduce phishing
    • Be scalable

    In order to get started with DMARC, the sending domain needs to have an SPF and DKIM record published. Once the SPF and DKIM records are in place, you can configure DMARC by adding policies to your domain’s TXT records (the same way in which you published your SPF and DKIM records).  Your TXT record name should read something similar to “_dmarc.your_domain.com.”  Please replace the “your_domain.com” with your own domain.

    As DMARC policies are published as TXT records, it defines what an email receiver should do with non-aligned mail it receives.

    A DMARC record's name when creating a TXT record is "_dmarc" which forms a TXT record such as _dmarc.mydomain.com or _dmarc.mydomain.net etc

    An external guide/wizard on creating DMARC records: https://dmarcguide.globalcyberalliance.org/#/dmarc/

    Example:
    "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com" 

    In this scenario, the sender defines the policy as such that the receiver outright rejects all non-aligned messages and sends a report about the rejections to a specific email address. If the sender were to use the “quarantine" setting in the policy, it would look like:

    "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@dmarcdomain.com"

    and would request the action to quarantine on the receiving end of the message. In the next example, if a message claims to be from your domain.com and fails DMARC, no action is taken. Instead, these messages will then show up in your daily aggregate report sent to

    "v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com"

    Here is a sample where the message fails DMARC, then quarantines it 5% of the time.

    "v=DMARC1; p=quarantine; pct=5; rua=mailto:postmaster@your_domain.com"

    In this sample, the policy is set to reject the message 100% of the time and send the daily report to the specified address of dmarc@your_domain.com.

    "v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com, mailto:dmarc@your_domain.com"

    DMARC records follow the extensible "tag-value" syntax for DNS-based key records defined in DKIM. The following chart illustrates some of the available tags:
     
    Common tags used in DMARC TXT records:

    TagName    Required Purpose Sample
    v              required Protocol Version v=DMARC1
    p required Protocol for Domain p=quarantine
    pct optional % of message subjected to filtering pct=20
    rua optional Reporting UTIof aggregate report rua=mailto:postmstr@domain.com
    sp optional Policy for subdomains of the domain sp=r
    aspf optional Alignment mode for spf aspf=r 
     


    Only the v (version) and p (policy) tags are required. Three possible policy settings are available:

    • none - Take no action. Only log the affected messages in the daily report.
    • quarantine - Mark affected messages as spam.
    • reject - Cancel the message at the SMTP layer.  

    Alignment mode refers to the analysis which sender records are compared to SPF and DKIM signatures. There are two possible values being presented, relaxed “r” or strict “s”. Relaxed allows for partial matches such as subdomains while strict requires an exact match.
    Be sure to include an email address with the optional rua tag to have the daily reports sent to that address.
     
    Example report
    The daily reports are sent in XML format. They provide feedback informing you of the sending source IP addresses that have been sending out on your domain’s behalf.  This helps in determining which sources are valid or not. As a result, this assists in more effective deployment of your SPF and DKIM records.

    Here is an example of a daily aggregate report. The judgement result is shown along with the source IP addresses and the action taken.
     
    <record>
     <row>
     <source_ip>207.126.144.129</source_ip>
     <count>1</count>
     <policy_evaluated>
     <disposition>none</disposition>
     </policy_evaluated>
     </row>
     <identities>
     <header_from>stefanomail.com</header_from>
     </identities>
     <auth_results>
     <dkim>
     <domain>stefanomail.com</domain>
     <result>pass</result>
     <human_result></human_result>
     </dkim>
     <spf>
     <domain>stefanomail.com</domain>
     <result>pass</result>
     </spf>
     </auth_results>
     </record>
     <record>
     <row>
     <source_ip>207.126.144.131</source_ip>
     <count>1</count>
     <policy_evaluated>
     <disposition>none</disposition>
     <reason>
     <type>forwarded</type>
     <comment></comment>
     </reason>
     </policy_evaluated>
     </row>
     <identities>
     <header_from>stefanomail.com</header_from>
     </identities>
     <auth_results>
     <dkim>
     <domain>stefanomail.com</domain>
     <result>pass</result>
     <human_result></human_result>
     </dkim>
     <spf>
     <domain>stefanomail.com</domain>
     <result>pass</result>
     </spf>
     </auth_results>
     </record>

    Here is an example of how to specify the optional size limit argument and set it to 10 MB: "v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com!10m"

    Deploy slowly

    As the DMARC specification takes into consideration that scaling out the deployment may be challenging for some organizations to do at once, there are a number of built-in methods for "throttling" the DMARC processing so full deployment can be done in increments over time.

    • First thing to do is monitor your traffic and reports. Assess where your vulnerabilities are (where messages are being delivered without being digitally signed or are coming from invalid source IP addresses) and address them through SPF and DKIM records.
    • As you monitor your daily aggregate reports and get to a place where you are comfortable with the results, you can change the action on your policies to start to quarantine. You do this by changing your TXT record using DMARC to use the “quarantine” action. Continue to monitor your daily reports
    • Once you have been monitoring your traffic and daily reports for some time and feel comfortable with the sources seen sending traffic on behalf of your domain and they are all being digitally signed, you can move forward with the next step in changing the policy to use the “reject” tag to fully deploy DMARC in its entirety. Monitoring your reports and your spamfeed is an essential part of maintenance for DMARC accuracy.

    Also worth noting, the optional pct tag can be used to sample your DMARC deployment in increments as well. Since 100% is the default, passing "pct=20" in your DMARC TXT record results in one-fifth of all messages affected by the policy actually receiving the disposition instead of all of them. This setting is especially useful once you elect to quarantine and reject mail. Start with a lower percent to begin with and increase it every few days.

    So a conservative deployment cycle would resemble:

    1. Monitor all.
    2. Quarantine 1%.
    3. Quarantine 5%.
    4. Quarantine 10%.
    5. Quarantine 25%.
    6. Quarantine 50%.
    7. Quarantine all.
    8. Reject 1%.
    9. Reject 5%.
    10. Reject 10%.
    11. Reject 25%.
    12. Reject 50%.
    13. Reject all.

    When you are ready to complete the DMARC deployment, remove the percentages from your policies so that the full action of “quarantine” and “reject” is now functioning at 100%. As always, monitor your daily reports.

    Recap DMARC deployment.

    1. Deploy SPF and DKIM records for your domain.
    2. Confirm that all sending MTA’s on behalf of the specified domain are aligning the appropriate identifiers appropriately.
    3. Publish DMARC record using the "monitor" flag and specify rua value to receive daily aggregate reports.
    4. Assess vulnerabilities from the daily reports and adjust SPF and DKIM accordingly. Make changes to your mailstreams as needed.
    5. Change DMARC policy flags to "quarantine" and then eventually to "reject" as you see fit.

    For further reference, you can go to:
    http://dmarc.org/overview.html
    http://dmarc.org/specification.html

    Related Articles

    • SonicWall HES IP address blocklisted by UCEProtect or Backscatter
    • How to add O365 connector for domain specific routing
    • SonicWall Email Security on Hyper-V Platform

    Categories

    • Email Security > Email Security Appliance
    • Email Security > Email Security Software
    • Email Security > Hosted Email Security

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2022 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top
    Trace:4ee82ce2006b54d95245027ae7978e4a-89