Understanding DMARC
 

I dabbled with this a while ago, but really didn't understand what was happening.

I've decided to have another go (not with my main domain yet!) to try and get a better understanding.

What I would like to do is create a DMARC record so that any e-mail that wasn't sent by myself generates a daily report. I don't really want to receive a daily report about every e-mail that I send myself.

Presumably this is where "quarantine" comes into the mix.

Could anyone with DMARC experience please explain, preferably in layman's terms, how I could do this?

I have DMARC set up for my personal domain. Here is what you need to do (assuming your domain was example.com):

• Set up a SPF record for your domain and only send from servers allowed by that record.
• Set up a DMARC record for your domain and only send through outgoing servers which properly sign your messages.
• Add a TXT record for your domain with the name _dmarc.example.com and contents similar to:
  
  Code:

  ---

  v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com

  ---

• The policy (p=) can be “none”, “quarantine”, or “reject”. I tried all three, and was brave enough to start using p=reject a few months ago. So far it seems to be working well.
• ”rua” are aggregate reports. “ruf” are failure reports. See FAQ here:
  https://dmarc.org/wiki/FAQ

Bill

Thanks, Bill!

My record currently:
v=DMARC1; p=none; rua=mailto:dmarc@mydomain.com

I understand that record just monitors but does nothing else, that's OK.

But what I want is reports ONLY for a failure - that is e-mails NOT sent by myself.

So the "ruf" in your example is for reporting errors.

If I just want to hear about errors do I remove the "rua" bit, replace with "ruf" and change the "none" to "quarantine"?

Just changed my test DMARC record:

v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@mydomain.com; ruf=mailto:dmarc-ruf@mydomain.com

I've created a different alias for each report, so that with filters set up in my e-mail account, I can see what rua and ruf reports get generated, etc.

Just need then to understand what the reports are telling me!

I use a free dmarcian account:
https://dmarcian.com/plan-free/
That website has many tools for helping you set up DMARC and checking how your DMARC, SPF, and DKIM settings are working. I’m only testing my single personal domain (low volume), so the free tool works fine for me. I use a Fastmail rule to forward the DMARC XML reports coming in from various email services to the special dmarcian address set up for my account. You can also specify that special dmarcian account address in the “rua” field of the DMARC DNS record.

Bill

Thanks for that link and information, Bill.

A quick look at their terms indicates even the free service requires your credit card information at subscription, which is something I prefer not to do.

For now, I'll just monitor myself how and if it works for me.

Just found this on the dmarcian website:

XML to Human Converter

Tried this out to read my reports and it works OK.

And so far, they haven't asked for my credit card information! :)