I've never heard of DMARC
 

http://www.zdnet.com/article/making-...ce-tech-chief/

That's interesting. Is this a realistic tool for a provider like Runbox?

DMARC has been around for about 5 years. It's supported by many email providers and domains.
https://en.wikipedia.org/wiki/DMARC

DMARC is a policy set up by the owner of a domain to specify how failure of SPF and DKIM will be handled. I don't have a Runbox account so don't know if they support SPF, DKIM, and DMARC.

• When sending, SPF, DKIM, and DMARC must be enabled in the DNS records for the sending From domain. DKIM security signing must also be implemented by the sending server.
• When receiving, SFP, DKIM, and DMARC are supported by the receiving server (if implemented). Some systems only support some of these standards (such as DKIM only).
• Conventional message automatic redirection/forwarding breaks SPF as implemented in DMARC. DKIM can also be broken during forwarding if certain portions of the message are altered. Because of this, automatic redirection is now risky and can't be guaranteed to work between all accounts. That's the price we pay for reducing spam and phishing.

Bill

When Runbox implements DKIM on outgoing messages, DMARC will be an option that you can use on your own domain.

SPF and DMARC are set up by the domain owner and they don't require that Runbox do anything. DMARC can in fact be used with just SPF or DKIM, but it is intended that you use both.

As n5bb mentioned, it also contains a reporting mechanism that allows reporting back of information about messages received with a "From" address on your domain, and which servers sent those messages. The reporting aspect requires that the receiving email provider supports sending of reports back to the domain owner.

Some sources recommend you set up DMARC prior to implementing SPF and DKIM on your domain so that you can see the reports of mail received from your domain with no specific DMARC policy in place. This can then provide useful information to help you decide what DMARC policy to have for your domain.

As already mentioned implementing any process that might result in rejecting mail (preferably spam) can also affect legitimate mail so has to be done carefully.

Has anyone here attempted to use DMARC with Runbox? A few years ago Geir remarked:I'm not sure what "support" would mean if Runbox doesn't have to do anything (as indicated in this thread).

If you're hosting email for your domain using Runbox, then Runbox doesn't need to do anything. All you need to do is set up the DNS records to publish the DMARC policy for your domain.

Receiving email, however, is a different story. When Runbox accepts a message, it can look at the DMARC record published for the sending domain and use it to determine how to handle a spammy message. Or it could not support DMARC and simply ignore the record.

It's not a good idea to publish a DMARC record for a domain without having a DKIM signature for that domain on email that uses it in the "From" header. For most users this would mean that the hosting company provides support.