Build Your Email Server on Ubuntu Part 3: Create DMARC Record
In part 2 of our build-your-own email server on Ubuntu tutorial series, we implemented SPF and DKIM records to improve email deliverability. In this part, we’re going to look at another email authentication technology: DMARC. We will discuss how DMARC can benefit you, how to create a DMARC record, and how to interpret a DMARC report.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is not a product. It’s a freely available technical specification that is widely supported across the Internet. Anyone who owns a domain can take advantage of DMARC.
A DMARC policy allows a domain owner to indicate that emails from his/her domain are protected by SPF and DKIM. You can use DMARC to discover all legitimate sources of email. DMARC builds upon two existing technologies: SPF and DKIM.
Why is DMARC good for you? The benefits of deploying DMARC are:
- Fraud detection: It is a very powerful tool to combat email phishing and thus protect your brand.
- Simplified email delivery: Sending DMARC-compliant email allows receiving email servers to simplify their filtering rules.
- Your email domain reputation will grow after you create the DMARC record correctly.
- Gives senders visibility into how receiving email servers process their email. You can get a report of how many legitimate emails are sent from your domain and how many emails can’t be authenticated, including both legitimate and fraudulent ones.
This is a pretty big deal to any organization that relies on email for its day-to-day business. If you are doing email marketing, then DMARC is a must-have tool to make email easy to deliver and reach customers. Pretty much every major consumer-facing mailbox provider, like Gmail, Yahoo and Microsoft, asks to be sent DMARC-compliant email to make its job of filtering emails easier.
How to Create DMARC Record
DMARC policies are published as a TXT record in DNS.
Step 1: create SPF and DKIM records
To create a DMARC record, you must make sure you have already set up SPF and DKIM records.
Step 2: Identifier alignment
Send a test email from your domain, then check the raw email. You want to make sure the domains in the Return-Path header, the From: header and the d= domain in the DKIM signature are the same. If the 3 domains are identical, then they are aligned.
Step 3: Setting up the DMARC record
Go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following:
v=DMARC1; p=none; rua=mailto:[email protected]
v=DMARC1 means the protocol version is DMARC1.
p=none means we choose none as the policy for our domain.
rua stands for reporting URI for aggregate report. The email address tells the world where reports should be sent. Replace [email protected] with the real email address that you use to receive aggregate DMARC reports.
Policy none will request data reports from receivers without impacting existing flows. You should analyze the data for some time and then modify your email stream as appropriate. You can change the policy from none to quarantine or reject once you have the experience. Quarantine means the email will be labeled as spam.
This is all you have to do to implement DMARC for your domain.
A good service for testing DMARC is https://www.mail-tester.com. Go to the website and you will see a unique email address. Send an email from your domain to this address and then check your score.
This website checks all factors that affect email deliverability, not just DMARC.
Another way to test DMARC is to send an email from your domain to your Gmail account. If DMARC is configured correctly, you will see dmarc=pass in the Authentication-Results header.
How to Interpret DMARC Report
There are two kinds of DMARC reports:
- Daily XML-based aggregate report
- Real-time MARF-based forensic report
Normally you only want to receive the aggregate report. The data that DMARC produces is invaluable for understanding what is going on for any given email domain.
However, raw DMARC data is not easy to read and understand. There are tools such as Dmarcian and ReturnPath that process these reports and present you with a much more readable report. Dmarcian offers a free basic account.
The nice part about Dmarcian is that you can tell receiving email servers to send XML reports directly to Dmarcian for processing. So instead of entering your own email address in the DMARC record, you enter an email address at ag.dmarcian.com that is unique to your Dmarcian account.
v=DMARC1; p=none; rua=mailto:[email protected];