Tech Tips – How To Implement DMARC

Daniel Mackay
Jan. 12, 2014 by Daniel Mackay

The Basics of DMARC

You may have heard a lot about the DMARC standard in the past year, yet how does one go about ensuring that this standard for email authentication is met? Here’s a quick reference guide.

DNS entries that DMARC uses:

1 – The DMARC DNS text entry

The following is an example DMARC text entry for DNS :

v=DMARC1; p=none; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; adkim=r; aspf=r; rf=afrf; sp=none

The above example was generated with the following utility: http://www.kitterman.com/dmarc/assistant.html

In order to get this in the real world use dig +short _dmarc.<domain> TXT

<snip>

[root@mymachine ~]# dig +short txt _dmarc.sovereignsociety.com

“v=DMARC1\; p=none\; rua=mailto:84tcdfj1@ag.dmarcian.com\;”

<snip>

2 – The SPF DNS text entry

The following is an example of a SPF DNS text entry:

mydomain.com. IN SPF “v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all”

You can find this for most domains by issuing a dig +short <domain> TXT and here is an example:

<snip>

[root@mymachine ~]# dig +short hotmail.com txt
“v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all”

[root@mymachine default]# dig +short spf-a.hotmail.com txt
“v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all” <snip>

More information on creating an SPF DNS text entry available here: http://www.openspf.org/SPF_Record_Syntax

For SPF validation you can use: http://www.kitterman.com/spf/validate.html

3 – The DKIM DNS text entry

The following is an example of an DKIM DNS text entry:

dkim1024._domainkey.mydomain.com. 86400 IN TXT “v=DKIM1; k=rsa; h=sha1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZXNwzXOk0mRqPcgSUOnmVHro rg/BZHybpiBoDS/g6IaMjmVwaQf2E72x9yDBTgiUBtTCqydQRZJ3EbfYfvo+WAHq 2yz6HKR0XCwMDSE2S3brVe7mbV/GPEvnCuFPPEVjbfL4w0tEAd8Seb5h07uVQqy1 Q7jIOnF5fG9AQNd1UQIDAQAB”

You generally can find this by doing a dig +short _domainkey.<domain> TXT here is an example

<snip>

[root@mymachine ~]# dig +short google._domainkey.protodave.com TXT

“v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB”

<snip>

More details on validation of DKIM available here: http://dkimcore.org/tools/keycheck.html

Utility to create DKIM DNS entries: http://www.dnswatch.info/dkim/create-dns-record

The DMARC validation process.

In order for DMARC to begin passing a message, either the DKIM must pass or the SPF must pass, if neither passes then the action requested, in p (Domain policy) or sp (Subdomain policy) in the above DMARC DNS text entry will be adhered to. The options on the policies are none, quarantine or reject.

Once either DKIM or SPF have passed, and it can be both, DMARC will then take action based on the requested behavior of adkim or aspf.

For strict adherence:

  1. In all cases, the RFC5321:Mailfrom and the RFC5322:From must match exactly.
  2. If the adkim is set to strict then the d= entry must match exactly the RFC5322:From domain.
  3. If spf is set to strict then spf domain must exactly match the RFC5322:From domain.

For relaxed adherence:

  1. In all cases both RFC5321:Mailfrom and RF5322:From must share an organizational domain.
  2. For dkim relaxed the d= domain must share an organizational domain with the RFC5322:From domain.
  3. For spf relaxed the domain must share an organizational domain with the RFC5322:From domain.

We hope you find the information here of some use however, please note that this document is not meant to replace the information available on DMARC at these locations.

Enjoy!

Find out why businesses are turning to the DMARC email authentication standard when you get the free copy of the How DMARC Is Saving Email eBook today!

How DMARC Is Saving Email

Share your Thoughts

Your email address will not be published.

Related Content

Getting Started with SparkPost in Java

A quick and easy guide on how to use the SparkPost Java Client Library to integrate with SparkPost to allow users to send emails faster.

read more

Are you Realizing the Big Rewards of Email Deliverability?

We did the math, learn how email deliverability is calculated, how it impacts your bottom line, and how to improve it for better engagement rates and ROI.

read more

Why Attestations Are Just One Part of Your Cloud Security Program

Attestations are a necessity for any cloud security program. Here’s why you need to look beyond just checking the boxes to ensure your perimeter is secure.

read more

Start sending email in minutes!

The world’s most powerful email delivery solution is now yours in a developer-friendly, quick to set up cloud service. Open a SparkPost account today and get started for free.

Get Started

Send this to a friend