The Basics of DMARC
You may have heard a lot about the DMARC standard in the past year, yet how does one go about ensuring that this standard for email authentication is met? Here’s a quick reference guide.
DNS entries that DMARC uses:
1 – The DMARC DNS text entry
The following is an example DMARC text entry for DNS:
The above example was generated with the following utility: http://www.kitterman.com/dmarc/assistant.html
To retrieve a domain's live record, use dig +short _dmarc.<domain> TXT:
# dig +short txt _dmarc.sovereignsociety.com
"v=DMARC1\; p=none\; rua=mailto:[email protected]\;"
2 – The SPF DNS text entry
The following is an example of an SPF DNS text entry:
mydomain.com. IN SPF "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
You can find this for most domains by issuing dig +short <domain> TXT. Here is an example:
# dig +short hotmail.com txt
"v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
# dig +short spf-a.hotmail.com txt
"v=spf1 ip4:184.108.40.206/26 ip4:220.127.116.11/26 ip4:18.104.22.168/25 ip4:22.214.171.124/24 ip4:126.96.36.199/26 ip4:188.8.131.52/26 ip4:184.108.40.206/24 ip4:220.127.116.11/25 ip4:18.104.22.168/24 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/24 ~all" <snip>
More information on creating an SPF DNS text entry is available here: http://www.openspf.org/SPF_Record_Syntax
For SPF validation you can use: http://www.kitterman.com/spf/validate.html
3 – The DKIM DNS text entry
The following is an example of a DKIM DNS text entry:
dkim1024._domainkey.mydomain.com. 86400 IN TXT "v=DKIM1; k=rsa; h=sha1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZXNwzXOk0mRqPcgSUOnmVHro rg/BZHybpiBoDS/g6IaMjmVwaQf2E72x9yDBTgiUBtTCqydQRZJ3EbfYfvo+WAHq 2yz6HKR0XCwMDSE2S3brVe7mbV/GPEvnCuFPPEVjbfL4w0tEAd8Seb5h07uVQqy1 Q7jIOnF5fG9AQNd1UQIDAQAB"
You can generally find this with dig +short <selector>._domainkey.<domain> TXT, where the selector is the s= value from the message's DKIM-Signature header. Here is an example:
# dig +short google._domainkey.protodave.com TXT
"v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB"
More details on validation of DKIM are available here: http://dkimcore.org/tools/keycheck.html
Utility to create DKIM DNS entries: http://www.dnswatch.info/dkim/create-dns-record
The DMARC validation process
For a message to pass DMARC, either DKIM or SPF must pass. If neither passes, the action requested in p (domain policy) or sp (subdomain policy) in the DMARC DNS text entry above is applied. The policy options are none, quarantine, or reject.
Once either DKIM or SPF has passed (both may pass), DMARC then acts according to the alignment mode requested in adkim or aspf.
For strict adherence:
- In all cases, the RFC5321:Mailfrom and the RFC5322:From must match exactly.
- If the adkim is set to strict then the d= entry must match exactly the RFC5322:From domain.
- If aspf is set to strict then the SPF domain must exactly match the RFC5322:From domain.
For relaxed adherence:
- In all cases both RFC5321:Mailfrom and RFC5322:From must share an organizational domain.
- For DKIM relaxed, the d= domain must share an organizational domain with the RFC5322:From domain.
- For SPF relaxed, the domain must share an organizational domain with the RFC5322:From domain.
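The strict and relaxed alignment rules above, as an added Python example that is not part of the original article: it parses a DMARC record as dig prints it and returns either pass or the policy the record requests. The function names and the sample record are constructed for illustration; the organizational domain is approximated as the last two labels (real validators use the Public Suffix List), and the record is assumed to be published at the organizational domain.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; accepts dig's '\\;' escaping."""
    tags = {}
    for part in txt.strip().strip('"').replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real validators
    # consult the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): exact match; anything else is relaxed: same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_pass, mailfrom_domain, dkim_pass, dkim_d):
    """Return 'pass', or the policy (none/quarantine/reject) the record requests."""
    tags = parse_dmarc(record)
    # adkim/aspf default to relaxed when absent from the record.
    spf_ok = spf_pass and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # ASSUMPTION: record was published at the organizational domain, so sp
    # (when present) applies to any From domain below it.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

# Constructed sample record and messages (example.com / example.net are placeholders).
RECORD = '"v=DMARC1\\; p=reject\\; sp=quarantine\\; adkim=s\\; aspf=r"'

if __name__ == "__main__":
    # SPF passed for bounce.example.com; relaxed aspf aligns it with example.com.
    print(evaluate(RECORD, "example.com", True, "bounce.example.com", False, ""))
    # DKIM passed with d=mail.example.com, but strict adkim needs an exact match.
    print(evaluate(RECORD, "example.com", False, "", True, "mail.example.com"))
    # Both passed for a third-party domain: authenticated but not aligned.
    print(evaluate(RECORD, "news.example.com", True, "esp.example.net", True, "esp.example.net"))
```

The third case is the one worth noticing when reading aggregate reports: SPF and DKIM both pass for the sending provider's own domain, yet the message still falls to the sp policy because neither domain aligns with the From domain.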
We hope you find the information here of some use. However, please note that this document is not meant to replace the information available on DMARC at these locations.