Tech Tips – How To Implement DMARC

Daniel Mackay
Jan. 12, 2014 by Daniel Mackay

The Basics of DMARC

You may have heard a lot about the DMARC standard in the past year, yet how does one go about ensuring that this standard for email authentication is met? Here’s a quick reference guide.

DNS entries that DMARC uses:

1 – The DMARC DNS text entry

The following is an example DMARC text entry for DNS :

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf; sp=none

The above example was generated with the following utility: http://www.kitterman.com/dmarc/assistant.html

In order to get this in the real world use dig +short _dmarc.<domain> TXT

<snip>

[[email protected] ~]# dig +short txt _dmarc.sovereignsociety.com

“v=DMARC1\; p=none\; rua=mailto:[email protected]\;”

<snip>

2 – The SPF DNS text entry

The following is an example of a SPF DNS text entry:

mydomain.com. IN SPF “v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all”

You can find this for most domains by issuing a dig +short <domain> TXT and here is an example:

<snip>

[[email protected] ~]# dig +short hotmail.com txt
“v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all”

[[email protected] default]# dig +short spf-a.hotmail.com txt
“v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all” <snip>

More information on creating an SPF DNS text entry available here: http://www.openspf.org/SPF_Record_Syntax

For SPF validation you can use: http://www.kitterman.com/spf/validate.html

3 – The DKIM DNS text entry

The following is an example of an DKIM DNS text entry:

dkim1024._domainkey.mydomain.com. 86400 IN TXT “v=DKIM1; k=rsa; h=sha1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrZXNwzXOk0mRqPcgSUOnmVHro rg/BZHybpiBoDS/g6IaMjmVwaQf2E72x9yDBTgiUBtTCqydQRZJ3EbfYfvo+WAHq 2yz6HKR0XCwMDSE2S3brVe7mbV/GPEvnCuFPPEVjbfL4w0tEAd8Seb5h07uVQqy1 Q7jIOnF5fG9AQNd1UQIDAQAB”

You generally can find this by doing a dig +short _domainkey.<domain> TXT here is an example

<snip>

[[email protected] ~]# dig +short google._domainkey.protodave.com TXT

“v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGfiExKCF1qk/JMaESySByrwx2VjPYDZThQa8432pSTf9mj+AtFiY6wo9A4CMMDLfUBzbDhXFzw3s/qci/tTut+sqv+MSAHhCBJV72Kai64j6TjxUUnfW1RkEYvDhXL+9Wy9OODx2DBZeTpPd6N2Rm4ks3b5wvg73s7RCKjTA7XQIDAQAB”

<snip>

More details on validation of DKIM available here: http://dkimcore.org/tools/keycheck.html

Utility to create DKIM DNS entries: http://www.dnswatch.info/dkim/create-dns-record

The DMARC validation process.

In order for DMARC to begin passing a message, either the DKIM must pass or the SPF must pass, if neither passes then the action requested, in p (Domain policy) or sp (Subdomain policy) in the above DMARC DNS text entry will be adhered to. The options on the policies are none, quarantine or reject.

Once either DKIM or SPF have passed, and it can be both, DMARC will then take action based on the requested behavior of adkim or aspf.

For strict adherence:

  1. In all cases, the RFC5321:Mailfrom and the RFC5322:From must match exactly.
  2. If the adkim is set to strict then the d= entry must match exactly the RFC5322:From domain.
  3. If spf is set to strict then spf domain must exactly match the RFC5322:From domain.

For relaxed adherence:

  1. In all cases both RFC5321:Mailfrom and RF5322:From must share an organizational domain.
  2. For dkim relaxed the d= domain must share an organizational domain with the RFC5322:From domain.
  3. For spf relaxed the domain must share an organizational domain with the RFC5322:From domain.

We hope you find the information here of some use however, please note that this document is not meant to replace the information available on DMARC at these locations.

Enjoy!

Find out why businesses are turning to the DMARC email authentication standard when you get the free copy of the How DMARC Is Saving Email eBook today!

How DMARC Is Saving Email

Related Content

GDPR Affects Open Rates

To comply with GDPR, email senders across the globe sent out millions of privacy updates last week. See our favorites and learn how GDPR affects open rates.

read more

What SMTP Port Should I Use?

“What SMTP port should I use?” is a common question. SMTP port 587 is the best choice for connecting to SparkPost (or nearly any other email server).

read more

Email Security’s Hidden Complexity: Are Termites Eating Your House?

Any company working with customer data or providing any service online needs to pay close attention to security and get their "house" in order.

read more

Get started and start sending

Try SparkPost and see how easy it is to deliver your app’s email on time and to the inbox.

Try Free

Send this to a friend