Product » Xeams » Knowledge Base
|Subject:||DMARC - What is it and how to use it|
|Creation date:||8/9/17 4:11 AM|
|Last modified on:||4/12/22 11:42 AM|
DMARC Domain-based Message Authentication, Reporting & Conformance
The purpose of this page is to explain how to use DMARC in Xeams. Visit https://dmarc.org/
more about DMARC.
DMARC builds on top of SPF
and takes these protocol to the next level. The following table summarizes
what each protocol does:
|SPF||Prevents email forgery by confirming an incoming message came from an IP address designated by the sender. SPF checks
the MAIL FROM value in the SMTP Envelope conversation. It does not check the FROM header in the actual message.|
|DKIM||Confirms the content of the message was not modified during transit and the message originated from the sender's domain. This protocol emphasizes on
email's domain name rather than the IP address where message came from.|
|DMARC||Unlike SPF, DMARC looks at the FROM header of an email. An incoming email is considered to be "DMARC Aligned" if the domain
name of FROM header matches with the domain name of the MAIL FROM value in the envelope. Additionally, it also checks if the domain specified
in the FROM header matches with the domain name specified in the DKIM signature.
Aside from checking for message alignment, which prevents forgery, DMARC also provides a mechanism for email servers to report their discovery to other servers
on the internet. For example, servers for gmail.com and yahoo.com will send reports once a day to your Xeams explaining how they treated messages that
came from your domain.
There are three aspects of DMARC in Xeams:
- Assigning a score to an incoming email from the Internet if DMARC alignment fails.
- Process incoming reports from other email servers
- Sending reports to other email servers
Xeams will check DMARC alignment for every incoming email if DMARC is enabled on your Xeams. This happens even if you do not use DMARC for you own domain.
A score is assigned if this alignment fails.
Every domain that publishes a DMARC record in their DNS also configures how a receiving server handle messages if alignment fails. This allows a
gradual roll-out of DMARC for a company. When you first decide to use DMARC for your domain, you will not be sure how other email servers will treat your
emails if DMARC alignment fails. Therefore, you may want to tell them not to reject any messages if messages from your domain are not aligned. Instead, send
you a report letting you know why was DMARC failed, which helps you fine tune your DMARC record in the DNS server. There are three levels of actions when DMARC
- None - This tells the receiving server to simply ignore DMARC but generate a report letting the sender know about the results.
- Quarantine - This tells the receiving server to do further filtering before considering the message junk
- Reject - The receiving server should consider the message junk
Displaying incoming reports
Xeams will automatically handle incoming reports for DMARC and create a summarized view for the administrator. Note that DMARC reports will only be available if
you publish a DMARC record for your domain. The report provides the following information:
- Compliant Message Count - Number of emails that were compliant - meaning DMARC was fully aligned. Besides the count, you can also see the IP addresses where
email generated from.
- Quarantined Message Count - Number of emails that were quarantined by the receiving servers. You will only see a number higher than 0 if
your DMARC record policy is set to quarantine.
- Rejected Message Count - Number of emails that were rejected by the receiving servers. You will only see a number higher than 0 if
your DMARC record policy is set to reject.
- SPF Passed - Contains the number of messages where SPF check passed
- SPF Failed - Contains the number of messages where SPF check failed
- DKIM Passed - Contains the number of messages where DKIM check passed
- DKIM Failed - Contains the number of messages where DKIM check failed or a signature was missing
- Total Reporters - Lists the domain names of servers on the Internet that sent a report
- Total Reports - Holds a list of reports sent to your server in the last 15 days.
Inbound reports are automatically processed and displayed when you click DMARC under Filter Management. Most servers send their reports once a day. Therefore, it could take up to 24 hours to see reports after you create a DNS entry for DMARC.
Xeams will display reports for multiple domains if your server handles more than one domain.
Sending outbound reports
In order for Xeams to send out-bound reports, you must check the Reporting Enabled
checkbox in DMARC configuration. This option will generate an
aggregate report for DMARC that will be sent to other servers on the Internet letting them know how their messages were treated by Xeams.
Using DMARC for your domain
In order to enable DMARC for your domain, you must create a TXT record in your DNS server. Although many tools are available on the Internet that can help you
generate a DMARC record, in order to get you going without getting into too many details, we recommend the following value for your DMARC record.
When creating a DNS entry, use
for host name.
Use the following value for the first 90 days:
"v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org"
Obviously, change the value for
with the appropriate name. This value tells other servers on the Internet to simply monitor DMARC
alignment and report them to your Xeams, allowing you to fix problems with your SPF and/or DKIM signatures. Frequently check the report generated by Xeams
for your domain to confirm SPF and DKIM are not failing for IP addresses belonging to you.
Other servers on the Internet will send their reports to
, which will automatically be handled by Xeams.
Once you are confident SPF and DKIM are not failing for your IP addresses, change the policy to quarantine
by modifying your DNS record to:
"v=DMARC1; p=quarantine; rua=mailto:email@example.com"
Notice the username part (value before the '@' sign) in the email address, which is set to
dmarc.rua. This is the default username for emails in Xeams. If you decide to use a different value, ensure you specify that for the User for Aggregate Feedback field in DMARC configuration.
Every domain handled by your Xeams must have identical value for the User for Aggregate Feedback field.
Using DMARC with SMTP Proxy
The acceptance and rejection of any incoming email is delegated to the downstream SMTP server when you use SMTP Proxy Server in Xeams. For example, if you're using
MS Exchange as your primary server, it is Exchange that decides if an incoming email is accepted or rejected. Therefore, incoming emails for DMARC will not be accepted until
you add a user in your Exchange Server.
You have one of two choices when using SMTP Proxy Server for inbound emails:
- Create an account in Exchange for firstname.lastname@example.org, OR
- Use the regular SMTP Server for inbound emails
ImportantDo not create any special accounts in Xeams for DMARC.
Xeams will automatically handle incoming emails for DMARC.
NOTEEmails sent to email@example.com do not affect your license count.
Posted by Glen Ihrig on 9/23/21 10:34 PM
Something missing here is how to configure DNS records to permit "Verifying External Destinations" See: https://datatracker.ietf.org/doc/html/rfc7489#section-7.1
Add a comment to this document
Do you have a helpful tip related to this document that you'd like to share
with other users? Please add it below. Your name and tip will appear at the
end of the document text.