Category: Before Enabling Filtering Services | Protocol: DNS / Email
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol built on SPF and DKIM that tells recipient mail servers how to handle emails that fail authentication. It protects against spoofing and phishing.
e-securemail provides DMARC report collection to help visualize successful and failed authentications.
I — DMARC Collection with e-securemail
From your console, go to Reports > DMARC to generate your record. Then add it to your DNS zone:
| Parameter | Value |
|---|---|
| Name | _dmarc |
| TTL | 3600 |
| Type | TXT |
| Value (example) | v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com |
II — The Three DMARC Policies
| Policy | DNS Record | Effect |
|---|---|---|
| none | v=DMARC1; p=none | Monitoring only — no action taken on emails |
| quarantine | v=DMARC1; p=quarantine | Suspicious emails are placed in spam/quarantine |
| reject | v=DMARC1; p=reject | Suspicious emails are rejected before delivery |
💡 Recommendation: Start with p=none to analyze DMARC reports safely, then gradually move to quarantine and finally reject.
III — How DMARC Works
- The recipient server checks SPF and DKIM
- It verifies alignment: the SPF/DKIM domain must match the domain in the From address
-
If one of the checks fails, the DMARC policy is applied (
none/quarantine/reject) -
Aggregate reports are sent to the
ruaaddress defined in the record
IV — Advanced Settings
_dmarc.your-domain.com 3600 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@secuserve.com"
| Parameter | Description |
|---|---|
| p | Policy: none, quarantine, or reject |
| pct | Percentage of emails affected (100 = all) |
| rua | Address receiving aggregate reports |
| ruf | Address receiving forensic reports (optional) |
| sp | Policy for subdomains (if different) |