DMARC — Domain-based Message Authentication

Category: Before Enabling Filtering Services | Protocol: DNS / Email

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol built on SPF and DKIM that tells recipient mail servers how to handle emails that fail authentication. It protects against spoofing and phishing.

e-securemail provides DMARC report collection to help visualize successful and failed authentications.

I — DMARC Collection with e-securemail

From your console, go to Reports > DMARC to generate your record. Then add it to your DNS zone:

| Parameter | Value |
|---|---|
| Name | _dmarc |
| TTL | 3600 |
| Type | TXT |
| Value (example) | v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com |

II — The Three DMARC Policies

| Policy | DNS Record | Effect |
|---|---|---|
| none | v=DMARC1; p=none | Monitoring only: no action taken on emails |
| quarantine | v=DMARC1; p=quarantine | Suspicious emails are placed in spam/quarantine |
| reject | v=DMARC1; p=reject | Suspicious emails are rejected before delivery |

💡 Recommendation: Start with p=none to analyze DMARC reports safely, then gradually move to quarantine and finally reject.

III — How DMARC Works

  • The recipient server checks SPF and DKIM
  • It verifies alignment: the SPF/DKIM domain must match the domain in the From address
  • If one of the checks fails, the DMARC policy is applied (none / quarantine / reject)
  • Aggregate reports are sent to the rua address defined in the record

IV — Advanced Settings

_dmarc.your-domain.com 3600 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@secuserve.com"

| Parameter | Description |
|---|---|
| p | Policy: none, quarantine, or reject |
| pct | Percentage of emails affected (100 = all) |
| rua | Address receiving aggregate reports |
| ruf | Address receiving forensic reports (optional) |
| sp | Policy for subdomains (if different) |
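
Before publishing a record, it helps to check its value against the parameters listed above. The following is an added example, not e-securemail code: a small linter for a DMARC TXT value. The function names and finding messages are assumptions made for illustration, and the third sample value is constructed.

```python
# Added example: lint the value of a DMARC TXT record (not e-securemail code).
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(record):
    """Return (settings, findings) for one record value."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    p = tags.get("p", "").lower()
    if p not in POLICIES:
        findings.append("p must be none, quarantine or reject")
    elif p == "none":
        findings.append("p=none is monitoring only")
    sp = tags.get("sp", p).lower()  # subdomains inherit p when sp is absent
    if "sp" in tags and sp not in POLICIES:
        findings.append("sp must be none, quarantine or reject")
    pct_text = tags.get("pct", "100")  # 100 (all mail) when pct is absent
    pct = int(pct_text) if pct_text.isdecimal() else None
    if pct is None or pct > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif pct < 100 and p in ("quarantine", "reject"):
        findings.append(f"policy applied to only {pct}% of failing mail")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag} target {uri.strip()!r} is not a mailto: URI")
    if not tags.get("rua"):
        findings.append("no rua address: aggregate reports are not collected")
    return {"p": p, "sp": sp, "pct": pct}, findings

if __name__ == "__main__":
    # The two record values shown on this page, plus one constructed bad value.
    for value in ("v=DMARC1; p=none; rua=mailto:dmarc@secuserve.com",
                  "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@secuserve.com",
                  "p=quarantine; v=DMARC1; pct=250"):
        print(value, "->", lint_dmarc(value))
```

An empty findings list means the value uses the documented parameters consistently; it does not confirm that the record is actually published in DNS.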