Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Do I need to use DMARC?

            DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol.  Its primary use is to prevent the malicious use of your domain from being used in spoofing, phishing and other malicious activity.


            Properly implemented DMARC can help debug email rejections, and provides further protections for your domain and email users in general by leveraging SPF and DKIM in concert. All three protocols (SPF, DKIM and DMARC) must be implemented and configured to reject unauthenticated messages for the most complete protection. The Canadian Center for Cyber Security provides excellent guidance on this and related topics for email protection.


            While not required, it is certainly recommended as it is a powerful way to protect your domain and email users.


            Setting up DMARC requires the modification on your domain to include a SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) entry to determine the authenticity of an email message.  Your domain registrar will be able to assist you in the setup on these entries using a TXT record.


            When setting your DMARC policy we also advise using an SPF record with a 'hard-fail' default policy in order to reduce exposure to social engineering risks like domain spoofing and similar attacks. To do so, ensure you are using -all (hyphen) as opposed to ~all (tilde)


            A sample DMARC TXT entry could look similar to the sample below: 

            "v=DMARC1; p=reject; rua=mailto:rua@example.net; ruf=mailto:ruf@example.net; pct=100; -all" 


            • v (Version) "DMARC1" pertaining the version of DMARC to use. Currently DMARC1 is the only supported version. 
            • p (Policy) "reject" so if an email comes in that doesn't come from your email infrastructure, the receiver outright rejects those messages that fail DMARC authentication.
            • rua the email that any aggregate DMARC reports should go to.
            • ruf the email that any forensic DMARC reports should go to.
            • pct (Percentage) value of '100' to apply the policy - 100% of events that fail DMARC authentication.
            • -all hard fail to explicity reject the email if not authenticated.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0