Email protected using DKIM is cryptographically signed and publicly authenticated by other mail servers, which verify that your emails are sent from our systems. The same goes for SPF, which tells the world that our servers hosting your email are allowed to send on your behalf; it is essentially IP-based protection. DMARC is the global policy that tells other mail servers what to do if your email is sent from an unauthorized server.
We sign all emails on our servers with a publicly verifiable signature, assuring other mail providers that we are the source of your business mail.
Our implementation of DMARC consists of this simple DNS text record.
and that points to our default client rule of
"v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=s; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; rf=afrf; pct=100; fo=1; ri=3600"
A breakdown of the rule is as follows.
v is the protocol version; in this case it should be DMARC1.
p is the policy for the organizational domain, i.e. yourdomain.tld. You can have it set to reject, but we set it to quarantine as a default.
sp is the policy for subdomains of the organizational domain. This applies to any and all subdomains of your primary domain.
adkim is set to r for Relaxed. We run DKIM in relaxed mode since our users might have web scripts that send email without authenticating and signing the mail before sending.
aspf is set to s for Strict, since most accounts are hosted on our servers and should always follow the default SPF policy of "v=spf1 include:_spf.zenithmedia.net -all"
rua is the email address used for reporting on the email itself. If you wish to use your own, visit the links below.
ruf is the address for the forensic reports we receive from other providers like Google/Yahoo/Microsoft.
rf is the file format we receive the records in: afrf.
pct is the amount, in percent, of email that is scanned; in this case 100%. We don't recommend lowering this number without consulting our support team.
fo is used as a cue to send us reports about malicious servers trying to use your domain. It should always be set to 1 for ON.
ri is the interval at which we request reports from providers. 3600 seconds is 1 hour, and that seems like enough to catch any malicious activity. Most providers won't send it if it's lowered anyway.
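To see how the adkim=r and aspf=s settings interact, the following added example (not our production code) parses the record above and decides whether a message passes DMARC or falls under the quarantine policy. It assumes the organizational domain is simply the last two labels of a name (real receivers use the Public Suffix List), and the example.com sender domains are constructed.

```python
RECORD = ("v=DMARC1; p=quarantine; sp=quarantine; adkim=r; aspf=s; "
          "rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; "
          "rf=afrf; pct=100; fo=1; ri=3600")  # record text from this page
POLICIES = {"none", "quarantine", "reject"}
ALLOWED = {"p": POLICIES, "sp": POLICIES, "adkim": {"r", "s"}, "aspf": {"r", "s"}}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict and validate the key tags."""
    if not record.lstrip().startswith("v=DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("p tag is required")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            raise ValueError(f"invalid value for {name}: {tags[name]!r}")
    if not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags

def org_domain(domain):
    """Assumption: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(tags, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain/dkim_domain: domains that already passed SPF/DKIM, or None."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

if __name__ == "__main__":
    t = parse_dmarc(RECORD)
    # Unsigned mail with a subdomain envelope sender fails strict SPF alignment.
    print(dmarc_result(t, "example.com", spf_domain="bounce.example.com"))
```

A DKIM signature from any subdomain still aligns under adkim=r, while an SPF pass only counts when the envelope domain matches the From domain exactly.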
If you wish to monitor your own emails, the great guys at dmarcian.com will set you up, and you will start receiving a nicely designed graph showing you who and what is using your domain name.
See dmarc.org, dmarc.io, dkim.org and openspf.org for further reference.