By default all new accounts have the following DNS rules.
_dmarc.example.com. 3600 IN CNAME _dmarc_clients.zenithmedia.net.
This rule forwards your DMARC to our general client rules.
_dmarc_clients.zenithmedia.net. 3600 IN TXT "v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=r\; rua=mailto:email@example.com\; ruf=mailto:firstname.lastname@example.org\; rf=afrf\; pct=100\; fo=1\; ri=3600"
The above rule breaks down as follows:
DMARC1 is the supported DMARC version number; currently it is the only version supported.
p=quarantine tells receiving mail servers to quarantine mail if it fails for the primary domain.
sp=quarantine tells receiving mail servers to quarantine mail if it fails for a subdomain.
adkim=r tells mail servers to be relaxed about DKIM alignment.
aspf=r tells mail servers to be relaxed about SPF alignment.
These settings allow your mail to be delivered, and mail is sent to junk if it is spoofed by spammers. These are safe settings and are used while you are developing your site.
When you're done with development you can move to more restrictive rules.
P and SP can remain at quarantine but could be set to reject.
ADKIM and ASPF can be changed to s for strict; this tells all mail servers to enforce the DKIM and SPF checks and, if they are not aligned, to move the mail to junk 100% of the time.
This is a secure setting, but spoofed spam from your domain is still possible.
We would like to warn you that setting ASPF to s would block mail for people who forward mail from another server.
For example, you send an email from email@example.com to firstname.lastname@example.org, but their exampleclient.com mail server then forwards it to their Hotmail or Gmail. The mail would be rejected because forwarding doesn't retain SPF records.
| Tag | Value | Description |
|---|---|---|
| p | reject | Policy to apply to email that fails the DMARC check. Can be "none", "quarantine", or "reject". "none" is used to collect feedback and gain visibility into email streams without impacting existing flows. |
| sp | reject | Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a "wildcard" sub-domain policy. |
| adkim | s | Specifies "Alignment Mode" for DKIM signatures. "r" is for Relaxed, "s" is for Strict. Relaxed mode allows Authenticated DKIM d= domains that share a common Organizational Domain with an email's header-From: domain to pass the DMARC check. Strict mode requires exact matching between the DKIM d= domain and an email's header-From: domain. |
| aspf | r | Specifies "Alignment Mode" for SPF. "r" is for Relaxed, "s" is for Strict. Relaxed mode allows SPF Authenticated domains that share a common Organizational Domain with an email's header-From: domain to pass the DMARC check. Strict mode requires exact matching between the SPF domain and an email's header-From: domain. |
| rf | afrf | The reporting format for individual Forensic reports. Can be either "afrf" or "iodef". |
| pct | 100 | The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. For example, "pct=25" tells receivers to apply the "p=" policy 25% of the time against email that fails the DMARC check. NOTE: you must have a policy of "quarantine" or "reject" for the percentage tag to do anything. |
| fo | 1 | Forensic reporting options. Possible values: "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, "1" to generate reports if any mechanisms fail, "d" to generate report if DKIM signature failed to verify, "s" if SPF failed. |
| ri | 3600 | The reporting interval for how often you'd like to receive aggregate XML reports. You'll likely receive reports once a day regardless of this setting. |
| rua | | The list of URIs for receivers to send XML feedback to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:email@example.com". External destination verification is tested if applicable (DMARC Spec section 7.1). |
| ruf | | The list of URIs for receivers to send Forensic reports to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:firstname.lastname@example.org". External destination verification is tested if applicable (DMARC Spec section 7.1). |
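
The tags above can be checked in a few lines of Python. This is an added example, not code from this host: it parses the default record shown on this page and applies the relaxed and strict alignment modes from the table. The function names are hypothetical, and the organizational domain is assumed to be the last two labels of the name (real receivers use the Public Suffix List).

```python
# Added example: parse a DMARC TXT value and apply its alignment modes.
# Constructed input: the default record from this page, with zone-file escapes.
DEFAULT_RECORD = (
    r"v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=r\; "
    r"rua=mailto:email@example.com\; ruf=mailto:firstname.lastname@example.org\; "
    r"rf=afrf\; pct=100\; fo=1\; ri=3600")


def parse_dmarc(txt):
    """Return the record's tags as a dict; zone-file '\\;' escapes are undone."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Mode 's' needs an exact match, 'r' only a shared organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(tags, from_domain, spf=None, dkim=None):
    """spf / dkim: the domain that passed that check, or None if it failed.
    Returns 'pass' or the policy the receiver is asked to apply."""
    if spf and aligned(spf, from_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim and aligned(dkim, from_domain, tags.get("adkim", "r")):
        return "pass"
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
```

Calling `dmarc_result` with `spf=None` models a forwarded message whose SPF check no longer passes; the result then depends on whether an aligned DKIM signature is still present.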