Minimize spam with DMARC

In an effort to reduce spam, we have enabled DMARC by default for all our users. We also monitor delivery.

By default all new accounts have the following DNS rules.

_dmarc.example.com. 3600 IN CNAME _dmarc_clients.zenithmedia.net.

This record points your domain's DMARC policy at our general client record:

_dmarc_clients.zenithmedia.net. 3600 IN TXT "v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=r\; rua=mailto:rua@zenithmedia.net\; ruf=mailto:ruf@zenithmedia.net\; rf=afrf\; pct=100\; fo=1\; ri=3600"

The tags in the above record mean the following:

v=DMARC1 is the DMARC version number; it is currently the only version supported.

p=quarantine tells receiving mail servers to quarantine mail that fails the DMARC check for the primary domain.
sp=quarantine tells receiving mail servers to quarantine mail that fails the DMARC check for a subdomain.
adkim=r tells mail servers to be relaxed about DKIM alignment.
aspf=r tells mail servers to be relaxed about SPF alignment.

With these settings your mail is delivered, and mail spoofed by spammers is sent to junk. These are safe settings and are intended for use while you are developing your site.

When you're done with development, you can move to more restrictive rules.

P and SP can remain at quarantine but could be set to reject.

ADKIM and ASPF can be changed to s for strict; this tells all mail servers to enforce the DKIM and SPF alignment checks and, if the domains are not aligned, to always move the mail to junk.

This is a secure setting but could still generate spoofed spam from your domain.

The strictest settings would be to REJECT instead of quarantine. This would stop people from being able to send mail using your domain, and is the strictest setting possible.

We would like to warn you that setting ASPF to s would stop delivery of mail that is forwarded from another server.
For example, you send an email from sales@example.com to client@exampleclient.com, but exampleclient.com then forwards it to their Hotmail or Gmail. The mail would be rejected because forwarding doesn't retain SPF records.



| tag | strict | explanation |
| --- | --- | --- |
| p | reject | Policy to apply to email that fails the DMARC check. Can be "none", "quarantine", or "reject". "none" is used to collect feedback and gain visibility into email streams without impacting existing flows. |
| sp | reject | Policy to apply to email from a sub-domain of this DMARC record that fails the DMARC check. This tag allows domain owners to explicitly publish a "wildcard" sub-domain policy. |
| adkim | s | Specifies "Alignment Mode" for DKIM signatures. "r" is for Relaxed, "s" is for Strict. Relaxed mode allows Authenticated DKIM d= domains that share a common Organizational Domain with an email's header-From: domain to pass the DMARC check. Strict mode requires exact matching between the DKIM d= domain and an email's header-From: domain. |
| aspf | r | Specifies "Alignment Mode" for SPF. "r" is for Relaxed, "s" is for Strict. Relaxed mode allows SPF Authenticated domains that share a common Organizational Domain with an email's header-From: domain to pass the DMARC check. Strict mode requires exact matching between the SPF domain and an email's header-From: domain. |
| rf | afrf | The reporting format for individual Forensic reports. Can be either "afrf" or "iodef". |
| pct | 100 | The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time. For example, "pct=25" tells receivers to apply the "p=" policy 25% of the time against email that fails the DMARC check. NOTE: you must have a policy of "quarantine" or "reject" for the percentage tag to do anything. |
| fo | 1 | Forensic reporting options. Possible values: "0" to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, "1" to generate reports if any mechanisms fail, "d" to generate a report if the DKIM signature failed to verify, "s" if SPF failed. |
| ri | 3600 | The reporting interval for how often you'd like to receive aggregate XML reports. You'll likely receive reports once a day regardless of this setting. |
| rua | | The list of URIs for receivers to send XML feedback to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:address@example.org". External destination verification is tested if applicable (DMARC Spec section 7.1). |
| ruf | | The list of URIs for receivers to send Forensic reports to. NOTE: this is not a list of email addresses, as DMARC requires a list of URIs of the form "mailto:address@example.org". External destination verification is tested if applicable (DMARC Spec section 7.1). |
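
The following is an added example, not part of the original article or our own tooling. It parses the record published above and applies the relaxed and strict alignment rules from the table to constructed messages, including the forwarding case. The envelope domain bounce.example.com, the helper names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Record as published above (zone-file form, semicolons escaped).
ZONE_TXT = (r'"v=DMARC1\; p=quarantine\; sp=quarantine\; adkim=r\; aspf=r\; '
            r'rua=mailto:rua@zenithmedia.net\; ruf=mailto:ruf@zenithmedia.net\; '
            r'rf=afrf\; pct=100\; fo=1\; ri=3600"')

def parse_dmarc(txt):
    """Turn a DMARC TXT value into a tag dict; alignment tags default to relaxed."""
    body = txt.strip().strip('"').replace("\\;", ";")
    tags = {}
    for part in body.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return {"adkim": "r", "aspf": "r", **tags}

def org_domain(domain):
    # Assumption (hypothetical helper): last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(mode, auth_domain, from_domain):
    """Strict ('s') needs an exact match; relaxed ('r') only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(tags, from_domain, spf=None, dkim=None):
    """spf/dkim: the domain that passed authentication, or None if that check failed.
    DMARC passes when either mechanism passed and is aligned; otherwise p= applies."""
    spf_ok = spf is not None and aligned(tags["aspf"], spf, from_domain)
    dkim_ok = dkim is not None and aligned(tags["adkim"], dkim, from_domain)
    return "pass" if spf_ok or dkim_ok else tags["p"]

def demo():
    relaxed = parse_dmarc(ZONE_TXT)
    strict = dict(relaxed, p="reject", adkim="s", aspf="s")  # stricter values discussed above
    return {
        # Constructed messages, all with header From: sales@example.com
        "direct, relaxed": evaluate(relaxed, "example.com", spf="bounce.example.com"),
        "direct, strict": evaluate(strict, "example.com", spf="bounce.example.com"),
        "forwarded, no DKIM": evaluate(strict, "example.com", spf=None),
        "forwarded, DKIM d=example.com": evaluate(strict, "example.com", dkim="example.com"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The forwarded cases model SPF failing at the forwarding hop: without a DKIM signature the message gets the p= policy, while an intact DKIM signature whose d= domain matches the header From domain still lets it pass.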