
I have been under some pressure to produce the DMARC record for one of our customers. Unfortunately, they do not give me access to the domain vendor and instead repeatedly ask "What should they write in their order?".

I am not a domain expert.

This is regarding an email domain the customer has bought.

The domain is mostly green-lit according to MXTools, but it seems to lack the DMARC record.

I prepared some guides using this blog post about what different values in the DMARC record are. But now they are asking me to be even more clear.

Could anyone help me prepare an answer? Is what they are asking reasonable?

Disasterkid

2 Answers

4

DMARC is a policy. The record is just a technical presentation of that policy. Therefore, without a policy you cannot write a record. The p=none/quarantine/reject depends on the purpose of the policy: is it just for monitoring email forgeries or actively fighting them? Do they have everything else prepared for the alignment (DKIM and/or SPF passing for all legit email & aligned with the From domain name)?

Most recommend using a p=none with rua= aggregate reports, first, and analysing the reports to eliminate false positives. As it might be laborious and complex to analyse all the XML reports by hand, there are many DMARC report analysers for visualizing the results:

Once all legit mail starts to pass the DMARC alignment, the domain is ready for a stricter policy.

If you want to become a professional who can perform these things on behalf of your customers, you must understand the technologies instead of taking any shortcuts. Some good resources to start with:

Esa Jokinen
  • Thank you for the material. One question. Does `rua` email have to be under the same domain we are adding the DMARC record to or could it be anything? – Disasterkid Oct 02 '20 at 10:37
  • 1
    The receiver can be external, and it's not necessarily even email based: therefore, in [DMARC URIs](https://tools.ietf.org/html/rfc7489#section-6.2) all email addresses must have the `mailto:` before them! Also, [external destination must be verified](https://tools.ietf.org/html/rfc7489#section-7.1) with an additional `TXT` record in their DNS. – Esa Jokinen Oct 02 '20 at 10:57
  • Ok, since I have no access to the domain manager tool, isn't it, therefore, safer to have it under the same domain? – Disasterkid Oct 02 '20 at 11:01
  • That's exclusively dependent on the circumstances, and cannot be answered here. However, if you use an external service to analyse the reports, follow their instructions on how and in which order to add the records. – Esa Jokinen Oct 02 '20 at 11:03
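The answer above recommends starting at p=none with rua= aggregate reports and analysing those reports to find legitimate mail that fails alignment. The following is an added example (not code from the answer or from any DMARC analyser) that does that analysis for one aggregate report. The report XML is constructed here in the RFC 7489 Appendix C layout, using documentation IPs and .example domains; the classification rule (aligned / authenticated for another domain / unauthenticated) is this example's own, not something the RFC prescribes.

```python
"""Summarise a DMARC aggregate (rua) report so that legitimate senders failing
alignment can be fixed before the policy is tightened beyond p=none."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 Appendix C layout). Not a real report from any receiver.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1601510400</begin><end>1601596800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>happymailing.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>happymailing.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>happymailing.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>happymailing.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>happymailing.example</header_from></identifiers>
    <auth_results><spf><domain>bulk-esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>happymailing.example</header_from></identifiers>
    <auth_results><spf><domain>happymailing.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(element, tag):
    """Stripped text of a child element, or '' when it is absent."""
    return (element.findtext(tag) or "").strip()


def parse_aggregate_report(xml_text):
    """Return (policy_published dict, list of per-source records)."""
    root = ET.fromstring(xml_text)
    published = {child.tag: (child.text or "").strip() for child in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")  # aligned DKIM/SPF verdicts the receiver applied
        # Raw (possibly unaligned) authentication passes, e.g. SPF passing for an ESP's return-path domain
        raw_passes = [f"{auth.tag}:{_text(auth, 'domain')}"
                      for auth in rec.find("auth_results") if _text(auth, "result") == "pass"]
        records.append({
            "source_ip": _text(row, "source_ip"),
            "count": int(_text(row, "count")),
            "disposition": _text(evaluated, "disposition"),
            "dkim_aligned": _text(evaluated, "dkim") == "pass",
            "spf_aligned": _text(evaluated, "spf") == "pass",
            "header_from": _text(rec.find("identifiers"), "header_from"),
            "raw_passes": raw_passes,
        })
    return published, records


def classify(record):
    """'aligned' passes DMARC; 'unaligned' authenticated for another domain (likely a legitimate
    third party whose alignment needs fixing); 'unauthenticated' failed everything (forgery or unknown)."""
    if record["dkim_aligned"] or record["spf_aligned"]:
        return "aligned"
    if record["raw_passes"]:
        return "unaligned"
    return "unauthenticated"


def summarize(records):
    """Message totals per verdict, plus (verdict, count, raw passes) per source IP."""
    totals = defaultdict(int)
    by_source = {}
    for record in records:
        verdict = classify(record)
        totals[verdict] += record["count"]
        by_source[record["source_ip"]] = (verdict, record["count"], record["raw_passes"])
    return dict(totals), by_source


def messages_hit_by_stricter_policy(records):
    """Messages in this report that p=quarantine/reject at pct=100 would have acted on."""
    return sum(r["count"] for r in records if classify(r) != "aligned")


if __name__ == "__main__":
    published, records = parse_aggregate_report(SAMPLE_REPORT)
    totals, by_source = summarize(records)
    print(f"published for {published['domain']}: p={published['p']} pct={published['pct']}")
    for ip, (verdict, count, raw) in by_source.items():
        print(f"{ip:>15} {count:>5}  {verdict:<15} raw pass: {', '.join(raw) or '-'}")
    print("messages a stricter policy would have hit:", messages_hit_by_stricter_policy(records))
```

In the constructed data the 203.0.113.5 source is the case the answer warns about: SPF passes for bulk-esp.example, but that domain is not aligned with the From domain, so DMARC fails. Under p=reject those 35 messages would be dropped; the fix is to get the sender to sign with an aligned DKIM key or use an aligned return-path, and only then tighten the policy.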
1

DMARC describes the sender's email policy, which is probably something your client needs to decide on.

A p=reject for instance instructs the receiving MTA to reject any email from your customer's domain that fails the DKIM and/or SPF checks. That can have a big impact on mail delivery if set inappropriately.

You can recommend and argue for or against using that value and the same for the values in other DMARC tags.

Your customer then needs to decide.

Once they have decided you can craft the DNS TXT record they need to create in their DNS. That is fairly trivial actually; it is a DNS TXT resource record:

_dmarc IN TXT "tag=value[;tag=value ...]"

Or when you don't use DNS shorthand:

_dmarc.example.com. IN TXT "tag=value[;tag=value ...]"

Rather than applying to the full domain, you can create a policy that is limited to email addresses of a subdomain (mailbox@sub.example.com) too:

_dmarc.sub.example.com. IN TXT "tag=value[;tag=value ...]"

The impact of for instance using

_dmarc.example.com.  IN TXT ( "v=DMARC1;p=reject;sp=reject;pct=100;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dmarc-admin@example.com")

Versus

_dmarc.example.net.   IN TXT ( "v=DMARC1;p=none;sp=reject;pct=10;adkim=r;aspf=r;fo=1;ri=86400;rua=mailto:dmarc-admin@example.net")

Can be quite big.

Bob
  • Thank you! I will read through this and come back. – Disasterkid Oct 02 '20 at 05:26
  • Thank you again! Knowing the domain is solely used for sending marketing campaigns and not receiving, would a policy like this work? `v=DMARC1; p=none; rua=mailto:[EMAIL_ADDRESS_HERE]; fo=1;` – Disasterkid Oct 02 '20 at 10:47
  • And does `rua` email address have to be under the same domain as the one we are adding the DMARC record to? For example, can we be adding a DMARC record to the domain `happymailing.com` while we use `here@breakinggrounds.com` in `rua` to send our reports to? – Disasterkid Oct 02 '20 at 10:50
  • There is no need to use a rua email address in the same domain as the one for which you set up the DMARC record; none of my own domains do. ... – Bob Oct 02 '20 at 11:53
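Both answers end up at the same two practical points: the record is a plain tag=value TXT string, and a rua/ruf address outside the policy domain is allowed but needs the extra verification TXT record at `<policy-domain>._report._dmarc.<report-domain>` (RFC 7489 section 7.1). The following is an added example, not code from either answer, that checks a record the way a receiver would read it and lists those verification records. It uses the question's own example names (happymailing.com, breakinggrounds.com) with a constructed mailbox in place of the placeholder, and it simplifies one thing: it decides "external" by comparing the mailto: domain textually with the policy domain, whereas the RFC compares Organizational Domains, which needs the Public Suffix List.

```python
"""Parse and sanity-check a DMARC TXT record, and list the external-destination
verification records it implies. Added example; the "external" test is a
textual domain comparison, not the RFC's Organizational Domain comparison."""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into (lower-cased tag, value) pairs, in order.
    A trailing ';' is tolerated because the RFC 7489 grammar allows it."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        name, value = part.split("=", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def mailto_domain(uri):
    """Domain of a DMARC 'mailto:user@domain[!size]' URI, or None if it is not one."""
    match = re.fullmatch(r"mailto:[^@!]+@([^!]+)(?:![0-9]+[kmgt]?)?", uri.strip(), re.IGNORECASE)
    return match.group(1).lower() if match else None


def check_dmarc_record(policy_domain, txt):
    """Return (tags, problems, external) for a record published at _dmarc.<policy_domain>.
    'external' lists (uri, verification record name) pairs; each name needs a TXT "v=DMARC1"
    published by the report receiver before receivers will send reports there."""
    pairs = parse_dmarc_record(txt)
    tags = dict(pairs)
    problems, external = [], []
    if not pairs or pairs[0] != ("v", "DMARC1"):   # version tag must be first and exact
        problems.append("record must begin with v=DMARC1 (exact value) or receivers ignore it")
    if "p" not in tags:
        problems.append("p= tag is required")
    for tag in ("p", "sp"):
        if tag in tags and tags[tag].lower() not in VALID_POLICIES:
            problems.append(f"{tag}={tags[tag]} is not one of none/quarantine/reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct={pct} must be an integer 0..100")
    if "fo" in tags and "ruf" not in tags:
        problems.append("fo= only affects failure reports, which go nowhere without ruf=")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no aggregate reports")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            domain = mailto_domain(uri)
            if domain is None:
                problems.append(f"{tag}= URI must be of the form mailto:user@domain: {uri!r}")
            elif domain != policy_domain.lower():
                external.append((uri, f"{policy_domain}._report._dmarc.{domain}"))
    return tags, problems, external


def build_dmarc_txt(domain, **tags):
    """Render the zone-file line for a chosen policy; tags are emitted in the order given."""
    body = ";".join(f"{name}={value}" for name, value in [("v", "DMARC1"), *tags.items()])
    return f'_dmarc.{domain}. IN TXT "{body}"'


if __name__ == "__main__":
    # The record proposed in the comments, with a constructed mailbox at the question's
    # other example domain standing in for the placeholder address.
    proposed = "v=DMARC1; p=none; rua=mailto:here@breakinggrounds.com; fo=1;"
    tags, problems, external = check_dmarc_record("happymailing.com", proposed)
    print("tags:", tags)
    for problem in problems:
        print("problem:", problem)
    for uri, name in external:
        print(f'external destination {uri}: receiver must publish  {name}. IN TXT "v=DMARC1"')
    print(build_dmarc_txt("happymailing.com", p="none", rua="mailto:here@breakinggrounds.com"))
```

Run on the proposed record this reports two things worth telling the customer: `fo=1` does nothing without a `ruf=` destination, and because the reports go to breakinggrounds.com, whoever runs that domain must publish `happymailing.com._report._dmarc.breakinggrounds.com. IN TXT "v=DMARC1"` or receivers will silently drop the reports. Since the asker cannot touch the customer's DNS, the zone line from `build_dmarc_txt` is the exact text the customer can paste into their order.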