3

All of my systems ask me to set up a DMARC record, and I want to. It seems to be universally recommended now. However, no one will be monitoring the email performance of the website, or would know how to interpret reports if they were generated. The site does have SPF and DKIM records already.

Is it alright and relatively safe to set up a DMARC record with no "rua" tag and no "ruf" tag? I'm thinking of something simple like:

v=DMARC1; p=quarantine; fo=1; pct=100 

The result would hopefully be that spoofed email would go to the spam filter (quarantined) but would not be auto-deleted. That seems like the best result, under the circumstances.

If we were to hear that mail was not being delivered as expected (and we could run tests to check), and we found that the messages were indeed in the recipient's spam filter, we could look into it.

Would the results likely be any different with no DMARC record at all?

Is it better to set this up in some way similar to the above (with no rua or ruf), or not publish a DMARC record at all?

Please help me to understand the options, and any reasons why this might be a bad idea!

I don't know much about DMARC records, despite having tried to read about them, but as a web developer I am tasked with setting them up.

Halfgaar
hommealone
  • Question appears to assume no implications beyond spam filtering itself. I could treat your mail the same, yet adapt manual mitigations. Rejected valid message based on my heuristics? My job to find a long term solution. Failed DMARC despite you signalling compliance? You go fix your setup, else it might happen again. – anx Apr 16 '22 at 19:01
  • It also appears to be *universally recommended now* to not run an internet (mail) server if "no one will be monitoring". – anx Apr 16 '22 at 19:03
  • You can. But at some point, when you're confident that everything is working correctly, you should go to "p=reject". If some spammer is spoofing your domain in their From: headers, your domain will get the reputation for being a spammer, not theirs - all the user knows is they're always seeing yourdomain.com in the spam folder. They're not going to look at the other headers to find out where the spam is actually coming from. – HiredMind May 04 '22 at 16:45

3 Answers

1

Your header can be shortened:

v=DMARC1; p=quarantine

You're enabling reports with fo, but if you don't have addresses, there's no point. And yes, having a DMARC record without RUA or RUF is fine and legitimate.

But you may try p=none. You can then look at the mail headers of people who receive mail from you to see if DMARC passed. If you do 'show original' in Gmail, it will summarize DMARC status in an easy-to-read format.

Note: for receivers who use Microsoft Office 365, the p=reject is pointless:

If the DMARC policy of the sending server is p=reject, Exchange Online Protection (EOP) marks the message as spoof instead of rejecting it. In other words, for inbound email, Microsoft 365 treats p=reject and p=quarantine the same way.

If you do want RUA/RUF, you can use a service like Dmarcian to aggregate them for you.

Halfgaar
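The shortening described in the answer above, as an added example (not part of the original post): a small Python linter that applies the RFC 7489 tag defaults to a DMARC record and returns the minimal equivalent record plus notes on tags that have no effect. The function names and the example.com report address are made up for illustration.

```python
# Added example: lints a DMARC TXT value using the RFC 7489 tag defaults.
DEFAULTS = {"pct": "100", "fo": "0", "adkim": "r", "aspf": "r", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered dict of lower-case tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' many zone files carry
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return (minimal_record, notes) for one DMARC record string."""
    tags = parse_dmarc(record)
    names = list(tags)
    if not names or names[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    notes, keep = [], {}
    for name, value in tags.items():
        if name == "fo" and "ruf" not in tags:
            # RFC 7489: fo must be ignored when no ruf tag is present
            notes.append("fo is ignored because there is no ruf address")
        elif DEFAULTS.get(name) == value:
            notes.append(f"{name}={value} is the default and can be dropped")
        else:
            keep[name] = value
    if "rua" not in tags and "ruf" not in tags:
        notes.append("no rua/ruf: the policy is published, no reports are requested")
    return "; ".join(f"{k}={v}" for k, v in keep.items()), notes

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; fo=1; pct=100",            # from the question
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):  # constructed sample
        minimal, notes = lint_dmarc(rec)
        print(rec, "->", minimal)
        for n in notes:
            print("   -", n)
```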
1

For a parked domain, it's standard practice to set up DMARC with p=reject with an empty SPF. This way no one can send emails from that domain.

So to answer your questions: yes, it is OK to set it up that way, but whether or not it makes sense depends on the use case.

ricknroll
0

Not the exact same question, but the answer here should answer your question: What does rua and ruf stand for in the DMARC spec?

To directly answer your question, neither is "required". Meaning you could even set the email addresses as dummy addresses. But in real-world practice, you should at least use the RUA to get some kind of understanding of how your DMARC records are affecting email and to be able to use that information as you see fit.

TheCleaner
  • Here again, I do understand that adding RUA would be better ideally, but there will be no one to receive and interpret the RUA results, so I still don't see a point in having them generated, where they will serve only to clog someone's mailbox. I'm trying to understand: in this imperfect situation, does the DMARC record with no reporting accomplish anything? – hommealone Mar 28 '22 at 20:52
  • @hommealone - It can still be used to accomplish things like checking for spoofed addressing and similar. See here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide but basically like you say in your original email that you can still use it to accomplish things like quarantine on failure, set rules for pass/fail, etc. without the reporting aspects. – TheCleaner Mar 28 '22 at 20:56