How do I enable DMARC and configure records?

This article covers how to create the DMARC Record, review verification settings, and configure records.

DMARC defines a scalable mechanism by which a mail-sending organization can use the Domain Name System to express domain-level policies and preferences for message validation, disposition, and reporting, and by which a mail-receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works are available at www.dmarc.org.


Creating the DMARC Record

The DMARC record is a TXT record published in DNS.

  • If the primary domain name is domain.com, the host name of the TXT record will be _dmarc.domain.com.

The TXT value of the record contains the policy type and optional reporting features.

  • For a detailed description of the policy and format of the TXT record, please click the link below.
    DMARC Record Format
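
As an added example (not part of the original article and not MDaemon code), the Python below builds the _dmarc host name and checks a TXT value before it is published, then lists the rua= and ruf= addresses that receiving servers would report to. The sample records and mailbox names are constructed, and the tag rules applied are those of RFC 7489.

```python
# Added example: sanity-check a DMARC TXT value before publishing it.
VALID_POLICIES = {"none", "quarantine", "reject"}

def dmarc_host(domain):
    """Host name of the DMARC TXT record for a domain."""
    return "_dmarc." + domain.strip().rstrip(".").lower()

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict that keeps tag order."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part.strip())
        tags[name.strip().lower()] = value.strip()
    return tags

def _uris(tags, tag):
    return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]

def check_dmarc(txt):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in _uris(tags, tag):
            if not uri.lower().startswith("mailto:"):
                problems.append("%s= entry is not a mailto: URI: %s" % (tag, uri))
    return problems

def report_targets(txt):
    """Addresses a receiver sends aggregate (rua) and failure (ruf) reports to."""
    tags = parse_dmarc(txt)
    return {tag: [u[7:].split("!")[0] for u in _uris(tags, tag)
                  if u.lower().startswith("mailto:")] for tag in ("rua", "ruf")}

# Constructed sample records for the placeholder domain domain.com.
GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@domain.com; ruf=mailto:dmarc-fail@domain.com"
BAD = "p=rejct; v=DMARC1; rua=dmarc@domain.com"
if __name__ == "__main__":
    print(dmarc_host("domain.com"), check_dmarc(GOOD), check_dmarc(BAD), report_targets(GOOD))
```

The BAD record fails three checks: v= is not the first tag, the policy value is misspelled, and the rua= entry lacks the mailto: scheme.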

Follow the steps below to review DMARC verification settings and choose options regarding DMARC handling and reporting.

  1. Select Security
  2. Select Security Settings
  3. Expand Sender Authentication
  4. Select Enable DMARC verification and reporting

  5. The following DMARC settings are enabled by default:
    • Enable DMARC verification and reporting
    • Don't verify messages from authenticated sessions
    • Don't verify messages from trusted IP
    • Cache DMARC records
    The cached records and white list buttons are also listed here.

  6. When verifying DMARC records for incoming mail, the following options are available.
    • Honor p=reject when DMARC produces a 'FAIL' result: ends the SMTP session when DMARC verification fails for an incoming message.

    • Filter messages which fail the DMARC test into Junk E-Mail folders: routes all messages that fail DMARC verification to the user's Junk Email folder.
      • When this is enabled, MDaemon will ask if it should create an IMAP filter rule for all users to route DMARC failed messages to the Junk Email folder.
      NOTE** If Honor p=reject when DMARC produces a 'FAIL' result is also selected, messages will not be routed to the Junk Email folder, because the connection is terminated during the SMTP session.
  7. Select DMARC Reporting
  8. Check Send DMARC aggregate reports to enable the sending of DMARC aggregate reports to domains that request them.
    • With this option enabled, the MDaemon server will send aggregate reports to the address defined in the rua= entry of the public DMARC record of the sending domain.
  9. Select Send DMARC failure reports (reports are sent as incidents occur) to have MDaemon submit failure reports to sending domains whose public DMARC record contains a ruf= entry.

  10. The DMARC Report Meta-Data contains the following information, which is included when these reports are submitted. These values can be modified as needed.
    • Organization Name
    • Contact email
    • Contact information
    • Report return-path

  11. Select DMARC Options to view the various options that can be enabled regarding DMARC logging and reporting.
    • DKIM canonicalized headers are included in DMARC failure reports
      This includes the DKIM headers of the failed message in the DMARC failure report sent to the domain that requested it.

    • DKIM canonicalized body is included in DMARC failure reports
      This includes the body of the failed message in the DMARC failure report sent to the domain that requested it.
    NOTE** The above options are useful for debugging; however, they do reveal email content when sending failure reports.

  12. Replace Reserved IPs in DMARC reports with 'X.X.X.X' is enabled by default to conceal reserved IPs in DMARC reports.

  13. Refuse to accept messages if 'From' is incompatible with DMARC (disabled by default). 
  14. Select Insert 'Precedence: bulk' header into DMARC report emails to have MDaemon add the header in DMARC reports.
  15. Include full DMARC records in log file is enabled by default to include DMARC queries in the log file.

  16. Automatically update public suffix file if it's older than this many days is enabled by default and set to 15 days.
    • The public suffix file is the record MDaemon will download to use with DMARC.
    • The default file MDaemon uses is located at http://publicsuffix.org/list/effective_tld_names.dat
  17. Select Update public suffix file now to have MDaemon update the suffix file from the URL specified.