DMARC is a technology which enables a domain owner to
- receive information about how well that domain's messages are authenticating when received by DMARC participants such as Google, Yahoo, Netease, Mail.Ru, Comcast, and others
- see which messages, legitimate or fraudulent, are being sent using the domain in the From: header
- publish a policy requesting what those DMARC participants do with messages failing authentication via SPF or DKIM
To receive any of this feedback, you must publish a DMARC record. This is a single additional TXT entry in DNS for your domain, stating the policy and reporting addresses you want.
An example of the most basic entry required to work properly with Agari:
_dmarc.mydomain.com TXT "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1;"
The important components here:
- the DNS entry location
- the DNS entry type
- the policy you are requesting that ISPs apply to messages which they detect fail DMARC. To start with, the example is set to 'none', meaning no action is taken on any message
- the address to which the DMARC reporter (Google/Comcast/Yahoo/etc) sends daily aggregate data in XML format
- the address to which the DMARC reporter sends forensic data, to help you diagnose what is wrong with the authentication, or to see what the fraudulent message looks like. This is usually just a few headers, sometimes any URLs which the message body contained, and occasionally the full message body
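As an added example (not Agari's code), the following Python parses a DMARC TXT record like the one above into its tags, extracts the rua/ruf report addresses, and reports the problems a reporter would trip over: a missing or invalid v= or p= tag, a missing report address, or an unknown fo= option. The tag names and accepted values are those defined by DMARC itself; the sample records are constructed.

```python
# Added example, not part of the original page: parse and sanity-check a DMARC record.

VALID_POLICIES = {"none", "quarantine", "reject"}   # accepted p= values
VALID_FO = {"0", "1", "d", "s"}                      # accepted fo= options


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:                       # tolerate the trailing ';'
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def mailto_targets(value):
    """Return the addresses in a comma-separated rua/ruf list of mailto: URIs."""
    addrs = []
    for uri in value.split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            raise ValueError(f"unsupported report URI: {uri!r}")
        # a URI may carry a report size limit after '!', e.g. mailto:a@x.org!10m
        addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs


def check_dmarc(record):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        problems.append("v= tag must be DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p= tag must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        if tag not in tags:
            problems.append(f"no {tag}= address: that kind of report will not be sent")
        else:
            mailto_targets(tags[tag])      # raises on a non-mailto URI
    for flag in tags.get("fo", "0").split(":"):
        if flag not in VALID_FO:
            problems.append(f"unknown fo= option {flag!r}")
    return problems
```

Run `check_dmarc()` on the record you intend to publish before adding it to DNS; an empty result means the reporters named above will find the tags they need.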
The target address specified in the RUA and RUF entries may vary based on your organization name. See the Agari portal's DMARC-builder tool when you log into your account: https://my.agari.com/dmarc_builder/lookup