DMARC

By on

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a greatest advance in email authentication. DMARC can help you monitor fraudulent or spoofing emails from untrusted sources, or even block these spam before it reaches the inbox (spam box).

Postmark provides a DMARC analytics service which will send you a weekly report digest about emails sending from your domain.

After setting up DMARC record, you can use the following command to verify your record:

$ dig +short _dmarc.sparanoid.com txt

Then you can send fake emails to test if your DMARC record works:

Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 12.34.56.78 as permitted sender) [email protected];
       dmarc=fail (p=NONE dis=NONE) header.from=sparanoid.com

When you set p=quarantine in your DMARC record your fake emails would be marked as spam:

Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 12.34.56.78 as permitted sender) [email protected];
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=sparanoid.com

And you will get the following warning in Gmail web app:

Why is this message in Spam? It has a from address in sparanoid.com but has failed sparanoid.com’s required tests for authentication.

You can also set p=reject to delete the message even before it reaches the user’s inbox. All emails fail the DMARC authentication will be rejected and never reach the inbox or spam box.

If everything goes well you should get the all-pass result, a test email sent from Postmark:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 12.34.56.78 as permitted sender) [email protected];
       dkim=pass [email protected];
       dmarc=pass (p=QUARANTINE dis=NONE) header.from=sparanoid.com

You can read more information about DMARC at dmarc.org.