In this article, we explain what DMARC is, how it helps to protect you against email impersonation fraud and how you enable it on your domain hosted with one.com.
- What is DMARC?
- How does DMARC help?
- DMARC policies
- DMARC email reports
- Create a DMARC record on your domain
What is DMARC?
DMARC is a validation system that - in combination with SPF and DKIM - helps to prevent email impersonation fraud or spoofing. SPF and DKIM are methods to authenticate an email by checking how it was sent and by whom. DMARC then determines what to do with an email that can't be authenticated.
- SPF verifies if an email was sent using approved servers.
- DKIM adds a digital signature to emails, allowing receiving mail servers to verify the email.
- DMARC sets a policy on what to do with emails that fail SPF or DKIM checks.
For DMARC to be useful, you need to have DKIM and SPF enabled for your domain. DKIM is enabled by default for emails using our servers, and you can check our guide on how to enable SPF.
How does DMARC help?
DMARC helps to protect your domain from being used to send phishing and spoofing emails, effectively blocking others from impersonating you or your company.
In combination with SPF and DKIM, DMARC also shows email providers that you are trustworthy and not a scammer. This improves overall deliverability, which can be very useful when sending, for example, newsletters.
Note: DMARC only has effect when sending email. It doesn't affect the spam emails you receive in your own inbox. However, if all email accounts implement these validation methods, in theory, spoofing would no longer be possible.
DMARC policies
When you create the DMARC record, you need to choose a policy to determine what happens with emails that fail the DMARC check:
- none: used for monitoring and gathering results without taking action; emails are delivered as usual.
- quarantine: messages that fail the DMARC check are moved to a spam folder or something similar.
- reject: email messages that fail the DMARC check are not delivered at all.
The normal process when selecting policies is to start with "none", then "quarantine", and finally "reject". That way, you can first monitor what emails are sent from your domain, then quarantine to test the effect and finally reject all emails that can't be authenticated.
If you want to follow this procedure, we strongly recommend using an external (paid) service to help you analyse the reports, such as Dmarcian, EasyDMARC, or DMARCLY.
If you just want to enable DMARC, we recommend selecting "quarantine". This delivers unauthenticated emails to the spam folder or marks them as suspicious.
Note: Please be aware that the .ch domain does not allow the DMARC policy to be set to "none".
DMARC email reports
When you create a DMARC record, you also need to enter an email address to receive reports. The reports contain an overview in XML of all email traffic from your domain and which emails fail the DMARC check.
There are two types of reports:
- RUA reports are sent daily and contain an overview of all emails sent from your domain, including IP addresses.
- RUF reports are only sent if an email fails the DMARC check. They contain the original message and message header of the email that failed.
We recommend creating an email account on your domain and using this to receive reports. It's also recommended to get both the RUA and RUF reports.
Note: Not all email providers adhere to DMARC policies, so it's possible that not all emails you send are listed.
Create a DMARC record on your domain
- Log in to the one.com Control Panel.
- Click DNS settings on the Advanced settings tile.
- Go to DNS records.
- Under Create new record, click TXT.
- Enter the following details:
  - Under hostname enter _dmarc
  - Under Value enter the text below while adding your own policy and email address:
    v=DMARC1; p=policy name; rua=mailto:an-email-address; ruf=mailto:an-email-address
  - Leave TTL empty to default to 3600 seconds.
- Click Create record to save your settings.
- Wait a few minutes and check if your record is set up correctly with a DMARC record checker.
Example:
In this example we're setting up DMARC on the domain one-example.com. We've chosen quarantine as the policy and entered dmarc-reports@one-example.com as the email address where RUA and RUF reports will be sent.
Remember to use your own email address and policy when creating the record.
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@one-example.com; ruf=mailto:dmarc-reports@one-example.com
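The record value can be checked locally before you save it. The Python linter below is an added example, not one.com's code: the names parse_dmarc and lint_dmarc are hypothetical, and the external-receiver check comes from RFC 7489 section 7.1, which applies when reports go to an address outside your own domain (for example an analysis service).

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,]+@([^@\s,!]+)(![0-9]+[kmgt]?)?", re.I)

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag:
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt, domain):
    """Return a list of problems for the record published at _dmarc.<domain>."""
    domain = domain.lower().rstrip(".")
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    problems = []
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append(f"p= must be none, quarantine or reject, got {policy!r}")
    elif policy == "none" and domain.endswith(".ch"):
        # Restriction stated in this article's note on .ch domains.
        problems.append("p=none is not allowed on .ch domains")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            match = MAILTO.fullmatch(uri)
            if not match:
                problems.append(f"{tag}= is not a mailto: address: {uri!r}")
                continue
            host = match.group(1).lower()
            if host != domain and not host.endswith("." + domain):
                # RFC 7489 section 7.1: an external report receiver must opt in with
                # a TXT record "v=DMARC1" at this name, or receivers ignore the address.
                problems.append(f"{tag}= external receiver must publish "
                                f"{domain}._report._dmarc.{host}")
    return problems

# Sample input: the example record from this article.
EXAMPLE = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@one-example.com; "
           "ruf=mailto:dmarc-reports@one-example.com")

if __name__ == "__main__":
    for problem in lint_dmarc(EXAMPLE, "one-example.com") or ["no problems found"]:
        print(problem)
```

Pasting the template unchanged (with "policy name" and "an-email-address" still in it) produces three problems, which is the most common mistake this catches.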