This guide explains how to set up a DMARC policy for your email hosted by Infomaniak, an essential element to prevent potential delivery issues.

Preamble

• The DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocol enhances the security of your domain by relying on SPF and DKIM checks.
• It instructs recipient servers on how to handle emails that fail these authenticity tests, with three protection policies (None, Quarantine, Reject) detailed below.
• In case of authentication failure, the recipient can send you a DMARC report; this data is essential to identify configuration errors or stop phishing attempts using your domain name.

DMARC Policy and Acceptance Percentage

For the instructions that can be given to recipient servers when a suspicious message is detected, 3 policies (p = policy) exist and can be refined with a percentage (pct):

None (none): The email is delivered normally (observation mode)

With "p=none", no email is rejected or quarantined based on the DMARC verification. However, the reception percentage can be used to collect data on unauthenticated emails, indicating how many of these emails should be subject to the DMARC policy. E.g., "p=none; pct=10" means that 10% of unauthenticated emails will be subject to the DMARC policy, while the remaining 90% will be accepted.

Quarantine (quarantine): The email is sent to spam

With "p=quarantine", unauthenticated emails can be quarantined, but the reception percentage determines the proportion actually subject to this policy. E.g., "p=quarantine; pct=50" means that 50% of unauthenticated emails will be quarantined, while the remaining 50% will be accepted.

Reject (reject): The email is purely and simply blocked/deleted

With "p=reject", unauthenticated emails are rejected. The reception percentage determines the proportion of unauthenticated emails that will actually be rejected. For example, "p=reject; pct=20" means that 20% of unauthenticated emails will be rejected, while the remaining 80% will be accepted.

Create a DMARC Record

There are 2 ways to manage DMARC.

If you have a Mail Service with Infomaniak, the simplest way is to go to the Global Security tool to manage your DMARC security policy and reports:

However, since the DMARC record is a type of DNS record, usually of type TXT, you can also manage it from the DNS zone of the domain name:

1. Click here to access the management of your domain on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the domain in question.
3. Click on DNS Zone in the left sidebar menu.
4. Click the button to add a record:
   
5. Click the radio button DMARC to add a record.
6. Click the Next button:
   
7. Leave (or add if necessary) the value _dmarc in the Source field.

8. The Target field must contain the parameters you wish to use, separated by ;:

   Tag Name	Purpose	Example
   v	Protocol version	v=DMARC1
   pct	Percentage of messages subjected to filtering	pct=20
   ruf	URI for forensic reports	ruf=mailto:authfail@domain.xyz
   rua	URI for aggregate reports	rua=mailto:aggrep@domain.xyz
   p	Policy for the organizational domain	p=quarantine
   sp	Policy for the subdomains of the organizational domain	sp=reject
   adkim	DKIM alignment mode	adkim=s
   aspf	SPF alignment mode	aspf=r

   which can result in, for example, v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com (source)

9. Leave the default value for the TTL.
10. Click the Save button: