Manage DMARC records
This guide explains how to implement a DMARC policy for your email hosted by Infomaniak, an essential element for preventing potential email delivery issues.
Preamble
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a crucial tool for enhancing email security and protecting your domain against fraud by verifying the authenticity of outgoing emails (through authentication mechanisms such as SPF and DKIM) and allowing you to define policies for handling unauthenticated emails.
- DMARC tells other email providers what to do with an email whose SPF or DKIM authentication is missing or fails.
- To do this, domain owners can define DMARC policies, such as "reject", "quarantine" or "none", to specify how these "suspicious" emails should be handled. Example:
- An email is sent from anna@domain.xyz to victor@yahoogle.abc.
- The Mail Service of domain.xyz contains a DMARC configuration of type reject at 100%.
- The Mail Service of yahoogle.abc is well secured and proceeds with the SPF/DKIM/DMARC analysis of the email arriving from domain.xyz.
- If this analysis results in a failure of SPF or DKIM, then the Mail Service of yahoogle.abc will reject (i.e., delete) the message.
- It will send a report by email if a report address is specified in the DMARC of domain.xyz.
- The DMARC reports generated in this way help you maintain and improve the security of your domain: they let you identify authentication errors and phishing attempts that use your domain.
DMARC Policy and Acceptance Percentage
For the instructions that can be given to recipient servers when a suspicious message is detected, 3 policies (p = policy) exist and can be refined with a percentage (pct):
none
With "p=none", no email is rejected or quarantined based on DMARC verification. However, the pct percentage can be used to collect data on unauthenticated emails, indicating how many of these emails should be subject to the DMARC policy. For example, "p=none; pct=10" means that 10% of unauthenticated emails will be subject to the DMARC policy, while the remaining 90% will be accepted.
quarantine
With "p=quarantine", unauthenticated emails can be quarantined, but the pct percentage determines the proportion actually subject to this policy. For example, "p=quarantine; pct=50" means that 50% of unauthenticated emails will be quarantined, while the remaining 50% will be accepted.
reject
With "p=reject", unauthenticated emails are rejected. The pct percentage determines the proportion of unauthenticated emails that will actually be rejected. For example, "p=reject; pct=20" means that 20% of unauthenticated emails will be rejected, while the remaining 80% will be accepted.
Create a DMARC Record
There are 2 ways to manage DMARC.
If you have a Mail Service with Infomaniak, the simplest way is to go to the Global Security tool to manage your DMARC security policy and reports:
However, since the DMARC record is a type of DNS record, generally of type TXT, you can also manage it from the DNS zone of the domain name:
- Click here to access the management of your product on the Infomaniak Manager (need help?).
- Click directly on the name assigned to the product concerned.
- Click on DNS Zone in the left sidebar.
- Click the button to add a record:
- Click on the radio button DMARC to add a record.
- Click on the button Next:
- Leave (or add if necessary) the value _dmarc in the Source field. The Target field must contain the parameters (tags) you wish to use, separated by ";":
  - v: protocol version, e.g. v=DMARC1
  - pct: percentage of messages subject to filtering, e.g. pct=20
  - ruf: report URI for forensic reports, e.g. ruf=mailto:authfail@domain.xyz
  - rua: report URI for aggregated reports, e.g. rua=mailto:aggrep@domain.xyz
  - p: policy for the organizational domain, e.g. p=quarantine
  - sp: policy for subdomains of the organizational domain, e.g. sp=reject
  - adkim: DKIM alignment mode, e.g. adkim=s
  - aspf: SPF alignment mode, e.g. aspf=r
  which can give, for example:
  v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com
- Leave the default value for TTL.
- Click on the button Save:
Any DNS addition/modification can take up to 48 hours to propagate.
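As an added check (example code written for this guide, not Infomaniak's own tool), the following Python snippet validates the Target value built in the steps above before it is saved: it flags a record that does not start with v=DMARC1, an unknown p or sp policy, a pct outside 0..100, a bad adkim/aspf mode, and a rua/ruf URI that is not a mailto: address.

```python
# Added example (not Infomaniak's code): sanity-check a DMARC TXT record string
# such as the one entered in the Target field above, before saving it.
import re

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENTS = {"r", "s"}
MAILTO = re.compile(r"^mailto:[^@\s,]+@[^@\s,]+$")


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value;tag=value' string into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag (no '='): {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        tags[name] = value
    return tags


def check_dmarc(record: str) -> list:
    """Return the problems found; an empty list means the record is well-formed."""
    problems = []
    tags = parse_dmarc(record)
    # v=DMARC1 is mandatory and must be the first tag.
    if record.strip().split(";")[0].strip() != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    # p is mandatory and limited to the three policies described above.
    if tags.get("p") not in POLICIES:
        problems.append("p must be one of none, quarantine, reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp must be one of none, quarantine, reject")
    # pct is optional (default 100) but must be an integer from 0 to 100.
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer between 0 and 100")
    # adkim/aspf take r (relaxed) or s (strict).
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENTS:
            problems.append(f"{tag} must be r or s")
    # rua/ruf hold one or more comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not MAILTO.match(uri.strip()):
                problems.append(f"{tag} contains a non-mailto URI: {uri.strip()!r}")
    return problems
```

Run check_dmarc() on the exact string you intend to paste into the Target field; an empty result means the record is syntactically sound, not that SPF and DKIM are correctly configured for your senders.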