MDaemon 14.5.x - How to enable DMARC and configure records
DMARC defines a scalable mechanism by which a mail sending organization can express, using the Domain Name System, domain level policies and preferences for message validation, disposition, and reporting, and a mail receiving organization can use those policies and preferences to improve mail handling. The DMARC specification and full details about what it does and how it works can be found here: www.dmarc.org.
Creating the DMARC Record
The DMARC record is a DNS TXT record entered into DNS.
- If the primary domain name is domain.com the Host name of the TXT record will be _dmarc.domain.com
The TXT value of the record contains the policy type and optional reporting features.
- For a detailed description of the policy of the TXT record format, please click the link below.
DMARC Record Format
Follow the steps below to review DMARC verification settings and choose options in regards to DMARC handling and reporting.
- Select Security
- Select Security Settings
- Expand Sender Authentication
- Select DMARC Verification
- The following DMARC settings are enabled by default;
- Enable DMARC verification and reporting
- Don't verify messages from authenticated sessions
- Don't verify messages from trusted IP
- Cache DMARC records
The cached records and white list buttons are also listed here.
- When verifying DMARC records for incoming mail, the following options are available.
- Honor p=reject when DMARC produces a 'FAIL' result will end SMTP sessions when DMARC verification fails for incoming messages.
- Filter messages which fail the DMARC test into Junk E-Mail folders will route all messages that fail DMARC verification to the user's Junk Email folder.
- When this is enabled, MDaemon will ask if it should create a IMAP filter rule for all users to route DMARC failed messages to the Junk Email folder.
NOTE** If Honor p=reject when DMARC produces a 'FAIL' result is selected as well, messages will not be routed to the junk email folder as the sessions are terminated at the SMTP session.
- Select DMARC Reporting
- Check Send DMARC aggregate reports to enable the sending of DMARC aggregate reports to domains that request them.
- With this option enabled, the MDaemon server will send aggregate reports to the address defined in the rua= entry of the public DMARC record of the sending domain.
- Select Send DMARC failure reports (reports are sent as incidents occur) to have MDaemon submit failure reports to domains which contain the ruf= entry in the sender's public DMARC record.
- The DMARC Report Meta-Datacontains the following information given when submitting these reports. These can be modified as needed.
- Organization Name
- Contact email
- Contact information
- Report return-path
- Select DMARC Options to view the various options that can be enabled regarding DMARC logging and reporting.
- DKIM canonicalized headers are included in DMARC failure reports
This includes DKIM headers of the failed message in the DMARC failure report to the domain that requested it
- DKIM canonicalized body is included in DMARC failure reports
This includes the body of the failed message in the DMARC failure report to the domain that requested it.
NOTE** The above options are useful for debugging, however, they do reveal email content when sending failure reports.
- Replace Reserved IPs in DMARC reports with 'X.X.X.X' is enabled by default to conceal reserved IPs in DMARC reports.
- Include full DMARC records in log file is enabled by default to include DMARC queries in the log file.
- Automatically update public suffix file if it's older than this many days is enabled by default and set to 15 days.
- The public suffix file is the record MDaemon will download to use with DMARC.
- The default file MDaemon uses is located at http://publicsuffix.org/list/effective_tld_names.dat
- Select Update public suffix file now to have MDaemon update the suffix file in the URL specified.