DMARC is a mechanism that tells the receiving mail server how to treat mail messages that fail SPF and/or DKIM checks.
Here’s how it works:
1. The domain owner creates a DMARC DNS record that defines the DMARC policy for the domain. This record allows you to set the following parameters:
• Policy (p) – What to do with messages that fail DKIM/SPF checks, with possible values of none, quarantine, and reject.
• Subdomain policy (sp) – Same as the policy, but applies to mail subdomains.
• Percent of emails to apply this policy to (pct) – Possible values: 0-100.
• Email for aggregate reports (rua) – An email address that will receive aggregate DMARC feedback. These reports are designed to provide domain owners with precise insight into authentication results, corrective actions that need to be taken by domain owners, and the effect of the domain owner’s DMARC policy on email streams processed by mail receivers.
• Email for forensic reports (ruf) – An email address that will receive redacted copies of individual emails that failed SPF, DKIM, or both checks.
• DKIM/SPF matching (adkim, aspf) – Allows you to set either relaxed (r) or strict (s) matching between the domain in the From: header and the domains in the Received-SPF: and Authentication-Results: headers.
For example:
_dmarc.domain.com TXT "v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]"
2. When another mail server receives a message from someone at domain.com, it passes through SPF and DKIM checks first. Then, if the server supports DMARC enforcement for incoming messages, the mail server compares the domain name from the From: header with the domain from the Received-SPF: and Authentication-Results: headers.
3. If either check fails, the receiving mail server will enforce the policy defined in domain.com’s DMARC record.
In Plesk Onyx, the default DMARC policy is defined in the server’s DNS template (Tools & Settings > DNS Template) as follows:
Domain owners can re-define the DMARC policy for their domains by editing this record in their DNS zone.
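To check a record before or after editing it in the DNS zone, the following added example (not part of the original article and not Plesk code) parses the tags described above, applies the RFC 7489 defaults, and lists settings that leave the policy unenforced or unmonitored. The function names and the sample records are constructed for illustration.

```python
# Added example: parse and audit a DMARC TXT record value (names are illustrative).
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # defaults from RFC 7489
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # policy strictness order

def parse_dmarc(txt):
    """Return the record's tags with defaults applied; ValueError if malformed."""
    tags = {}
    for part in filter(str.strip, txt.strip().strip('"').split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without a value: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    rec = {**DEFAULTS, **tags}
    rec["p"] = rec.get("p", "").lower()
    rec["sp"] = rec.get("sp", rec["p"]).lower()  # sp falls back to p when absent
    for tag in ("p", "sp"):
        if rec[tag] not in STRENGTH:
            raise ValueError(f"{tag} must be none, quarantine or reject")
    if not rec["pct"].isdecimal() or not 0 <= int(rec["pct"]) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if rec[tag] not in ("r", "s"):
            raise ValueError(f"{tag} must be r (relaxed) or s (strict)")
    return rec

def audit_dmarc(txt):
    """Return a list of findings that weaken the policy or hide its effect."""
    rec = parse_dmarc(txt)
    findings = []
    if rec["p"] == "none":
        findings.append("p=none: monitoring only, no action requested on failures")
    if STRENGTH[rec["sp"]] < STRENGTH[rec["p"]]:
        findings.append(f"sp={rec['sp']} is weaker than p={rec['p']}")
    if int(rec["pct"]) < 100:
        findings.append(f"pct={rec['pct']}: policy covers only part of failing mail")
    if "rua" not in rec:
        findings.append("no rua: no aggregate reports will be received")
    return findings

# Constructed sample records (not taken from a real zone).
SAMPLES = {
    "enforced": "v=DMARC1;p=quarantine;pct=100;rua=mailto:dmarc@example.com",
    "monitor": "v=DMARC1; p=none; sp=none",
    "partial": "v=DMARC1; p=reject; sp=none; pct=25; rua=mailto:dmarc@example.com",
}
if __name__ == "__main__":
    print({label: audit_dmarc(record) for label, record in SAMPLES.items()})
```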