DNS Tools: How to add a DMARC-record

Step 1:

With DMARC, you can make recommendations on how a recipient server should handle an email in the event of SPF and DKIM violations. You also have the option of being informed in the event of violations.

The DNS entries for SPF and DKIM for use with our mail server are created by default.

If you send your emails via external mail servers, adapt the standard SPF to your requirements beforehand and store the public DKIM key of the external mail server.

Please follow these instructions first:

SPF
DKIM (in case of using an external email server)

Step 2:

The following DMARC entry is set by default:

v=DMARC1; p=none;

This means that no action is taken in the event of a violation.

These instructions describe how you can adjust the default DMARC entry or create a new entry if it does not exist.

Step 3:

Log in to your KAS (Technical Administration) and click the menu item Tools -> DNS Settings.

Step 4:

Edit the domain for which you want to make DNS changes.

Step 5:

Click on Edit for the existing DMARC entry.

Step 6:

If no DMARC entry is available, click on Add a new DNS record.

Step 7:

The Name is always "_dmarc". The DNS record Type for DMARC is "TXT". A Priority doesn't exist. The record in the Data/Value field can look like this for instance:

v=DMARC1; p=reject; rua=mailto:mail@ihre-domain.de; ruf=mailto:mail@ihre-domain.de; adkim=s; aspf=r

Parameter and value must be stated with an equality sign (=) without spaces in between and must be closed by semicolon (;).

required parameters:

v = indicates the DMARC version, must include the value "DMARC1" and needs to be placed at first position

p = indicates the rule for the domain of how the recipient server should handle the email in case of violations against SPF and DKIM, the following values are possible:

none - no measures
quarantine - the affected email should be handled as suspicious and will get marked or moved to the spam folder
reject - the affected email should be declined

optional parameters:

sp = indicates the rule for the subdomains

pct = indicates the number of email messages in percentage terms for which the DMARC rule should be applied, default is 100%

rua = indicates the list of email addresses (comma separated) to which the overall report should be sent

ri = indicates the max. interval in seconds between the sending of each overall report, default is "86400" seconds = 24 hours

ruf = indicates the list of email addresses (comma separated) to which a detailed report about the email messages should be sent that have failed the DMARC score

rf = indicates the format for detailed reports, default is "afrf" which is currently the only supported format

fo = indicates options for the detailed report, options are "0", "1", "d" and "s", multiple options are separated by colon, e.g. "fo=0:s", default is "fo=0"

fo=0 - generates a report in case of a violation against SPF and DKIM
fo=1 - generates a report in case of a violation against SPF or DKIM
fo=d - generates a report in case of a violation against DKIM
fo=s - generates a report in case of a violation against SPF

adkim = alignment mode DKIM, default is "r"

s (strict mode) - the domain in the DKIM signature and the domain which is stated as FROM in the email's header must be equal
r (relaxed mode) - a subdomain is also allowed

aspf = alignment mode SPF, default is "r"

s (strict mode) - the domain which is stated as FROM in the email's header and the domain which is stated in the so-called SMTP envelope must be equal
r (relaxed mode) - a subdomain is also allowed


additional notice on "rua" and "ruf":

If the email addresses to which the reports are sent to belong to another domain, then the other domain requires a DNS record for verification purposes.

If the DMARC record is valid for the domain example.com for instance and the email addresses belong to your-domain.net, then the following DNS record must be determined for your-domain.net:

example.com._report._dmarc.your-domain.net TXT "v=DMARC1"