DMARC: Domain-based Message Authentication, Reporting and Conformance
Configuring DMARC for a given domain requires only a DNS entry for that domain, containing machine-readable instructions that tell any message recipient how to authenticate an incoming message claiming to be from that domain. The server receiving a message can check the "from" domain's DNS for a DMARC record. If one is found, the receiver checks whether the message passes SPF or DKIM with a domain aligned to the "from" address, and applies the record's requested policy (the "p" tag) to messages that do not.
The DMARC DNS entry for a given domain is a TXT record at a "_DMARC" subdomain (_DMARC.<domain>). The contents of the record are described starting in section 6.3 of RFC 7489.
|Tag|Required|Value|Description|
|---|---|---|---|
|adkim|n|r (relaxed) or s (strict); default r|how closely to check DKIM configuration ("alignment")|
|aspf|n|r (relaxed) or s (strict); default r|how closely to check SPF configuration ("alignment")|
|fo|n|0, 1, d, s (colon-separated); default 0|failure [reporting] options|
|p|y|none, quarantine, or reject|Requested Mail Receiver policy|
|pct|n|integer 0-100; default 100|% of domain's messages subject to policy|
|rf|n|<list of one or more report formats>|Format to be used for message-specific failure reports|
|ri|n|<number of seconds>|maximum interval between aggregate reports; default is 86400|
|rua|n|<one or more email addresses, comma-separated>|addresses (DMARC URIs) to which aggregate reports are to be sent|
|ruf|n|<one or more email addresses, comma-separated>|addresses (DMARC URIs) to which message-specific failure information is to be sent|
|sp|n|(same as p; optional)|Requested Mail Receiver policy for all subdomains; defaults to value of p|
|v|y|DMARC1|Version - identifies the record retrieved as a valid DMARC record. Must be the first tag.|
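The receiver-side check described above and the tag table can be tied together in a small model of what a receiving mail server does: look up _DMARC.<domain> (falling back to the organizational domain), parse the tags with their defaults, test SPF/DKIM alignment under adkim/aspf, and pick p or sp (subject to pct). This is an added example, not code from this page or from any DMARC implementation; the zone data, record and message facts are constructed, and organizational_domain() is a crude stand-in for the Public Suffix List lookup a real receiver performs.

```python
"""Discover, parse and apply a DMARC record the way a receiving MTA does.

Added example (not the page's or any project's code). Tag syntax and
defaults follow RFC 7489 section 6.3, record discovery section 6.6.3,
alignment section 3.1. ZONE and the messages in demo() are constructed.
"""

DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100",
            "rf": "afrf", "ri": "86400"}
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return a dict of tag -> value with RFC defaults filled in.

    Raises ValueError when the record is unusable: 'v=DMARC1' must be the
    first tag and 'p' must be present and valid. Unknown tags are kept,
    since a receiver ignores them rather than rejecting the record.
    """
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';'
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(pairs)
    if tags.get("p") not in POLICIES:
        raise ValueError("p tag missing or invalid")
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer 0..100")
    return tags


def organizational_domain(domain):
    """Crude stand-in: keep the last two labels. Real receivers use the
    Public Suffix List, which this shortcut gets wrong for example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def discover(from_domain, txt_lookup):
    """Find the record for the RFC5322.From domain (RFC 7489 section 6.6.3).

    txt_lookup(name) must return the list of TXT strings at that name.
    Tries _dmarc.<from domain>, then _dmarc.<organizational domain>.
    Returns (domain the record was found at, parsed tags), or None.
    """
    candidates = [from_domain]
    org = organizational_domain(from_domain)
    if org != from_domain:
        candidates.append(org)
    for domain in candidates:
        records = [t for t in txt_lookup("_dmarc." + domain)
                   if t.strip().lower().startswith("v=dmarc1")]
        if len(records) == 1:  # zero: fall through; several: unusable
            return domain, parse_dmarc(records[0])
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed)
    accepts any domain sharing the organizational domain."""
    if auth_domain is None:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate(record_domain, tags, from_domain, dkim_domain=None, spf_domain=None, roll=0):
    """Return (dmarc_pass, policy the receiver should apply).

    dkim_domain: d= of a DKIM signature that verified, else None.
    spf_domain:  domain for which SPF returned 'pass', else None.
    roll: 0..99 drawn by the receiver for pct sampling; messages outside
    the sampled share get the next weaker policy (section 6.6.4).
    """
    if aligned(from_domain, dkim_domain, tags["adkim"]) or \
       aligned(from_domain, spf_domain, tags["aspf"]):
        return True, "none"
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    if roll >= int(tags["pct"]) and policy != "none":
        policy = POLICIES[POLICIES.index(policy) - 1]
    return False, policy


# Constructed zone: only example.com publishes a record, so subdomain
# senders are covered through the organizational-domain fallback.
ZONE = {"_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; adkim=s; "
                               "pct=100; rua=mailto:dmarc-agg@example.com"]}


def fake_lookup(name):
    return ZONE.get(name, [])


def demo():
    """Three constructed messages; returns their (pass, policy) results."""
    found, tags = discover("example.com", fake_lookup)
    sub_found, sub_tags = discover("news.example.com", fake_lookup)
    return [
        # adkim=s rejects the subdomain DKIM d=, but relaxed SPF alignment passes
        evaluate(found, tags, "example.com", dkim_domain="mail.example.com", spf_domain="example.com"),
        # nothing aligned: the domain's own p= applies
        evaluate(found, tags, "example.com", dkim_domain="mail.example.com"),
        # subdomain sender with the record inherited from example.com: sp= applies
        evaluate(sub_found, sub_tags, "news.example.com"),
    ]
```

demo() returns [(True, 'none'), (False, 'reject'), (False, 'quarantine')]; the second case shows why adkim=s matters (a signature from mail.example.com no longer counts for mail from example.com), and the third shows sp= taking over for a subdomain that publishes no record of its own.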
documentation in progress
It appears that some large email services (such as GMail) may reject messages if DMARC is not configured in a way they deem suitable; as far as I know, this is not officially documented anywhere (security by obscurity), and proper configuration can only be determined by experimentation.
- 2014-04-07 Yahoo breaks every mailing list in the world including the IETF's: a problem with how DMARC is designed