DMARC's meaning is Domain-based Message Authentication Reporting and Conformance
What's the purpose of DMARC ?
DMARC's purpose is to tell the world how to correctly identify your emails, and how to handle the unauthorized use of your domain in incoming e-mails. More precisely, it instructs receiving e-mail servers what to do with an e-mail alledgedly coming from your domains when either SPF or DKIM or both fail. It is also a tool for sending domains to exercise Reputation Monitoring and identify sources of spoofing for example to tackle BEC (Business E-Mail Compromise).
What are the benefits of DMARC for the e-mail I send ?
Receiving e-mail systems that honour DMARC will quickly identify your e-mails sent through Planisys as legit, improve your deliverability and Inbox landing, lowering the risk of somebody else stealing your identity.
What are the benefits of DMARC for the e-mails I receive ?
If you use AVAS SEG you will feel more comfortable knowing that you receive e-mail from authenticated sources in your Inbox, and dubious e-mails will be placed either in the Spam folder or directly in the Quarantine if they look very suspicious. DMARC at AVAS-SEG will protect you from scammers, phishing, Business e-Mail Compromise, sites sending Malware or Ransomware, etc.
How can someone send e-mail under my name ?
E-mails are nothing but text files transmitted from one end to another that intend to be messages. They consist of a head and a body. Within the head there are two headers: Return-Path and From to identify the sender. A malicious sender could use an e-mail address of his own in the Return-Path , and your e-mail address in the From. The receiver will see at a glance only the From header content (that is, your e-mail address), and will most likely oversee the Return-Path (the malicious sender).
How can I enable a third party like Planisys to send legit e-mails in behalf of my domain ?
Planisys enforces the use of DMARC by letting you create a sub-domain, e.g. like sub1.domain.com, relate it through a CNAME DNS record to our bounce processor and SPF policies, and specifying DMARC alignment via subdomain. This way we use your subdomain in the Return-Path and your e-mail in the From, which are DMARC-aligned. We at Planisys configure in the DNS all these into your domain. We typically ask our customers to configure the following CNAME record for bounce processing: nl.domain.com. IN CNAME bounces.planisys.net.
Do technologies like SPF, DKIM and DMARC prevent this abuse ?
Only DMARC prevents this kind of abuse of the From header. SPF and DKIM relate to the Return-Path and do not address this problem.
How does DMARC relate to SPF and DKIM ?
DMARC requires that the domain used in the e-mail address of the Return-Path and the domain used in the DKIM-Signature header are related.
How do I check if my SPF,DKIM and DMARC settings are correct ?
Planisys has a free tool to check these settings, please click here to access check_domain
How do others become aware of my domain policies ?
By publishing a DNS (Domain Name System) record of type TXT called _dmarc.domain.com
A typical record would be: "v=DMARC1; p=reject; rua=mailto:dmarcrua@bounces.planisys.net; ruf=mailto:dmarcruf@bounces.planisys.net; fo=1; aspf=r; pct=100; rf=afrf; ri=86400"
The rua and ruf parameters tell receiving e-mail servers where to send Aggregate Reports and Forensic Reports
The rf parameter specifies afrf which stands for Authentication Failure Reporting Format
The fo parameter with a value of 1 specifies that a report should be sent if either SPF or DKIM checks do not pass.
The pct parameter with a value of 100 specifies that the policy should be applied to 100% of your e-mail
The aspf parameter with a value of r (Relaxed instead of s meaning Strict) treats SPF alignment of subdomains and permits the use of CNAME records in the return-path domains
What is SPF ?
SPF stands for Sender Policy Framework. It is a DNS record of type TXT that indicates which IP addresses are authorized to send e-mail in behalf of a specific domain. It affects the so-called Return-Path or envelope e-mail address of an e-mail. The Return-Path is also referred to as the Envelope e-mail address and might differ from the e-mail address that the users sees in the From: which is the one usually shown by e-mail clients. Most e-mail client will not show the Envelope unless you request to view Full Headers.
What SPF settings do I need if my domain sends part or all mail through Planisys ?
If you have your mail sent through more than one provider and Planisys is one of them, make sure to have include:spf.planisys.net in your SPF record. If, one the other hand ALL of your e-mail is being sent by Planisys relays, make sure that your SPF record is exactly this one: v=spf1 include:spf.planisys.net -all
What is DKIM ?
DKIM stands for DomainKeys Identified Mail. It is a DNS record of type TXT that publishes a public-key that is used to verify an inbound e-mail against a signature that has been placed when the e-mail originated by signing it with the corresponding private key (that only the sender knows).
What DKIM settings for the email being sent by Planisys ?
If you have your mail sent through more than one provider and Planisys is one of them, make sure to have different selectors in order to identify different sources of e-mail. The default for Planisys, altough it can be overriden through AVAS and MTMail settings is the following record:
selector1._domainkey.domain.com. IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7ntU5qfHkSQOz1aKv2uT3oTFA1/h0v2dNTSBpEO1AUJNhiwNa07yqwwKnmzTHCVULhIHqIbN8xw3RLDMOhhUsSywONfrSX+7wg9KLdZlR3tkkQa7weRtwrPag++nOtjSvGpoX+GFuCHh/HpxxYctOE/sQGw0vJTOmz3XWskUm5QIDAQAB"
The string after p= is a base64 RSA encoded Public Key whose correspondent Private Key is secretly held by Planisys to sign outbound emails of your domain.
If you want to make things easier and avoid copy-pasting this large key, you can opt for a simplified equivalent DNS setting: selector1._domainkey.domain.com. IN CNAME selector1._domainkey.planisys.net.
What's a domain policy inside DMARC ?
You instruct the world what to do when they have to handle unauthorized e-mail claiming to originate in your domain, through these three possible policies regarding the From header of e-mails:
p=none: Do nothing, just monitor the traffic
p=quarantine: Send unauthorized e-mail to Spam or Junk folder
p=reject: Reject unauthorized e-mail
Does Planisys' AVAS SEG protect me from bad domains failing DMARC ?
The answer is yes but you have to turn on aggressive mode and MTA Spam-Level=High. You have to choose whether you want AVAS SEG to honour DMARC or not, as you might be interchanging commercially important e-mails with organizations that have poorly configured e-mail systems and you wouldn't want to miss them. If, on the other hand you want to be well protected from phishing, you should definitely make AVAS SEG honour DMARC to detect unauthorized e-mails from other domains.
Do all e-mail systems handle unauthorized e-mail from my domain according to published DMARC ?
The answer is unfortunately no. Not every e-mail system in the world is going to comply with DMARC, but major e-mail providers like G-Suite, and Yahoo will. Office365 is regrettably among the providers that will let non-DMARC compliant e-mails get through.Planisys complies with DMARC.