ADSP Replacement
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is meant to replace Author Domain Signing Practices (ADSP), adding reporting capability. DMARC is not an IETF standard yet!
The DNS TXT resource record for DMARC is:
_dmarc.<domain_name> IN TXT "tag;tag;..."
where tags are
- “adkim=” - alignment mode for DKIM: “s” - for strict (FQDN match for “d=<domain>” and RFC 5322.From) or “r” - for relaxed (Organizational domain match only).
- “aspf=” - alignment mode for SPF: “s” - for strict (FQDN match) or “r” - for relaxed (Organizational domain match).
- “fo=” - failure reporting options:
  - 0 - generates a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned “pass” result.
  - 1 - generates a DMARC failure report if any underlying authentication mechanism produced something other than an aligned “pass” result.
  - d - generates a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment.
  - s - generates an SPF failure report if the message failed SPF evaluation, regardless of its alignment.
- “p=” - requested Mail Receiver policy. Policy applies to the domain queried and to subdomains, unless subdomain policy is explicitly described using the “sp” tag. Possible values are:
  - none - the Domain Owner requests no specific action be taken regarding delivery of messages.
  - quarantine - the Domain Owner wishes to have email that fails the DMARC mechanism check be treated by Mail Receivers as suspicious. Depending on the capabilities of the Mail Receiver, this can mean “place into spam folder”, “scrutinize with additional intensity”, and/or “flag as suspicious”.
  - reject - the Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction.
- “pct=” - percentage of messages from the Domain Owner’s mail stream to which the DMARC policy is to be applied. It is NOT applied to the DMARC-generated reports.
- “rf=” - format to be used for the reports. The default is afrf, described in RFC 6591.
- “ri=<sec>” - requested interval between aggregate reports, in seconds.
- “rua=<comma-separated email_addresses>” - email addresses to which reports are to be sent.
- “ruf=<comma-separated email_addresses>” - email addresses to which message-specific errors are to be reported.
- “sp=” - the same as “p=” but applied to subdomains only. If absent, then “p=” should be applied to all.
- “v=DMARC1” - version.
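
The tag list above can be turned into a record check. The following is an added example, not part of the original page: it parses a TXT value, validates each tag against the values listed above, and resolves the effective subdomain policy. The function names and the sample record are constructed; treating “p=” as mandatory and joining several “fo=” options with “:” are assumptions taken from RFC 7489.

```python
# Added example: check a DMARC TXT value against the tag values listed above.
ALLOWED = {
    "adkim": {"s", "r"}, "aspf": {"s", "r"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
}
FO_OPTIONS = {"0", "1", "d", "s"}
SAMPLE = "v=DMARC1; p=quarantine; adkim=s; fo=1:d; pct=50"  # constructed record

def parse_dmarc(txt):
    """Split 'tag=value;tag=value' into a dict; return (tags, errors)."""
    tags, errors = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            errors.append(f"malformed tag: {part!r}")
        elif name in tags:
            errors.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    return tags, errors

def check_dmarc(txt):
    """Return (tags, errors); tags['sp'] holds the effective subdomain policy."""
    tags, errors = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        errors.append("v=DMARC1 missing")
    if "p" not in tags:  # assumption: RFC 7489 makes p= mandatory
        errors.append("p= missing")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            errors.append(f"{name}= has unknown value {tags[name]!r}")
    # Assumption (RFC 7489 syntax): several fo options are joined with ':'.
    for opt in tags.get("fo", "0").split(":"):
        if opt.strip() not in FO_OPTIONS:
            errors.append(f"fo= has unknown option {opt!r}")
    for name in ("pct", "ri"):
        value = tags.get(name, "0")
        if not (value.isascii() and value.isdigit()):
            errors.append(f"{name}= is not a number")
        elif name == "pct" and int(value) > 100:
            errors.append("pct= above 100")
    # As the list above states: without sp=, the p= policy covers subdomains.
    if "p" in tags:
        tags.setdefault("sp", tags["p"])
    return tags, errors

if __name__ == "__main__":
    print(check_dmarc(SAMPLE))
```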