DMARC record
DMARC is a system that adds some rules for DKIM and SPF, so remote servers have a better idea of what your intention is for messages that fail those 2 systems.
DMARC requires both the SPF and DKIM to be present in order to work.
Contents
SPF - Sender Policy Framework
Anything that contains the word "framework" is typically crap. Here's more crap we're stuck with.
SPF allows administrators to specify which hosts are allowed to send email from a given domain by creating a specific DNS SPF record in the public DNS.
Mail Exchanger (MX records) then uses the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrator.
You set up SPF in your domain name at the DNS server. Create a TXT entry in the DNS records of your domain.
Here is an example of a most simple SPF record
v=spf1 a -all
Here is a more complex example
v=spf1 a include:_spf.crap.com ip4:123.45.67.8 -all
Only "include" existing SPF records. If there is no SPF for crap.com then don't do it like the example above.
Often an SPF record can be condensed down to something like v=spf1 ip4:x.x.x.x -all if there is only one outgoing mail server.
v=spf1 ip4:123.45.67.8 -all
Without the "a" then it will deny. This is how you specify a server that does not send mail.
SPF's purpose is to publish a list of outgoing mail servers. Any servers that do not deliver mail to the world, such as web servers or incoming-only mail servers, should not be listed.
If the IP address of your outgoing server is covered by an a, ip4, or other mechanism, it is not necessary to reference that server again using the mx mechanism in the SPF text DNS entry. Specifying mx:mailserver.example.com is generally incorrect.
Based on my current understanding, if you have 1 mail server which both sends and receives mail for many domains:
v=spf1 a include:_mailservername.com ip4:123.45.67.8 -all
The name of the mail server and the IP address of the mail server should be used.
SPF Testing Utility Online - http://tools.bevhost.com/spf/
Again, for domains that send no email you should do this:
v=spf1 -all
DKIM - Domain Key Identified Mail
DKIM uses a key pair, consisting of a public key and a private key. Again more confusing and overly complicated crap!
One key, the "Private Key", is kept safe by the email author. The other key, a "Public Key" permits anyone to verify that a signature made with the corresponding Private Key is valid. DKIM uses DNS to publish the Public Keys, so that any party that wants to validate a signature can easily find the public key.
In your mail server outbound messages will need to pass through a filter that will generate the corresponding signature and store it in an email header.
DMARC - Domain-based Message Authentication, Reporting and Conformance
A DMARC policy allows a sender to indicate that its emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes.
references
- http://techarena51.com/index.php/what-is-dmarc-and-how-you-can-add-it/
- http://www.openspf.org/FAQ/Common_mistakes
To add a DMARC record, go to your domain's DNS Management,
