Syntax
wie ist ein DMARC-Record aufgebaut?
Version
TAG: "v"
The version tag defines the record as a DMARC record. There are only 2 things to consider:
This tag must be the first in the record.
A valid version must be defined. (Currently only 'DMARC1')
Example: "v=DMARC1"
Policy
TAG: "p"
The policy tag determines what the recipient of the mail should do as if a mail fails the DMARC check.
This tag must be in the second position in the record.
The possible values for p:
| none | Mails that have not passed the DMARC check are delivered normally. This option does not offer any spoofing protection and should only be used for monitoring. |
| quarantine | Mails that have not passed the DMARC check are delivered and marked as spam. |
| reject | Mails that did not pass the DMARC check will not be delivered. |
Example: "p=quarantine"
Subdomain policy
TAG: "sp"
The subdomain policy tag determines what the recipient of the mails from a supdomain should do if it fails the DMARC check.
This tag is optional. If no value is defined, the sub-policy is the same as the normal policy.
The possible values for sp:
| none | Mails that have not passed the DMARC check are delivered normally. This option does not offer any spoofing protection and should only be used for monitoring. |
| quarantine | Mails that have not passed the DMARC check are delivered and marked as spam. |
| reject | Mails that did not pass the DMARC check will not be delivered. |
Example: "sp=reject"
RUA
TAG: "rua"
The RUA tag contains various addresses to which aggregate reports are to be sent.
Different URIs can be defined as addresses. Please note that only URIs in the 'mailto:' scheme have to be processed.
Addresses are listed separated by commas (,). More than 2 addresses are not recommended, as only two are guaranteed to receive reports.
If a domain is defined in an address that does not match the domain of the DMARC, you must ensure that this third-party domain allows the receipt of reports. For this you can add a simple DMARC ('v = DMARC1') under 'domain._report._dmarc.externaldomain.com'
Alternatively, a wildcard can be set up under '* ._ report._dmarc.externaldomain.com'. However, this accepts DMARC reports for all domains.
This tag is optional.
Example: 'rua=mailto:info@example.com'
RUF
TAG: "ruf"
The RUF tag contains various addresses to which forensic reports are to be sent.
Different URIs can be defined as addresses. Please note that only URIs in the 'mailto:' scheme have to be processed.
Addresses are listed separated by commas (,). More than 2 addresses are not recommended, as only two are guaranteed to receive reports.
If a domain is defined in an address that does not match the domain of the DMARC, you must ensure that this third-party domain allows the receipt of reports. For this you can add a simple DMARC ('v = DMARC1') under 'domain._report._dmarc.externaldomain.com'
Alternatively, a wildcard can be set up under '* ._ report._dmarc.externaldomain.com'. However, this accepts DMARC reports for all domains.
This tag is optional.
Example: 'ruf=mailto:info@example.com'
Aggregate interval
TAG: "ri"
The RI tag specifies the interval at which aggregate reports are to be delivered.
The standard value is 24 hours.
The time span is given in seconds.
Report creators act according to their own conscience and cannot guarantee that reports will be delivered in under 24 hours.
This tag is optional.
Example: "ri=172800"
Forensic format
TAG: "rf"
The RF tag determines the format in which forensic reports are created.
Currently 'afrf' is the only valid format. This is also the standard value.
This tag is optional.
Example: "rf=afrf"
Forensic settings
TAG: "fo"
The FO tag contains the settings for creating error reports.
Several options can be selected. These are separated by ':'.
A valid RUF tag must be defined so that 'fo' can be used.
The default value is 0.
This tag is optional.
| 0 |
An error report is created if DKIM- and SPF-Check do not produce a 'pass' result. |
| 1 |
An error report is created as soon as the DKIM and / or SPF check do not produce a 'pass' result. |
| d |
Generates a DKIM failure report, regardless of the DKIM alignment. |
| s | Generates a SPF failure report, regardless of the SPF alignment. |
Example: "fo=1:d"
DKIM alignment
TAG: "adkim"
The ADKIM tag determines the mode for the DKIM sub-check.
The standard value is the relaxed mode (r).
This tag is optional.
| r |
relaxed mode
The organizational domain of the DKIM signature domain and the From header domain must match. (Subdomains allowed)
|
| s |
strict mode
DKIM signature domain and From header domain must match exactly. (Subdomains prohibited)
|
Example: "adkim=s"
SPF alignment
TAG: "aspf"
The ASPF tag determines the mode for the SPF sub-check.
The standard value is the relaxed mode (r).
This tag is optional.
| r |
relaxed mode
SPF-authenticated domain and From-Header domain must have the same organizational domain. (Subdomains allowed)
|
| s |
strict mode
SPF-authenticated domain and from-header domain must be exactly the same domain. (Subdomains prohibited)
|
Example: "aspf=s"
Coverage
TAG: "pct"
The PCT tag shows the percentage of mails on which a DMARC check is to be carried out.
The standard value is 100 and is always recommended.
A lower value also reduces the security offered by the DMARC.
It is only recommended to adjust the cover during a rollout.
This tag is optional.
Example: "pct=100"