Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Managing Messages > Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Domain-based Message Authentication, Reporting and Conformance (DMARC) uses the results of its Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validation processes, along with the sender domain's DMARC policy to determine message disposition. Published in the sender's DNS record, a DMARC policy includes the sender's affirmation that its email is protected by SPF and DKIM validation, and provides instructions for handling mail that does not pass either of those checks on the recipient's end. A mechanism for reporting DMARC results is also provided.

SPF and DKIM analyses enabled and configured in the Email module are independent of DMARC verification. SPF checks are configured in Settings > Inbound/Outbound > Relay Control, whereas DKIM validation is configured on the Settings > Inbound/Outbound > DKIM Settings page. If either SPF or DKIM analysis is enabled in the TRITON Manager, DMARC can use the results in its own verification analysis.

Assuming a message is not dropped for failing either the SPF or DKIM check, DMARC validation comprises the following steps:

1.

Extract the sender domain in the email header "From" field.

2.

Query the DNS to determine if a DMARC policy exists for this domain.

Retrieve the policy if one is found and continue with step 3.

End the DMARC process if a policy is not found.

3.

Perform DKIM validation checks.

4.

Perform SPF validation checks.

5.

Perform DMARC identifier checks to determine if the sender information in the message aligns with what the recipient knows about that sender as a result of the SPF and DKIM analyses.

6.

After completing the DMARC analysis, apply the DMARC policy to the message.

When you enable DMARC validation, a reporting mechanism is also included to provide the sender with information about the number of messages received from that sender domain and the results of the recipient's validation checks. Reports are sent to the email address specified in the sender domain's DNS text record via the RUA (reporting URL of aggregate reports) tag.

If SPF and DKIM are not enabled in the Email module, DMARC performs these checks. In this case, message disposition is determined only by the DMARC policy. A message is not rejected based on the individual SPF or DKIM analysis results.

For optimal protection, both SPF and DKIM validation settings should be configured and enabled on your email protection system, along with DMARC. See Configuring relay control options and DomainKeys Identified Mail (DKIM) integration for information about these settings.

Configure DMARC verification on the Settings > Inbound/Outbound > DMARC Settings page. Mark the check box for any of the following options:

Enable DMARC verification for inbound messages

Enable DMARC verification for outbound messages

Enable DMARC verification for internal messages

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Managing Messages > Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Copyright 2016 Forcepoint LLC. All rights reserved.