Hosted Email Security authenticates incoming email messages of the selected domain and allows administrators to take actions on messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered according to the DMARC settings.
The DMARC settings apply only to the selected recipient domain.
The Add DMARC Settings screen appears.
X-Header is added to indicate whether DMARC authentication is successful or not.
Here are some examples of X-Header:
X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=fail action=none header.from=example.com;
X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com;
If you select this option, aggregated reports will be generated daily for authentication failures and sent back to email senders.
A DMARC tag instructs recipients how to handle email messages that fail DMARC authentication. There are three values for the tag: "none", "quarantine", and "reject". Hosted Email Security enables you to specify the action to take in each scenario based on the instructions:
None: select the action to take when the DMARC tag value is "none".
Quarantine: select the action to take when the DMARC tag value is "quarantine".
Reject: select the action to take when the DMARC tag value is "reject".
No DMARC records: select the action to take when there is no DMARC records.
Tags can be customized. When selecting the Tag subject action, note the following:
This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.
To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.
Each email message from the specified domain must meet specific criteria of the DMARC standard; otherwise, an action will be taken on the message.
The following criteria must be met:
The sender domain has an SPF record, and the sender IP address passes SPF authentication.
The sender domain has a DKIM record, and there is at least one verified signature in the message.
The sender domain has a DMARC record, and the message passes the alignment check.