Adding DMARC Settings

Hosted Email Security authenticates incoming email messages of the selected domain and allows administrators to take actions on messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered according to the DMARC settings.

The DMARC settings apply only to the selected recipient domain.

  1. Go to Inbound Protection > Domain-based Authentication > Domain-based Message Authentication, Reporting and Conformance (DMARC).
  2. Click Add.

    The Add DMARC Settings screen appears.

  3. Select a specific recipient domain from the Domain name drop-down list.
  4. Select Enable DMARC.
  5. Optionally select Insert an X-Header into email messages.

    X-Header is added to indicate whether DMARC authentication is successful or not.

    Here are some examples of X-Header:

    X-TM-Authentication-Results: spf=fail (sender IP address:; dkim=pass (signatures verified); dmarc=fail action=none;

    X-TM-Authentication-Results: spf=pass (sender IP address:; dkim=pass (signatures verified); dmarc=pass action=none;

  6. Optionally select Deliver daily reports to senders.

    If you select this option, aggregated reports will be generated daily for authentication failures and sent back to email senders.

  7. Under Intercept, specify actions to take on messages that fail DMARC authentication.

    A DMARC tag instructs recipients how to handle email messages that fail DMARC authentication. There are three values for the tag: "none", "quarantine", and "reject". Hosted Email Security enables you to specify the action to take in each scenario based on the instructions:

    • None: select the action to take when the DMARC tag value is "none".

    • Quarantine: select the action to take when the DMARC tag value is "quarantine".

    • Reject: select the action to take when the DMARC tag value is "reject".

    • No DMARC records: select the action to take when there is no DMARC records.

  8. Under Tag and Notify, select further actions that you want to take on the messages.
    • Tag subject


      Tags can be customized. When selecting the Tag subject action, note the following:

      • This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.

      • To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.

    • Send notification

  9. Under Enforced Peers, add enforced peers to enforce DMARC authentication for specific sender domains.
    1. Click Add.
    2. Specify a sender domain name and click Add.

      Each email message from the specified domain must meet specific criteria of the DMARC standard; otherwise, an action will be taken on the message.

      The following criteria must be met:

      • SPF check

        The sender domain has an SPF record, and the sender IP address passes SPF authentication.

      • DKIM verification

        The sender domain has a DKIM record, and there is at least one verified signature in the message.

      • DMARC authentication

        The sender domain has a DMARC record, and the message passes the alignment check.

  10. Click Add to finish adding the DMARC settings.