Adding DMARC Settings

Trend Micro Email Security authenticates incoming email messages of the selected domain and allows administrators to take actions on messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered according to the DMARC settings.

The DMARC settings apply only to the selected recipient domain.

  1. Go to Inbound Protection > Domain-based Authentication > Domain-based Message Authentication, Reporting and Conformance (DMARC).
  2. Click Add.

    The Add DMARC Settings screen appears.

  3. Select a specific recipient domain from the Domain name drop-down list.
  4. Select Enable DMARC.
  5. Optionally select Insert an X-Header into email messages.

    The X-Header is added to indicate whether DMARC authentication succeeded.

    Here are some examples of X-Header:

    X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com;

    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=fail action=none header.from=example.com;

    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com;

    X-TM-Authentication-Results: spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=pass action=none header.from=example.com;

  6. Optionally select Deliver daily reports to senders.

    If you select this option, aggregated reports will be generated daily for authentication failures and sent back to email senders.

  7. Under Intercept, specify actions to take on messages that fail DMARC authentication.

    A DMARC tag instructs recipients how to handle email messages that fail DMARC authentication. There are three values for the tag: "none", "quarantine", and "reject". Trend Micro Email Security enables you to specify the action to take in each scenario based on the instructions:

    • None: select the action to take when the DMARC tag value is "none".

    • Quarantine: select the action to take when the DMARC tag value is "quarantine".

    • Reject: select the action to take when the DMARC tag value is "reject".

    • No DMARC records: select the action to take when there are no DMARC records.

  8. Under Tag and Notify, select further actions that you want to take on the messages.
    • Tag subject

      Note:

      Tags can be customized. When selecting the Tag subject action, note the following:

      • This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.

      • To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.

    • Send notification

  9. Under Enforced Peers, add enforced peers to enforce DMARC authentication for specific sender domains.
    1. Specify one or multiple sender domain names.

      Each email message from the specified domain must meet specific criteria of the DMARC standard; otherwise, an action will be taken on the message.

      The following criteria must be met:

      • The sender domain has an SPF record, a DKIM record and a DMARC record.

      • The message passes the SPF check, and its identifier domain is in alignment. Alternatively, the message passes DKIM verification, and its identifier domain is in alignment.

    2. Click Add.
  10. Click Add to finish adding the DMARC settings.
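
The X-Header examples in step 5 and the enforced-peer criteria in step 9 follow the same rule: DMARC passes when either SPF or DKIM passes with an aligned identifier. The following Python is an added example, not Trend Micro code; it parses the header format shown in step 5 and recomputes the verdict so that a downstream filter or log pipeline can flag headers whose dmarc= result does not match their spf= and dkim= clauses. The function names and the simplified alignment check are assumptions.

```python
import re

# Constructed sample: the third X-Header example above (SPF fails, DKIM passes).
SAMPLE = ("X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) "
          "smtp.mailfrom=example.com; dkim=pass (signatures verified) "
          "header.d=example.com; dmarc=pass action=none header.from=example.com;")

def parse_tm_auth_results(header):
    """Parse one X-TM-Authentication-Results header line into a flat dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "x-tm-authentication-results":
        raise ValueError("not an X-TM-Authentication-Results header")
    fields = {}
    for clause in value.split(";"):
        # Lift the parenthesised comment out so its words are not read as key=value.
        comment = re.search(r"\(([^)]*)\)", clause)
        pairs = re.findall(r"([\w.]+)=(\S+)", re.sub(r"\([^)]*\)", " ", clause))
        if not pairs:
            continue
        fields.update((k.lower(), v.lower()) for k, v in pairs)
        if comment:
            fields[pairs[0][0].lower() + ".comment"] = comment.group(1).strip()
    return fields

def aligned(identifier, from_domain):
    """Approximate relaxed alignment: same domain or parent/child of it.
    Assumption: a full check would compare organizational domains using
    the Public Suffix List, which is not loaded here."""
    a, b = identifier.rstrip("."), from_domain.rstrip(".")
    if not a or not b:
        return False
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_verdict(header):
    """Recompute the DMARC result from the SPF/DKIM clauses and compare."""
    f = parse_tm_auth_results(header)
    from_dom = f.get("header.from", "")
    spf_ok = f.get("spf") == "pass" and aligned(f.get("smtp.mailfrom", ""), from_dom)
    dkim_ok = f.get("dkim") == "pass" and aligned(f.get("header.d", ""), from_dom)
    expected = "pass" if spf_ok or dkim_ok else "fail"
    return {"reported": f.get("dmarc"), "expected": expected,
            "passed_via": [n for n, ok in (("spf", spf_ok), ("dkim", dkim_ok)) if ok],
            "consistent": f.get("dmarc") == expected}

if __name__ == "__main__":
    print(check_verdict(SAMPLE))
```

A result with "consistent" set to False means the header's own SPF and DKIM clauses do not support its DMARC verdict, which is worth reviewing before any downstream rule relies on it.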