Procedure
- Go to .
- Go to DMARC Record Check.
- Generate a DMARC record for a domain.
-
For a domain with DMARC disabled, click Disabled in the DMARC column and then click Create on the DMARC Record in DNS screen to generate a DMARC record.
-
For a domain with DMARC enabled, click Enabled in the DMARC column and then click Modify on the DMARC Record in DNS screen to update the DMARC record options and generate a new record.
-
- On the Generate DMARC Record screen, specify the basic
options.
Note
If you leave an option empty, the corresponding tag does not appear in the resulting DMARC record.OptionDescriptionPolicyThe action that you expect the receiving server to take when messages from the domain fail DMARC checks.-
None: Take no action on messages failing DMARC checks.This action only helps collect DMARC reports and gain insight into your current email flows and their authentication status.
-
Quarantine: Treat the messages failing DMARC checks as suspicious. The specific action depends on the capability of the receiving server. For example, the action can be placing the message into a spam folder or in a quarantine area.
- Reject: Reject messages failing DMARC checks.
You must specify a value for this option.Send Aggregate Data toThe email address for receiving DMARC aggregate reports.Use a comma to separate multiple email addresses. Optionally, you can specify the maximum email size allowed in the format Email address!Size limit.Example: dmarc-feedback@example.com,dmarc-admin@example.com!10mIf you leave this option empty, you will not receive aggregate reports.Send Forensic Data toThe email address for receiving DMARC forensic reports, which are also called failure reports.Use a comma to separate multiple email addresses. Optionally, you can specify the maximum email size allowed in the format Email address!Size limit.Example: dmarc-feedback@example.com,dmarc-admin@example.com!10mIf you leave this option empty, you will not receive forensic reports. -
- Optionally specify the advanced options.
Note
If you leave an option empty or select the "-" value, the corresponding tag does not appear in the resulting DMARC record.OptionDescriptionSubdomain PolicyThe policy you want to apply to all the subdomains of a domain.The value "-" indicates unspecified. In this case, the policy for subdomains is the same as the policy for the primary domain.Change the setting if you want to use a different DMARC policy for your subdomains.DKIM Identifier AlignmentThe alignment policy for DKIM, which defines how strictly the DKIM alignment check is.-
-: Unspecified. In this case, the policy "Relaxed" applies during DMARC evaluation.
-
Relaxed: Partial match is allowed. The sender domain name can be a valid subdomain of the domain name in the "d=" tag in the DKIM mail header.
-
Strict: The sender domain name must be identical to the domain name in the "d=" tag in the DKIM mail header.
SPF Identifier AlignmentThe alignment policy for SPF, which defines how strictly the SPF alignment check is.-
-: Unspecified. In this case, the policy "Relaxed" applies during DMARC evaluation.
-
Relaxed: Partial match is allowed. The sender domain name can be a valid subdomain of the domain name in the SMTP "MAIL FROM" command.
-
Strict: The sender domain name must be identical to the domain name in the SMTP "MAIL FROM" command.
Reporting IntervalThe interval for the receiving server to send aggregate reports.If you leave this option empty, the interval "86400 seconds" (24 hours) applies during DMARC evaluation.Forensic Report OptionsThe conditions for sending forensic reports.-
Send report only if both SPF and DKIM fail
-
Send report if either SPF or DKIM fails
-
Send report if DKIM fails
-
Send report if SPF fails
If you leave this option unspecified, the condition "Send report only if both SPF and DKIM fail" applies during DMARC evaluation.Forensic Report FormatThe format in which reports are sent, which can be AFRF or IODEF.The value "-" indicates unspecified, in which case the format AFRF applies during DMARC evaluation.Policy PercentageThe percentage of unauthenticated messages to which the DMARC policy will be applied.Specify an integer between 0 and 100. To roll out DMARC slowly, it is recommended that you start with a small percentage. As more messages from your domain pass DMARC checks, you can move to a higher percentage until you reach 100 percent.If you leave this option empty, the value 100 applies during DMARC evaluation. -
- Click Generate.Cloud Email Gateway Protection generates a DMARC record based on your settings. You can copy the record and publish it to the DNS server.Example record:
v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-fail-reports@example.com; adkim=s; aspf=r; ri=86400; fo=0; rf=afrf; pct=50-
v=DMARC1: This is version 1 of the DMARC specification.This tag is automatically added during the record generation. -
p=none: The policy for the primary domain is none, which indicates only monitoring messages from the domain for DMARC authentication. -
sp=quarantine: The policy for subdomains is quarantine, which indicates that you expect the receiving server to treat the messages from the subdomains of the primary domain as suspicious. -
rua=mailto:dmarc-reports@example.com: The email address for receiving aggregate reports is dmarc-reports@example.com. -
ruf=mailto:dmarc-fail-reports@example.com: The email address for receiving aggregate reports is dmarc-fail-reports@example.com. -
adkim=s: The DKIM alignment policy is to apply strict DKIM alignment checks. -
aspf=r: The SPF alignment policy is to apply relaxed SPF alignment checks. -
ri=86400: The interval for sending reports is 86400 seconds. -
fo=0: The condition for sending forensic reports is only when both SPF and DKIM fail. -
rf=afrf: The format for sending forensic reports is AFRF. -
pct=50: The policy will be applied to 50% of the messages.
-