DMARC (Domain-based Message Authentication, Reporting and Conformance) is a sender authentication protocol that builds on DKIM and SPF. It lets the owner of a domain decide what should happen to an email should it fail both DKIM and SPF checks.
What is DMARC?
DMARC is a strong anti-phishing feature that lets the receiver verify that the From header (the user-visible sender) aligns with the DKIM signed delivery header, or that the From header matches the SPF signed delivery domain and that it's sent from an address validated by SPF. In short, DMARC lets the receiver verify that the delivery address (on the envelope) matches the user-visible address (the letter inside) and that the person who sent it is allowed to do so.
DMARC also provides more robustness for mail being forwarded: SPF will fail but DKIM should survive.
If neither the DKIM nor the SPF checks pass, DMARC lets the domain owner specify if the mail should be quarantined or rejected (and sent to a reject address).
Fastmail users do not need to set a DMARC policy for their domain to work, but users who would like to set a DMARC policy on their domain are welcome to do so. By default, domains that have their DNS handled by Fastmail have a DMARC policy of
Fastmail domains have a DMARC policy of
p=none, which means recipient mail servers should report whether the message passes or not, but not change deliverability. This allows users to send mail using our domains from anywhere, for legacy reasons.
DMARC is not a complete solution
Many email clients don't preserve message integrity when mail is forwarded, which can break DKIM as well as SPF.
Mailing lists still alter message fields, which breaks DKIM, and they forward mail, which breaks SPF. Mailing list software is being brought up to date to deal with this by adjusting the "From" header and re-signing the message with updated DKIM information.
Despite the advancements in sender authentication protocols, many users are still not evaluating their email with an educated, critical eye. All the automated checking in the world still can't stop a user from clicking on a message sent from
Setting up a DMARC policy
If Fastmail handles the DNS for your domain, then your domain will automatically have a DMARC policy of
p=none. To change this to either a
p=reject policy, you'll need to disable this automatically generated DMARC record and create a new one with your desired enforcement policy.
If we don't handle the DNS for your domain, you can add a DMARC record for your domain in the control panel of your domain host with a compliance policy of
p=quarantine. You can publish a DMARC policy by adding a TXT record for
_dmarc.yourdomain.com. For more information and record generator tools that can help you set up DMARC, we recommend going to DMARC.org.
If you have any questions about setting up a DMARC policy, feel free to reach out to our support team for assistance.