Frequently Asked Questions about DMARC when using Hosted Email Security (HES)

    • Updated: 13 Aug 2019
    • Product/Version: Hosted Email Security 3.0, Hosted Email Security 2.0, Trend Micro Email Security 1.0
    • Platform: N/A
Summary

Get answers to the most common questions about DMARC using HES.

Details
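|                    | SPF            | DKIM            | DMARC                                             |
|--------------------|----------------|-----------------|---------------------------------------------------|
| Record Present     | Use SPF Policy | Use DKIM Policy | Use DMARC Policy                                  |
| Record Not Present | None           | None            | Use Policy Intercept Action: "No DMARC records"   |
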
Ordinary domain authentication means that the Enforced Peers function is not used.

SPF | DKIM | DMARC | ACTION

Policy: "No DMARC records"

Policy: p tag

Policy: "No DMARC records"

Policy: p tag

Policy: "No DMARC records"

Policy: p tag

Policy: "No DMARC records"

Policy: p tag (if fails DMARC alignment)

|                    | SPF    | DKIM   |
|--------------------|--------|--------|
| Record Present     | Policy | Policy |
| Record Not Present | None   | Policy |

SPF, DKIM and DMARC are three independent features in Hosted Email Security. You can enable or disable those features based on your requirements.

The following are typical scenarios for your reference:

  • DMARC enabled only

    Hosted Email Security performs its own SPF check and DKIM signature check before the alignment check.

  • SPF check, DKIM verification and DMARC authentication enabled at the same time

    Hosted Email Security checks the sender domain for each inbound email message. If a message does not pass the SPF check, the default action is to delete the message. If the message passes the SPF check, Hosted Email Security verifies DKIM signatures in the message. If the message does not pass DKIM verification, the message will be deleted, quarantined or delivered depending on the action configured. If the message continues to the next step in the delivery process, Hosted Email Security implements DMARC authentication on the message.


For more information, refer to the document How DMARC Works with SPF and DKIM.

In the sample email headers below, the SPF check fails, causing the DMARC check to fail:

[Image: SPF fail]

Please refer to the document on Adding DMARC Settings.

Enforced Peers is an HES feature that enforces DMARC authentication for specific sender domains. The following criteria must be strictly met by Enforced Peers to pass DMARC authentication:

  • SPF check
  • DKIM verification

    The sender domain has a DKIM record, and there is at least one verified signature in the message.

  • DMARC authentication

    The sender domain has a DMARC record, and the message passes the alignment check.

Please refer to the document on Adding DMARC Settings.

A configurable action is available for the "No DMARC records" case. Refer to the following image:

[Image: No DMARC records]

This action is applied when no DMARC record is published in the DNS of the sending domain. The DMARC record can be queried using nslookup on the command line:

nslookup -type=txt _dmarc.domain

As an example:

[Image: nslookup]

Three possible policy settings, or message dispositions, are available:

| Policy            | Definition |
|-------------------|------------|
| none policy       | You just want to monitor the DMARC results and you do not want to take specific action on all the failing emails. You can use the “none” policy to start with DMARC and gather all DMARC reports and start analyzing this data. |
| quarantine policy | You put the emails which fail the checks in quarantine. Most of these emails will end up in the junk folder of the receiver. |
| reject policy     | You can reject all emails that fail the DMARC check. The email receivers should do this ‘on SMTP level’. The emails will bounce directly in the sending process. |

Below are the common tags used in DMARC TXT records:

| Tag Name | Required | Purpose | Sample |
|----------|----------|---------|--------|
| v        | required | Protocol version | v=DMARC1 |
| p        | required | Policy for domain | p=quarantine |
| pct      | optional | % of messages subjected to filtering | pct=20 |
| rua      | optional | Reporting URI of aggregate reports | rua=mailto:CUSTOMERID@for.dmarcanalyzer.com |
| ruf      | optional | Addresses to which message-specific forensic information is to be reported (comma-separated plain-text list of URIs). | ruf=mailto:CUSTOMERID@for.dmarcanalyzer.com |
| rf       | optional | Format to be used for message-specific forensic information reports (comma-separated plain-text list of values). | rf=afrf |
| aspf     | optional | Alignment mode for SPF | aspf=r |
| adkim    | optional | Alignment mode for DKIM | adkim=r |
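
A record built from these tags can be checked before it is published. The following Python sketch is an added example, not Trend Micro code: it validates one DMARC TXT string against the tags in the table and fills in the RFC 7489 defaults for omitted optional tags. The function name `parse_dmarc` and both sample records are constructed for illustration.

```python
ALLOWED = {"p": {"none", "quarantine", "reject"},
           "aspf": {"r", "s"}, "adkim": {"r", "s"}}
# Defaults defined by RFC 7489 for optional tags that are left out.
DEFAULTS = {"pct": "100", "aspf": "r", "adkim": "r", "rf": "afrf"}

def parse_dmarc(txt):
    """Return (effective_tags, problems) for one TXT string from _dmarc.<domain>."""
    tags, problems = {}, []
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part!r}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # v must be the first tag and its value is case-sensitive; p is required.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required tag: p")
    for name, allowed in ALLOWED.items():
        if name in tags and tags[name].lower() not in allowed:
            problems.append(f"invalid value for {name}: {tags[name]!r}")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        problems.append(f"pct must be 0-100, got {pct!r}")
    return {**DEFAULTS, **tags}, problems

# Constructed sample records, built from the sample values in the table above.
GOOD = ("v=DMARC1; p=quarantine; pct=20; "
        "rua=mailto:CUSTOMERID@for.dmarcanalyzer.com; aspf=r; adkim=r")
BAD = "p=block; v=DMARC1; pct=120"  # wrong order, unknown policy, pct out of range

if __name__ == "__main__":
    for record in (GOOD, BAD):
        tags, problems = parse_dmarc(record)
        print(tags.get("p"), problems or "ok")
```
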

References:

The tool below helps you create the DNS TXT record to add at your DNS provider, for example GoDaddy.

DMARC Record Assistant

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=vtekdummies.xyz; s=TM-DKIM-2019022621527; t=1562357572; x=1562789572; bh=aZg6uJzhgeJqfvgOyUB5iBetSCFUZ0GNreBEIlTPyqw=; l=1498; h=Date:From:To; b=OV2rQr9gkejUtXxp3zvgRc6W80hY4dWx6gVT55N/porUhU+t2fFZn3mAcwNBDf6v2 btlQjp+63KSSpj7MJdAQo81Lmpt2QoMLxdOq+IkonheLDwtZ3Ty7IqK97o5ZCp2rWr WqkBcaDzUIXM087PAdiUzYA2N9f/9tQQUl9hwqU8TLQSj8uKL5TnlLfgednonop1Bc uuuYy6HDXAVMSJ/+Cu3xjdk9mpvYmD1knLC3gigDH2jXfLPbm3YGA7bvLGcy/SZvVs tWrC0DI6DYHCMg5ctQeUZfjEh1DjJY2G0vkhq2VQxXKhjEVhs9DkD2RT+JvENvPjxK p4NKKjH6AdxIw==

X-TM-Received-SPF: Pass (domain of user_email@vtekdummies.xyz designates 11.22.111.222 as permitted sender) client-ip=11.22.111.222; envelope-from=user_email@vtekdummies.xyz; helo=repost01.tmes.sample.com

X-TM-Authentication-Results: spf=pass (sender IP address: 11.22.111.222) smtp.mailfrom=vtekdummies.xyz; dkim=pass (signatures verified) header.d=vtekdummies.xyz; dmarc=pass action=quarantine header.from=vtekdummies.xyz;
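
When triaging a delivery decision, the X-TM-Authentication-Results value above can be read mechanically. The following Python sketch is an added example, not Trend Micro code: it parses that header, applies the relaxed/strict alignment modes from the aspf and adkim tags, and models the Enforced Peers criteria as this page states them. The function names, the `NO_DKIM` header and the two-label organizational-domain shortcut are assumptions.

```python
import re

# Header value copied from the sample on this page.
PAGE_SAMPLE = (
    "spf=pass (sender IP address: 11.22.111.222) smtp.mailfrom=vtekdummies.xyz; "
    "dkim=pass (signatures verified) header.d=vtekdummies.xyz; "
    "dmarc=pass action=quarantine header.from=vtekdummies.xyz;"
)
# Constructed sample: SPF passes from a subdomain, no DKIM signature present.
NO_DKIM = (
    "spf=pass (sender IP address: 192.0.2.10) smtp.mailfrom=mail.vtekdummies.xyz; "
    "dkim=none; dmarc=pass action=none header.from=vtekdummies.xyz;"
)

def parse_auth_results(value):
    """Return {method: {"result": ..., <property>: ...}} for each clause."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    parsed = {}
    for clause in filter(None, (c.strip() for c in value.split(";"))):
        first, *rest = clause.split()
        method, _, result = first.partition("=")
        props = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Production code must consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    if not auth_domain:
        return False
    same = auth_domain.lower() == from_domain.lower()
    return same if mode == "s" else org_domain(auth_domain) == org_domain(from_domain)

def evaluate(value, aspf="r", adkim="r"):
    r = parse_auth_results(value)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    from_domain = r["dmarc"]["header.from"]
    spf_pass = spf.get("result") == "pass"
    dkim_pass = dkim.get("result") == "pass"
    spf_aligned = spf_pass and aligned(spf.get("smtp.mailfrom"), from_domain, aspf)
    dkim_aligned = dkim_pass and aligned(dkim.get("header.d"), from_domain, adkim)
    alignment = spf_aligned or dkim_aligned  # DMARC needs one aligned pass
    # Enforced Peers as described on this page: SPF, DKIM and alignment all hold.
    return {"dmarc_alignment": alignment,
            "enforced_peer_ok": spf_pass and dkim_pass and alignment}
```

With `NO_DKIM`, relaxed SPF alignment alone satisfies DMARC, but the Enforced Peers model fails because no DKIM signature was verified; switching to `aspf="s"` also breaks alignment because the envelope domain is a subdomain.
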

Category: Configure; Troubleshoot
Solution Id: 1123135