DMARC record.
The DMARC record, like SPF, is a TXT record in the domain's DNS zone. It tells the recipient's MTA what we ask it to do with messages that claim to come from our domain.
For DMARC to work correctly, you must first define an SPF record for the domain. The SPF record states which MTAs are authorized to send mail for the domain, while DMARC contains the policy that the receiving MTA should apply when it receives such an email.
So, using DMARC, the domain owner gives recipients instructions on what to do with the messages they receive. This is the policy for forged emails: the receiving MTA may apply the rules we set, e.g. reject the message, quarantine it, or accept it even though it is forged, i.e. fails SPF alignment.
In addition to the policy for forged messages, DMARC carries other instructions: the e-mail address to which status reports about messages from our domain are sent, the format and frequency of that report, the percentage of messages from our domain the policy is applied to, the policy for subdomains, and how strictly the DKIM and SPF identifiers must align with the domain in the From: header.
Sample DMARC record in the BIND zone:
_dmarc 86400 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rf=afrf; fo=1; pct=100; rua=mailto:postmaster@domain.tld;"
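The record above, parsed and applied the way a receiving MTA would, as an added Python example that is not part of the original page. It assumes the RFC 7489 defaults for missing tags (sp=p, adkim=r, aspf=r, pct=100) and simplifies the organizational domain to the last two labels, a stand-in for a Public Suffix List lookup.

```python
# Added example: parse a DMARC TXT record and decide the disposition of a
# message from its SPF/DKIM results and the alignment modes in the record.
# Constructed sample, identical to the BIND record shown on the page.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rf=afrf; "
                 "fo=1; pct=100; rua=mailto:postmaster@domain.tld;")


def parse_dmarc(txt):
    """Split 'tag=value;' pairs into a dict and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Assumption: organizational domain = last two labels (real MTAs use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict (s): exact match with the From: domain; relaxed (r): same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record, from_domain, spf_pass_domain=None,
                dkim_pass_domain=None, is_subdomain=False):
    """Return 'accept' when SPF or DKIM passed AND aligns; otherwise the policy
    the record asks the receiver to apply (sp= for subdomains, p= otherwise)."""
    if aligned(from_domain, spf_pass_domain, record["aspf"]):
        return "accept"
    if aligned(from_domain, dkim_pass_domain, record["adkim"]):
        return "accept"
    return record["sp"] if is_subdomain else record["p"]
```

With adkim=s and aspf=s, mail that passes SPF for mail.domain.tld but carries From: domain.tld is still rejected, which is the difference between strict and relaxed alignment.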
Sample DMARC rules for MTA Exim.
First check that Exim was built with DMARC support:
server#exim -bV
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DNSSEC Event OCSP PIPE_CONNECT PRDR DKIM SPF DMARC TCP_Fast_Open Experimental_SRS
DMARC rules:
acl_smtp_data:
  # No usable From: domain or a temporary DNS error while fetching the DMARC
  # record: ask the sender to retry later. Authenticated clients are exempt.
  defer
    dmarc_status   = nofrom : temperror
    !authenticated = *
    message        = DMARC: status=$dmarc_status \n $dmarc_status_text \n policy=$dmarc_domain_policy
    log_message    = DMARC: status=$dmarc_status Text=$dmarc_status_text policy=$dmarc_domain_policy
    delay          = 5s

  # The sender's policy says quarantine: defer the message and slow the client down.
  defer
    dmarc_status   = quarantine
    !authenticated = *
    message        = DMARC: status=$dmarc_status \n $dmarc_status_text \n policy=$dmarc_domain_policy
    log_message    = DMARC: status=$dmarc_status Text=$dmarc_status_text policy=$dmarc_domain_policy
    delay          = 10s

  # The sender's policy says reject: refuse the message outright.
  deny
    dmarc_status   = reject
    !authenticated = *
    message        = DMARC: status=$dmarc_status \n $dmarc_status_text \n policy=$dmarc_domain_policy
    log_message    = DMARC: status=$dmarc_status Text=$dmarc_status_text policy=$dmarc_domain_policy

  # DMARC passed: record the result and a keyed tracking id in the headers.
  # SecretPassword is the HMAC key; replace it with a secret of your own.
  warn
    dmarc_status   = accept
    !authenticated = *
    add_header     = X-DMARC: $dmarc_status [$dmarc_status_text]
    add_header     = X-TRACK-MSGID: ${hmac{md5}{SecretPassword}{$primary_hostname $message_id $tod_log}}

  # No DMARC result (no record published, evaluation disabled, or no policy):
  # log it, add the same headers and delay the client.
  warn
    dmarc_status   = none : norecord : off
    !authenticated = *
    log_message    = DMARC: status=$dmarc_status Text=$dmarc_status_text policy=$dmarc_domain_policy
    add_header     = X-DMARC: $dmarc_status [$dmarc_status_text]
    add_header     = X-TRACK-MSGID: ${hmac{md5}{SecretPassword}{$primary_hostname $message_id $tod_log}}
    delay          = 30s