Domain-based Message Authentication, Reporting and Conformance (DMARC) validation integration

Domain-based Message Authentication, Reporting and Conformance (DMARC) uses the results of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) validation, along with the DMARC policy published by the domain in the message’s From header, to determine message disposition. A DMARC policy is published as a DNS TXT record (at _dmarc.<domain>). It states that the domain’s mail is authenticated with SPF and/or DKIM, and it instructs receivers how to handle mail that does not pass at least one of those checks with an identifier that aligns with the From domain. DMARC also provides a mechanism for receivers to report validation results back to the domain owner.

SPF and DKIM analyses enabled and configured in the Email Security module are independent of DMARC verification. SPF checks are configured on the page Settings > Inbound/Outbound > Relay Control, whereas DKIM validation is configured on the page Settings > Inbound/Outbound > DKIM Settings. If either SPF or DKIM analysis is enabled in the Forcepoint Security Manager, DMARC can use the results in its own verification analysis.

Assuming a message is not dropped for failing either the SPF or DKIM check, DMARC validation comprises the following steps:

  1. Extract the sender domain from the message header “From” field (the RFC5322.From domain).
  2. Query DNS for a DMARC policy for this domain (a TXT record at _dmarc.<domain>).
    • If a policy is found, retrieve the policy and continue with step 3.
    • If a policy is not found, end the DMARC process.
  3. Perform DKIM validation checks.
  4. Perform SPF validation checks.
  5. Perform DMARC identifier alignment checks. A passing SPF result counts only if the domain SPF authenticated (the MAIL FROM or HELO domain) aligns with the From domain; a passing DKIM result counts only if the signing domain (the signature’s d= tag) aligns with it. Alignment is strict (exact match) or relaxed (same organizational domain), as set by the policy’s aspf and adkim tags.
  6. After completing the DMARC analysis, apply the DMARC policy (none, quarantine or reject) to a message that has no aligned passing result.
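The six steps above, carried through as an added example (this is illustration code, not Forcepoint code and not the Email Security module’s implementation). DNS is replaced by an in-memory table of constructed _dmarc TXT records, and the SPF and DKIM results are passed in as already-computed values, which mirrors the point that DMARC consumes those results rather than recomputing them. The organizational-domain rule is a two-label stand-in for the Public Suffix List, and the record contents (example.com, example.net, the rua addresses) are constructed.

```python
from email.utils import parseaddr

# Constructed stand-in for DNS: what a TXT query for _dmarc.<domain> would return.
FAKE_DNS = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-agg@example.com"),
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}


def org_domain(domain):
    """Toy organizational-domain rule: the last two labels. A real evaluator
    consults the Public Suffix List so that names like example.co.uk work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_policy(from_domain, dns):
    """Step 2: look up the exact From domain first, then its organizational domain
    (in which case the record's sp= tag governs). Returns (tags or None, is_subdomain)."""
    policy = parse_dmarc(dns.get(f"_dmarc.{from_domain}", ""))
    if policy:
        return policy, False
    org = org_domain(from_domain)
    if org != from_domain:
        policy = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
        if policy:
            return policy, True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Step 5 identifier alignment: 's' = exact match, 'r' (the default) = same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, spf_result, dkim_results, dns=FAKE_DNS):
    """Steps 1-6 over pre-computed authentication results.
    spf_result: (result, domain) for the identity SPF authenticated (MAIL FROM or HELO).
    dkim_results: list of (result, d= domain), one per verified signature.
    Returns (disposition, reason) with disposition in {'pass', 'none', 'quarantine', 'reject'}."""
    # Step 1: the domain DMARC protects is the one in the RFC5322.From header.
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "none", "no usable RFC5322.From domain"
    from_domain = addr.rsplit("@", 1)[1].lower()

    # Step 2: fetch the policy; with no policy, DMARC processing ends.
    policy, is_subdomain = lookup_policy(from_domain, dns)
    if policy is None:
        return "none", "no DMARC policy published"

    # Steps 3-5: a passing SPF or DKIM result only counts if its domain aligns with the From domain.
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")
    dkim_aligned = any(result == "pass" and aligned(from_domain, d.lower(), adkim)
                       for result, d in dkim_results)
    spf_aligned = spf_result[0] == "pass" and aligned(from_domain, spf_result[1].lower(), aspf)
    if dkim_aligned or spf_aligned:
        return "pass", "aligned " + ("DKIM" if dkim_aligned else "SPF") + " pass"

    # Step 6: no aligned pass, so apply p= (or sp= when a subdomain inherited the org record).
    requested = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    if requested not in ("none", "quarantine", "reject"):
        requested = "none"  # defensive: an unrecognized policy value is treated as p=none
    return requested, f"DMARC fail; policy requests {requested}"
```

Two cases worth noticing: a DKIM signature from mail.example.com passes verification but does not rescue a From: example.com message, because that record sets adkim=s; and a message from news.example.com, which publishes no record of its own, is judged by example.com’s sp=quarantine rather than its p=reject.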

When you enable DMARC validation, aggregate reporting is also enabled. It gives the domain owner a summary of how many messages were received claiming that domain and how they fared in the recipient’s SPF, DKIM and alignment checks. Reports are sent to the address specified by the rua tag (reporting URI for aggregate reports) in the domain’s DMARC DNS text record.

If SPF and DKIM are not enabled in the Email Security module, DMARC performs these checks itself. In this case, message disposition is determined only by the DMARC policy; a message is not rejected based on the individual SPF or DKIM result.

For optimal protection, both SPF and DKIM validation settings should be configured and enabled on your email protection system, along with DMARC. See Configuring relay control options and DomainKeys Identified Mail (DKIM) integration.

Configure DMARC verification on the page Settings > Inbound/Outbound > DKIM Settings. Mark the check box for any or all of the following options:

  • Enable DMARC verification for inbound messages
  • Enable DMARC verification for outbound messages
  • Enable DMARC verification for internal messages