User Tools

Site Tools


DMARC DNS entry and mystery email reports

[ Classic Linux. ]

(Note. If you are a DirectAdmin user you can manually create a DMARC record in DNS and it will work the same way as described below. We have labeled this page [ Classic Linux ] because creation of a DMARC record is not automatic in DirectAdmin.)

In the Classic Linux environment, there might be a DNS record in your custom domain's DNS called a DMARC record. This DNS record requests other sites to take certain steps with mail showing your domain in the sender address, if it fails checks based on SPF and DKIM DNS records.

Whenever you add a domain to your account, SPF and DKIM DNS records are automatically created with some suitable default values.

SPF and DKIM DNS records are intended to let sites detect unauthorized mail (usually spam) that contains forged sender addresses in your domain. In your DMARC record you can ask them to reject such mail, or to accept it but refile it into a spam folder (i.e., quarantine it), or accept it and deliver it normally.

To summarize:

  • Your domain's SPF and DKIM DNS records help others know when your domain is being forged in spam.
  • Your domain's DMARC record advises others how best to deal with such forged spam.
  • You can adjust your DMARC record to fine-tune this advice.

DMARC and SPF records can viewed and modified from the below menus. Saving a screenshot or a screen print before making changes will let you go back to the original if needed.

Virtualmin ⇒ Server Configuration ⇒ DNS Options
Virtualmin ⇒ Server Configuration ⇒ DNS Records
Webmin ⇒ Servers ⇒ BIND DNS Server

Below are some of the adjustments you can make in the DMARC record.

Policy for emails that fail SPF or DKIM.

  • Take no action. Accept it and deliver it normally.
  • Quarantine email. Accept mail, file it into a spam folder. (Recommended.)
  • Reject email. Don't accept mail, immediately reject it so it bounces back to the sender.

Require strict DKIM alignment, Require strict SPF alignment. Yes means check more strictly for domain matches in various mail headers, causing more email to be treated as spam. (Recommended: no.)

Send aggregate feedback to, Send forensic information to. Most people will keep these at No. If either of these is Yes, you will need to specify an email address. Other sites will periodically send you a status report about mail that they received that showed a sender address in your domain. These status reports are in a strictly defined format that is not necessarily human-readable. (Recommended: no.)

Percentage of messages to apply policy. What fraction of messages from your domain, that fail DKIM or SPF checks, to spam-file or reject. In most cases this will be 100%, but can be set to a lower value. (Recommended: 100%.)

Comment. A brief comment for your own reference.

hints/dmarc_dns_entry_and_mystery_email_reports.txt · Last modified: 2021/03/02 09:48 by admin