How to set good defaults for DMARC records on a Virtualmin server with many domains

Background

If you’ve got a perfect Virtualmin setup, you might notice that MXToolbox’s Email Health checker complains about DMARC.

Next you might wonder what DMARC setting will not only work for your own domain, but the other 5000 domains under your management.

This is what we use:

It comes out as a DNS record like this:

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; ruf=mailto:[email protected]; rua=mailto:[email protected]"

Users get confused by the DMARC report emails they receive, so we remove the reporting addresses (the rua and ruf tags):

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; "

In plain text:

  • Our DMARC record policy is enabled.
  • Our DMARC policy for emails that fail SPF or DKIM is to quarantine them. The other options are “Take no action” and “Reject email”, but we use Quarantine.
  • We apply the policy to 100% of messages.

Please note you could also use MXToolbox Delivery Centre, but you’d need a paid subscription and the basic tier only allows 5 monitors. https://mxtoolbox.com/delivery

But What Precisely is DMARC?

Wikipedia describes it best:

It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures – and a reporting mechanism for actions performed under those policies.

Why do we use Quarantine?

This article describes it best:

Quarantine policy p=quarantine

With the DMARC policy quarantine, Internet Service Providers which have adopted DMARC will put emails which are failing the DMARC check in special ‘quarantine’ folders e.g. the junk or spam folder. The p=quarantine DMARC policy influences the way email is handled, however failing emails will still arrive.

So we feel 100% of incorrectly configured DMARC messages should end up in spam.

How do you apply this for all domains on a Virtualmin server?

Go to System Settings / Server Templates / Default Settings / BIND DNS Domain and change the defaults. To apply the DMARC record to all existing domains from the command line:

virtualmin modify-dns --dmarc --all-domains

How to use Dig to check DMARC?

We often use WhatsMyDNS to check DMARC, but there’s a catch: it isn’t a normal TXT record at the root of the domain. In WhatsMyDNS, do a TXT lookup for _dmarc.example.com instead.

Example of dig, no policy set

dig txt _dmarc.example.com

;; ANSWER SECTION:
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; ruf=mailto:[email protected]; rua=mailto:[email protected]"

Example of dig, quarantine policy set

dig txt _dmarc.domain2.example.com

;; ANSWER SECTION:
_dmarc.domain2.example.com. 38400 IN TXT "v=DMARC1; p=quarantine; pct=100; ruf=mailto:[email protected]; rua=mailto:domain2.example.com"
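The dig outputs above are easy to misread by eye across thousands of domains, so here is an added example (not from the original post and not part of Virtualmin) that parses dig’s ANSWER SECTION, splits each DMARC TXT record into its tags, and flags the things discussed in this post: a missing or p=none policy, a pct below 100, and report URIs that are not mailto:. The sample dig output embedded in the script is constructed for the example; pipe real output in with `dig txt _dmarc.example.com | python3 dmarc_audit.py` (the file name is an assumption).

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample dig output (not real DNS data): one monitoring-only
# domain and one domain with the quarantine default from this post.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_dmarc.example.com.     3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.com"
_dmarc.domain2.example.com. 38400 IN TXT "v=DMARC1; p=quarantine; pct=100; "
"""

VALID_POLICIES = {"none", "quarantine", "reject"}

# Matches "<owner> <ttl> IN TXT <quoted strings>" as dig prints it.
TXT_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class DmarcReport:
    name: str
    tags: dict
    problems: list = field(default_factory=list)

    @property
    def policy(self):
        return self.tags.get("p")

    @property
    def ok(self):
        return not self.problems


def parse_dmarc_record(text):
    """Split 'v=DMARC1; p=quarantine; pct=100; ' into an ordered tag dict.
    A trailing separator and surrounding whitespace are tolerated, as RFC 7489 allows."""
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(name, text):
    """Check one record against the defaults this post recommends."""
    report = DmarcReport(name, {})
    try:
        report.tags = parse_dmarc_record(text)
    except ValueError as exc:
        report.problems.append(str(exc))
        return report
    tags = report.tags
    # The version tag must be present and must come first.
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        report.problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        report.problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        report.problems.append(f"unknown policy p={policy}")
    elif policy == "none":
        report.problems.append("p=none only monitors; failing mail is still delivered")
    pct = tags.get("pct", "100")  # RFC 7489 default when pct is absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        report.problems.append(f"pct must be 0-100, got {pct!r}")
    elif int(pct) < 100:
        report.problems.append(f"policy applied to only {pct}% of failing mail")
    # Report URIs are optional (this post drops them), but if present must be mailto:.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri and not uri.startswith("mailto:"):
                report.problems.append(f"{tag} URI must be mailto:, got {uri!r}")
    return report


def records_from_dig(output):
    """Yield (owner, record) for each TXT line, joining dig's split quoted strings."""
    for line in output.splitlines():
        match = TXT_LINE.match(line.strip())
        if not match:
            continue
        owner = match.group(1).rstrip(".")
        yield owner, "".join(QUOTED.findall(match.group(2)))


def audit(output):
    """Map each _dmarc owner name in dig output to its DmarcReport."""
    return {owner: assess_dmarc(owner, rec) for owner, rec in records_from_dig(output)}


if __name__ == "__main__":
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    for owner, rep in audit(output).items():
        status = "OK  " if rep.ok else "WARN"
        print(f"{status} {owner}: p={rep.policy} {'; '.join(rep.problems)}")
```

Run with no input to see the two constructed records: the p=none domain is flagged, the quarantine domain with the report tags removed passes cleanly, which is the state the Virtualmin default above produces.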
