什么是DMARC?
电子邮件
1 min read
什么是DMARC?
电子邮件
1 min read
基于域的邮件认证、报告和一致性(DMARC)是一项技术标准,帮助保护电子邮件发送者和接收者免受垃圾邮件、伪造和网络钓鱼的侵害。
理解DMARC
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DMARC allows an organization to publish a policy that defines its email authentication practices and provides instructions to receiving mail servers for how to enforce them. In this edition of “DMARC Explained” you’ll learn what DMARC is and how it works.
Specifically, DMARC establishes a method for a domain owner to:
Publish its email authentication practices
State what actions should be taken on mail that fails authentication checks
Enable reporting of these actions taken on mail claiming to be from its domain
DMARC itself is not itself an email authentication protocol, but it builds on key authentication standards SPF and DKIM. With them, it supplements SMTP, the basic protocol used to send email, because SMTP does not itself include any mechanisms for implementing or defining policies for email authentication.
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DMARC allows an organization to publish a policy that defines its email authentication practices and provides instructions to receiving mail servers for how to enforce them. In this edition of “DMARC Explained” you’ll learn what DMARC is and how it works.
Specifically, DMARC establishes a method for a domain owner to:
Publish its email authentication practices
State what actions should be taken on mail that fails authentication checks
Enable reporting of these actions taken on mail claiming to be from its domain
DMARC itself is not itself an email authentication protocol, but it builds on key authentication standards SPF and DKIM. With them, it supplements SMTP, the basic protocol used to send email, because SMTP does not itself include any mechanisms for implementing or defining policies for email authentication.
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DMARC allows an organization to publish a policy that defines its email authentication practices and provides instructions to receiving mail servers for how to enforce them. In this edition of “DMARC Explained” you’ll learn what DMARC is and how it works.
Specifically, DMARC establishes a method for a domain owner to:
Publish its email authentication practices
State what actions should be taken on mail that fails authentication checks
Enable reporting of these actions taken on mail claiming to be from its domain
DMARC itself is not itself an email authentication protocol, but it builds on key authentication standards SPF and DKIM. With them, it supplements SMTP, the basic protocol used to send email, because SMTP does not itself include any mechanisms for implementing or defining policies for email authentication.
DMARC 是如何工作的?
DMARC依赖于已建立的SPF和DKIM标准进行电子邮件验证。它还利用了成熟的域名系统 (DNS)。一般来说,DMARC验证的过程如下:
域管理员发布定义其电子邮件认证实践的策略,以及接收邮件服务器应如何处理违反该策略的邮件。此DMARC策略作为域的整体DNS记录的一部分列出。
当一个入站邮件服务器收到一封传入的电子邮件时,它使用DNS查找消息“From” (RFC 5322) 标头中包含的域的DMARC策略。然后入站服务器检查三项关键因素来评估消息:
该消息的DKIM签名是否合法?
该消息是否来自发送域的SPF记录允许的IP地址?
消息的标头是否显示正确的“域对齐”?
根据这些信息,服务器准备应用发送域的DMARC策略,以决定是接受、拒绝还是标记电子邮件消息。
使用DMARC策略确定消息的适当处置后,接收邮件服务器将向发送域所有者报告结果。
DMARC依赖于已建立的SPF和DKIM标准进行电子邮件验证。它还利用了成熟的域名系统 (DNS)。一般来说,DMARC验证的过程如下:
域管理员发布定义其电子邮件认证实践的策略,以及接收邮件服务器应如何处理违反该策略的邮件。此DMARC策略作为域的整体DNS记录的一部分列出。
当一个入站邮件服务器收到一封传入的电子邮件时,它使用DNS查找消息“From” (RFC 5322) 标头中包含的域的DMARC策略。然后入站服务器检查三项关键因素来评估消息:
该消息的DKIM签名是否合法?
该消息是否来自发送域的SPF记录允许的IP地址?
消息的标头是否显示正确的“域对齐”?
根据这些信息,服务器准备应用发送域的DMARC策略,以决定是接受、拒绝还是标记电子邮件消息。
使用DMARC策略确定消息的适当处置后,接收邮件服务器将向发送域所有者报告结果。
DMARC依赖于已建立的SPF和DKIM标准进行电子邮件验证。它还利用了成熟的域名系统 (DNS)。一般来说,DMARC验证的过程如下:
域管理员发布定义其电子邮件认证实践的策略,以及接收邮件服务器应如何处理违反该策略的邮件。此DMARC策略作为域的整体DNS记录的一部分列出。
当一个入站邮件服务器收到一封传入的电子邮件时,它使用DNS查找消息“From” (RFC 5322) 标头中包含的域的DMARC策略。然后入站服务器检查三项关键因素来评估消息:
该消息的DKIM签名是否合法?
该消息是否来自发送域的SPF记录允许的IP地址?
消息的标头是否显示正确的“域对齐”?
根据这些信息,服务器准备应用发送域的DMARC策略,以决定是接受、拒绝还是标记电子邮件消息。
使用DMARC策略确定消息的适当处置后,接收邮件服务器将向发送域所有者报告结果。
什么是 DMARC 记录?
A DMARC record is included in an organization’s DNS database. An DMARC record is a specially-formatted version of a standard DNS TXT record with a particular name, namely “_dmarc.mydomain.com” (note the leading underscore). A DMARC record looks something like this: _dmarc.mydomain.com. IN TXT “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”
Reading left-to-right in plain English, this record says:
v=DMARC1 specifies the DMARC version
p=none specifies the preferred treatment, or DMARC policy
rua=mailto:dmarc-aggregate@mydomain.com is the mailbox to which aggregate reports should be sent
ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent
pct=100 is the percentage of mail to which the domain owner would like to have its policy applied
Additional configuration options are available for a domain owner to use in its DMARC policy record as well, but these are the basics.
A DMARC record is included in an organization’s DNS database. An DMARC record is a specially-formatted version of a standard DNS TXT record with a particular name, namely “_dmarc.mydomain.com” (note the leading underscore). A DMARC record looks something like this: _dmarc.mydomain.com. IN TXT “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”
Reading left-to-right in plain English, this record says:
v=DMARC1 specifies the DMARC version
p=none specifies the preferred treatment, or DMARC policy
rua=mailto:dmarc-aggregate@mydomain.com is the mailbox to which aggregate reports should be sent
ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent
pct=100 is the percentage of mail to which the domain owner would like to have its policy applied
Additional configuration options are available for a domain owner to use in its DMARC policy record as well, but these are the basics.
A DMARC record is included in an organization’s DNS database. An DMARC record is a specially-formatted version of a standard DNS TXT record with a particular name, namely “_dmarc.mydomain.com” (note the leading underscore). A DMARC record looks something like this: _dmarc.mydomain.com. IN TXT “v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.com\; ruf=mailto:dmarc-afrf@mydomain.com\; pct=100”
Reading left-to-right in plain English, this record says:
v=DMARC1 specifies the DMARC version
p=none specifies the preferred treatment, or DMARC policy
rua=mailto:dmarc-aggregate@mydomain.com is the mailbox to which aggregate reports should be sent
ruf=mailto:dmarc-afrf@mydomain.com is the mailbox to which forensic reports should be sent
pct=100 is the percentage of mail to which the domain owner would like to have its policy applied
Additional configuration options are available for a domain owner to use in its DMARC policy record as well, but these are the basics.
DMARC 域名对齐是什么意思?
“Domain alignment” is a concept in DMARC that expands the domain validation intrinsic to SPF and DKIM. DMARC domain alignment matches a message’s “from” domain with information relevant to these other standards:
For SPF, the message’s From domain and its Return-Path domain must match
For DKIM, the message’s From domain and its DKIM d= domain must match
The alignment can be relaxed (matching base domains, but allowing different subdomains) or strict (precisely matching the entire domain). This choice is specified in the published DMARC policy of the sending domain.
“Domain alignment” is a concept in DMARC that expands the domain validation intrinsic to SPF and DKIM. DMARC domain alignment matches a message’s “from” domain with information relevant to these other standards:
For SPF, the message’s From domain and its Return-Path domain must match
For DKIM, the message’s From domain and its DKIM d= domain must match
The alignment can be relaxed (matching base domains, but allowing different subdomains) or strict (precisely matching the entire domain). This choice is specified in the published DMARC policy of the sending domain.
“Domain alignment” is a concept in DMARC that expands the domain validation intrinsic to SPF and DKIM. DMARC domain alignment matches a message’s “from” domain with information relevant to these other standards:
For SPF, the message’s From domain and its Return-Path domain must match
For DKIM, the message’s From domain and its DKIM d= domain must match
The alignment can be relaxed (matching base domains, but allowing different subdomains) or strict (precisely matching the entire domain). This choice is specified in the published DMARC policy of the sending domain.
什么是 DMARC p= 策略?
The DMARC specification provides three choices for domain owners to use to specify their preferred treatment of mail that fails DMARC validation checks. These “p= policies” are:
none: treat the mail the same as it would be without any DMARC validation
quarantine: accept the mail but place it somewhere other than the recipient’s inbox (typically the spam folder)
reject: reject the message outright
Remember that the domain owner can only request, not force, enforcement of its DMARC record; it’s up to the inbound mail server to decide whether or not to honor the requested policy.
The DMARC specification provides three choices for domain owners to use to specify their preferred treatment of mail that fails DMARC validation checks. These “p= policies” are:
none: treat the mail the same as it would be without any DMARC validation
quarantine: accept the mail but place it somewhere other than the recipient’s inbox (typically the spam folder)
reject: reject the message outright
Remember that the domain owner can only request, not force, enforcement of its DMARC record; it’s up to the inbound mail server to decide whether or not to honor the requested policy.
The DMARC specification provides three choices for domain owners to use to specify their preferred treatment of mail that fails DMARC validation checks. These “p= policies” are:
none: treat the mail the same as it would be without any DMARC validation
quarantine: accept the mail but place it somewhere other than the recipient’s inbox (typically the spam folder)
reject: reject the message outright
Remember that the domain owner can only request, not force, enforcement of its DMARC record; it’s up to the inbound mail server to decide whether or not to honor the requested policy.
什么是DMARC报告?
DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:
Aggregate reports, which are XML documents showing statistical data about the messages received that claimed to be from a particular domain. Date reported includes authentication results and message disposition. Aggregate reports are designed to be machine-readable.
Forensic reports, which are individual copies of messages which failed authentication, each enclosed in a full email message using a special format called AFRF. Forensic report can be useful both for troubleshooting a domain’s own authentication issues and for identifying malicious domains and web sites.
DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:
Aggregate reports, which are XML documents showing statistical data about the messages received that claimed to be from a particular domain. Date reported includes authentication results and message disposition. Aggregate reports are designed to be machine-readable.
Forensic reports, which are individual copies of messages which failed authentication, each enclosed in a full email message using a special format called AFRF. Forensic report can be useful both for troubleshooting a domain’s own authentication issues and for identifying malicious domains and web sites.
DMARC reports are generated by inbound mail servers as part of the DMARC validation process. There are two formats of DMARC reports:
Aggregate reports, which are XML documents showing statistical data about the messages received that claimed to be from a particular domain. Date reported includes authentication results and message disposition. Aggregate reports are designed to be machine-readable.
Forensic reports, which are individual copies of messages which failed authentication, each enclosed in a full email message using a special format called AFRF. Forensic report can be useful both for troubleshooting a domain’s own authentication issues and for identifying malicious domains and web sites.
DMARC与SPF、DKIM或其他标准有什么关联?
DKIM, SPF, and DMARC are all standards that enable different aspects of email authentication. They address complementary issues.
SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
DKIM provides an encryption key and digital signature that verifies that an email message was not faked or altered.
DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
DKIM, SPF, and DMARC are all standards that enable different aspects of email authentication. They address complementary issues.
SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
DKIM provides an encryption key and digital signature that verifies that an email message was not faked or altered.
DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
DKIM, SPF, and DMARC are all standards that enable different aspects of email authentication. They address complementary issues.
SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
DKIM provides an encryption key and digital signature that verifies that an email message was not faked or altered.
DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
我需要 DMARC 吗?
如果您是一家发送商业或 交易邮件的企业,您绝对需要实施一种或多种形式的 电子邮件认证 来验证电子邮件确实来自您或您的企业。正确配置 DMARC 帮助接收邮件服务器确定如何评估声称来自您域的邮件,而这是改善邮件投递率的最重要步骤之一。
然而,像 DMARC 这样的标准仅能做到这些;MessageBird 和其他电子邮件专家 建议在 完整的消息策略 背景下实施 DMARC 电子邮件认证政策。
如果您是一家发送商业或 交易邮件的企业,您绝对需要实施一种或多种形式的 电子邮件认证 来验证电子邮件确实来自您或您的企业。正确配置 DMARC 帮助接收邮件服务器确定如何评估声称来自您域的邮件,而这是改善邮件投递率的最重要步骤之一。
然而,像 DMARC 这样的标准仅能做到这些;MessageBird 和其他电子邮件专家 建议在 完整的消息策略 背景下实施 DMARC 电子邮件认证政策。
如果您是一家发送商业或 交易邮件的企业,您绝对需要实施一种或多种形式的 电子邮件认证 来验证电子邮件确实来自您或您的企业。正确配置 DMARC 帮助接收邮件服务器确定如何评估声称来自您域的邮件,而这是改善邮件投递率的最重要步骤之一。
然而,像 DMARC 这样的标准仅能做到这些;MessageBird 和其他电子邮件专家 建议在 完整的消息策略 背景下实施 DMARC 电子邮件认证政策。
加入我们的Newsletter。
通过每周更新到您的收件箱,随时了解 Bird 的最新动态。
通过提交,您同意 Bird 可能会就我们的产品和服务与您联系。
您可以随时取消订阅。查看Bird的隐私声明以获取有关数据处理的详细信息。
加入我们的Newsletter。
通过每周更新到您的收件箱,随时了解 Bird 的最新动态。
通过提交,您同意 Bird 可能会就我们的产品和服务与您联系。
您可以随时取消订阅。查看Bird的隐私声明以获取有关数据处理的详细信息。
加入我们的Newsletter。
通过每周更新到您的收件箱,随时了解 Bird 的最新动态。
通过提交,您同意 Bird 可能会就我们的产品和服务与您联系。
您可以随时取消订阅。查看Bird的隐私声明以获取有关数据处理的详细信息。
