2
DMARC and how it actually works with SmarterMail?
Question asked by Steve Guluk - 2/11/2023 at 12:39 PM
Answered
Hello, 
1) When we set our DMARC record to p=quarantine does SmarterMail know how to handle this by default or do we need make other settings in SmarterMail to determine where the quarantined email goes?

2) I use a subdomain to send and receive all emails for my customers. I currently have a DMARC DNS record for that subdomain within the parent DNS record, but think it may not be needed as the DMARC element sp=none is in place.

Thank you to anyone that can help shed light on these questions.

12 Replies

0
Douglas Foster Replied
The subdomain record is optional, but if you use it, it is configured at _dmarc.subdomain.parentdomain.topdomain.   The p= term on the subdomain takes precedence over the sp clause on the parent.

Search for "RFC 7489" to read the full DMARC specification.
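An added example (not from this thread or from SmarterMail) of the precedence just described: a receiver looks for the subdomain's own `_dmarc` record first and only falls back to the parent's `sp=` (or `p=` when `sp=` is absent). The DNS data is a constructed dictionary with hypothetical domains, and the organizational domain is passed in rather than derived from the public suffix list.

```python
from typing import Dict, Optional

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>; domains are hypothetical.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.mail.example.com": "v=DMARC1; p=reject",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")
            tags[tag.strip().lower()] = value.strip()
    return tags


def lookup(domain: str) -> Optional[Dict[str, str]]:
    """Return the parsed DMARC record for a domain, or None if there is no valid one."""
    rec = DNS_TXT.get("_dmarc." + domain.lower())
    if rec is None:
        return None
    tags = parse_dmarc(rec)
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def effective_policy(from_domain: str, org_domain: str) -> str:
    """Policy a receiver applies to mail whose From header domain is from_domain.

    RFC 7489 discovery order: the domain's own record wins; otherwise the
    organizational domain's sp= covers subdomains, falling back to its p=.
    """
    own = lookup(from_domain)
    if own is not None:
        return own.get("p", "none")
    if from_domain.lower() == org_domain.lower():
        return "none"  # no record at all: DMARC does not apply
    parent = lookup(org_domain)
    if parent is None:
        return "none"
    return parent.get("sp", parent.get("p", "none"))
```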
1
Douglas Foster Replied
Marked As Answer
Some thoughts on your post:
DMARC works across forwarding, as long as the message is not altered, while SPF does not.  You have no way of knowing in advance whether messages will be forwarded, but some forwarding is likely. Consequently, you should ensure that your messages are being signed.   There are several ways to verify that messages are signed correctly.  You can search for "DKIM TEST" to find them, or you can send a message to a gmail.com account and then review the source view.    

The policy that you publish can be used by recipients to decide how to handle messages you send, not how incoming messages are handled.

For incoming messages, you choose whether to enable DMARC in the Antispam options.   But the implementation disappoints me.
1) The documentation says that Spam Quarantine is only for outbound messages.   This is confirmed by the fact that weight-based options do not provide for a quarantine option.   A logical inference is that DMARC FAIL with p=QUARANTINE will cause the message to be delivered to the user's spam folder, which is not a safe way to quarantine.   

2) You need good log-parsing tools to evaluate DMARC decisions.   If it truly detected a malicious source, you need to identify the responsible identifiers and configure rules to block them.   If DMARC threw a false positive, you need to be able to configure a rule to cause DMARC to be ignored for that
To fix the errors, you need to be able to configure multiple-attribute rules, like "If MailFrom=ConstantContact.Com and SPF=PASS and FROM=Example.com, then treat equivalent to DMARC PASS".   SmarterMail doesn't seem to have the tools to do this.  False positives will most definitely occur.

3) Log files do not facilitate detecting and evaluating problems on a quick-response or even same-day basis.

Essentially all of these issues apply to SPF FAIL processing as well.

Because of these limitations, I do a crude approximation of DMARC using heavily customized Declude and a downstream commercial-product spam filtering appliance.
3
Zach Sylvester Replied
Employee Post
Hey Steve, 

Thanks for reaching out with this question. Currently, I would say that DMARC half works. 

The reject works but the quarantine does not. 
I'm going to have a meeting tomorrow or Wednesday with management regarding this and talk about how we should handle quarantine. 

Kind Regards, 

Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Steve Guluk Replied
Hey Zach,
Hopefully, this will be addressed as more entities are blocking mail if SPF, DKIM and DMARC are not properly in place.

Does the Quarantine to Spam work as Douglas noted? Or does this require some rules or code on the Declude level to implement?
0
Douglas Foster Replied
Steve, you are still confusing the two.    As long as you have a policy in place, your messages produce SPF PASS (to validate the MailFrom domain), and are DKIM signed (to validate the From domain), you should not need to worry about messages being blocked.  Whether you specify None, Quarantine, or Reject does not matter as long as the messages produce PASS.

If you turn on SmarterMail DMARC, you will filter incoming traffic based on the domain policy of the From address.   One form of spam uses your domain for both From and To, and these messages will be detected as DMARC FAIL, so your DMARC policy will apply to those messages.   Based on the support comment, it appears that your policy will be ignored if it specifies Quarantine.

Unfortunately, there are legitimate sites that will do the very same type of impersonation, including a US Government website and the secure email feature of two big email filtering vendors.    That's why I consider the review process and exception mechanism of equal importance with DMARC FAIL detection.

About Declude:   The built-in SPF test does not handle multi-segment SPF records, causing incorrect results on a non-trivial percentage of messages.   So I have replaced it with a Declude custom filter that calls Python PYSPF.   The Python module DKIMPY does my DKIM evaluation.   (Both modules are open source.)   We customized DKIMPY a little to check all signatures that are similar to the From domain, and return a PASS or FAIL result.    We use a heuristic to define "similar", rather than the public suffix list, which is why I call it a poor man's implementation of DMARC.   A Python programmer should be able to build the missing PSL lookup logic into DKIMPY.

I am happy to share scripts from my implementation.

For receiving and processing DMARC feedback reports, I use a free account at postmarkapp.com.   Limited features for free, advanced features for a price.

1
Zach Sylvester Replied
Employee Post
Hey All, 

I just wanted to give you an update on this. I had a meeting last week and it looks like we are going to add a spam weight that you can edit for when DMARC fails and the policy is set to Quarantine. 
We are not going to use the percentage tag inside of the DMARC records so using this feature would be the same as having DMARC PCT set to 100%. 
At this time we are also not going to be sending DMARC reports. But those two things may be added in the future if you guys submit a feature request and enough people want it. 

Kind Regards, 

Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
3
Douglas Foster Replied
No need to implement the PCT parameter.   It was a bad idea from the start, and it makes no sense for evaluators to pay attention to it.   The DMARC working group, which I have been monitoring, is writing an updated specification.  The PCT parameter is dropped in that draft.

0
David B. Alexander Replied
This is generally related to the above conversation: a business colleague is sending emails to a user email address that is hosted on SmarterMail. That SmarterMail-hosted email address then forwards to the user's Gmail address. Gmail determines that DMARC was not followed, and since the original sender (the business colleague) has their DMARC policy set to Reject, their emails are getting bounced back.

When I send to the same user and the email gets forwarded to that user's Gmail account, and I look via "Show original", both SPF and DKIM show as "PASSED".

Is the business colleague doing something wrong when he sends (in his email setup)? Is there any way to have SmarterMail forward emails and keep DKIM or SPF intact for the business colleague? And, is there a way you know of to tell Gmail to ignore DMARC for this one particular sender? As you can tell, I am not sure what is going on, other than the fact that the bounce message says the emails for the business colleague failed DMARC and have a Reject setting.
0
Zach Sylvester Replied
Employee Post
Hey David, 

Thanks for reaching out. It sounds like they need to enable SRS. Per our documentation. 
  • Enable SRS when forwarding messages - Enable this to allow the mail server to re-email (as opposed to "forward") an email message so that it passes any SPF checks on the recipient's end.
I hope this helps. 

Thanks, 
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
David B. Alexander Replied
Thank you, Zach. I have updated the SRS to "Enabled" and propagated it to all domains, and asked that colleague to try a test when he gets my email message. So hopefully that did the trick. Will let you (and others) know.

Is forwarding from an email address handled the same way as forwarding that an alias does?
0
Douglas Foster Replied
I have to disagree with Zach.  SRS will do nothing to fix your DMARC problem.   SRS rewrites the SMTP MailFrom address to use your domain.   That allows the forwarded message to pass SPF based on your domain, but does nothing for DMARC FAIL, because DMARC is based on the message From address, not the SMTP MailFrom address.

Since DMARC checks the message's From header, the domain being verified is the originator's domain.   DMARC looks for alignment with a verified MailFrom address or alignment with a verified DKIM signature.   Forwarded mail will lose SPF alignment or SPF verification, so the only surviving authentication option is DKIM.

Given that the rejected message failed DKIM verification, it had one of two problems:
1) It never had a valid DKIM signature for the originator domain, or
2) Your environment added or altered content so that the DKIM signature became invalid.

A domain should never publish a "Reject" policy until they are certain that all messages are transmitted with signatures, but not everybody does what they should.    Given your other comments, this seems like the most likely case.

But your environment could be causing the problem if 
(a) SmarterMail or your spam filter add any text, such as "This message received from an external source"
(b) You have a fancy spam filter that rewrites all links to provide "click-time" protection.
(c) You have SmarterMail configured to add a footer or signature to every outbound message.
(d) The target address is a SmarterMail mailing list address, and you have configured the list to add content to the subject or body to identify it as a list message.

If any of these apply, the solution is to disable any feature that is adding or altering message content.

Note that when Gmail (or anybody else) blocks a message, your server's reputation takes a hit.    If you take enough hits, you could have all of your messages to that organization getting blocked.  One organization posted in this forum about getting a temporary infection that led to a Gmail block.   The block was cleared after 30 days, during which time they lost all communication to the world's largest email system.   You could also end up on an RBL, and discover that your messages to lots of organizations are getting blocked.

Given that every email client handles multiple email accounts, there are very few good reasons to do message forwarding, and lots of downside risks.   I suggest reviewing whether you want to allow forwarding off of your system at all.  Unfortunately, SmarterMail has primitive options:   everybody can forward, or nobody can forward.

Product Directions:
SmarterMail (and every other mail product) should change the way that auto-forwarding is implemented.   Instead of applying a user forward setting automatically, the setting should generate an approval request to the domain admin or system admin.   The request should only be approved if the admin gets a message from the forwarding target account to confirm that it wants the forwarding stream.   This prevents mistakes and abuse.   Then the admin can decide whether the forwarding request is acceptable based on admin policy:  lots of organizations are subject to data privacy regulations which are violated as soon as the organization's communications are forwarded to a personal account.

Doug Foster

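An added example (not from this thread, nor from SmarterMail, Declude or dkimpy) that models the alignment logic described above, plus the kind of multi-attribute exception rule Douglas asked for earlier ("If MailFrom=ConstantContact.Com and SPF=PASS and FROM=Example.com, then treat equivalent to DMARC PASS"). It uses constructed domains, a last-two-labels heuristic for the organizational domain instead of the public suffix list, and a hypothetical `EXCEPTIONS` table; `forward()` shows why SRS restores SPF but not DMARC, and why altered content breaks the only surviving path.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AuthState:
    """Constructed view of one message's authentication state at a receiver."""
    from_domain: str       # RFC5322.From domain: the identifier DMARC protects
    mail_from_domain: str  # SMTP MAIL FROM domain: the identifier SPF checks
    spf_result: str        # "pass" or "fail"
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # [(d= domain, result)]


def org_domain(domain: str) -> str:
    """Heuristic organizational domain (last two labels); a real evaluator uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(a: str, b: str, mode: str = "r") -> bool:
    """Relaxed alignment compares organizational domains; strict requires equality."""
    return a.lower() == b.lower() if mode == "s" else org_domain(a) == org_domain(b)


# Hypothetical local override rules: (SMTP MailFrom domain, From header domain).
EXCEPTIONS = {("constantcontact.com", "example.com")}


def dmarc_result(m: AuthState, mode: str = "r") -> str:
    """'pass' if an aligned SPF or DKIM identifier verified, else 'fail'."""
    if m.spf_result == "pass" and aligned(m.mail_from_domain, m.from_domain, mode):
        return "pass"
    if any(r == "pass" and aligned(d, m.from_domain, mode) for d, r in m.dkim):
        return "pass"
    if m.spf_result == "pass" and (m.mail_from_domain.lower(), m.from_domain.lower()) in EXCEPTIONS:
        return "pass"  # local policy: known sender, treat as DMARC PASS despite no alignment
    return "fail"


def forward(m: AuthState, forwarder: str, srs: bool, alters_body: bool) -> AuthState:
    """Authentication state the next hop sees after this host re-sends the message."""
    # Without SRS the forwarder's IP is not authorized for the original MAIL FROM, so SPF
    # fails; with SRS the MAIL FROM is rewritten to the forwarder, which passes SPF for
    # the forwarder's domain but is no longer aligned with the From header.
    mail_from = forwarder if srs else m.mail_from_domain
    spf = "pass" if srs else "fail"
    # DKIM survives forwarding only if the signed headers and body are left untouched.
    dkim = [(d, "fail" if alters_body else r) for d, r in m.dkim]
    return AuthState(m.from_domain, mail_from, spf, dkim)
```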
0
Douglas Foster Replied
On the other hand, I know that Gmail has a relaxed approach to DMARC enforcement, so perhaps SRS will be sufficient for them. 
