As part of the DMARC verification process, SecurityGateway performs a DMARC DNS query on the domain found in the From: header of each incoming message. This is done to determine whether or not the domain uses DMARC, and if so, to retrieve its DMARC DNS record, which contains its policy and other DMARC related information. DMARC relies on SPF and DKIM to validate each message: to pass DMARC verification, at least one of those checks must pass with an identifier that is aligned to the From: domain (the SPF MAIL FROM domain, or the d= domain of a verified DKIM signature). If the message passes then it will proceed normally through the rest of SecurityGateway's delivery and filtering processes. If it fails, however, then the fate of the message is determined by a combination of the domain's DMARC policy and how you have configured SecurityGateway to deal with those messages.
If a message fails DMARC verification and the DMARC domain has a policy of "p=none" then no punitive action will be taken and normal message processing will continue. Conversely, when the DMARC domain has a restrictive policy of "p=quarantine" or "p=reject," SecurityGateway can optionally reject the message, filter it automatically to the receiving user's Quarantine folder, add some text to its Subject header, or adjust its Message Score. Additionally for failed messages with restrictive policies, SecurityGateway will insert the "X-SGDMARC-Fail-policy: quarantine" or "X-SGDMARC-Fail-policy: reject" header, depending on the policy. This makes it possible for you to use a Sieve Script or your mail server's content filtering system to perform some action based on the presence of those headers, such as sending the message to a specific folder for further scrutiny.
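The evaluation described above, written out as an added example (this is illustrative code, not SecurityGateway's implementation). It parses a DMARC record, applies strict or relaxed identifier alignment from the adkim= and aspf= tags, falls back to the organizational domain's record and its sp= tag for subdomain senders, and inserts the X-SGDMARC-Fail-policy header on a failure under a restrictive policy. The FAKE_DNS table stands in for the DNS query, the organizational-domain helper uses a two-label simplification instead of the Public Suffix List, and the sample messages and authentication results are constructed for the example.

```python
"""Evaluate DMARC for an inbound message against a constructed DNS table."""
import re
from dataclasses import dataclass

# Constructed stand-in for the _dmarc.<domain> TXT lookups; not live DNS.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict; None if not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    # Simplification for the example: the last two labels.
    # Real verifiers consult the Public Suffix List.
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def lookup_policy(from_dom):
    """Return (record, applicable policy). A subdomain without its own record
    falls back to the organizational domain's record and its sp= tag."""
    txt = FAKE_DNS.get("_dmarc." + from_dom)
    record = parse_dmarc_record(txt) if txt else None
    if record is not None:
        return record, record["p"].lower()
    org = organizational_domain(from_dom)
    if org != from_dom:
        txt = FAKE_DNS.get("_dmarc." + org)
        record = parse_dmarc_record(txt) if txt else None
        if record is not None:
            return record, record.get("sp", record["p"]).lower()
    return None, None


def aligned(from_dom, auth_dom, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if not auth_dom:
        return False
    from_dom, auth_dom = from_dom.lower(), auth_dom.lower()
    if mode.lower() == "s":
        return from_dom == auth_dom
    return organizational_domain(from_dom) == organizational_domain(auth_dom)


@dataclass
class AuthResults:
    spf_result: str                 # "pass", "fail", "none", ...
    spf_domain: str                 # domain SPF was evaluated for (MAIL FROM)
    dkim_pass_domains: tuple = ()   # d= of every DKIM signature that verified


FROM_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)>?\s*$")


def from_domain(headers):
    match = FROM_DOMAIN_RE.search(headers.get("From", ""))
    return match.group(1).lower() if match else None


def verify_dmarc(headers, auth):
    """Return (result, policy, extra_headers). result is 'pass', 'fail' or
    'none' (no DMARC record was found, so there is nothing to enforce)."""
    from_dom = from_domain(headers)
    if from_dom is None:
        return "none", None, {}
    record, policy = lookup_policy(from_dom)
    if record is None:
        return "none", None, {}
    spf_ok = (auth.spf_result == "pass"
              and aligned(from_dom, auth.spf_domain, record.get("aspf", "r")))
    dkim_ok = any(aligned(from_dom, d, record.get("adkim", "s" if False else record.get("adkim", "r")))
                  for d in auth.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", policy, {}
    extra = {}
    if policy in ("quarantine", "reject"):
        # The header this page says SecurityGateway inserts on such failures.
        extra["X-SGDMARC-Fail-policy"] = policy
    return "fail", policy, extra


if __name__ == "__main__":
    # Constructed message: DKIM d=mail.example.com fails strict alignment,
    # SPF passed for an unrelated domain, so DMARC fails under p=reject.
    msg = {"From": "Alice <alice@example.com>", "Subject": "Invoice"}
    print(verify_dmarc(msg, AuthResults("pass", "otherhost.net", ("mail.example.com",))))
```

Note that a passing SPF check is not enough on its own: in the constructed run above SPF passes for otherhost.net, but that domain is not aligned with example.com, so it contributes nothing to the DMARC result. That is exactly the forged-From case DMARC exists to catch.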
DMARC Verification
Enable DMARC verification and reporting
When this option is enabled, SecurityGateway will perform DMARC DNS queries on the domain found in the From: header of incoming messages, and it will send aggregate and failure reports if you have set it to do so on the DMARC Reporting screen. DMARC uses SPF and DKIM to validate messages, therefore at least one of those features must be enabled before DMARC can be used. DMARC verification and reporting is enabled by default and should be used in most SecurityGateway configurations.
Enable Authenticated Received Chain (ARC) Verification
Check this box to enable ARC verification. ARC is an email authentication protocol that allows intermediate mail servers to digitally sign a message's authentication results, so that when the message continues to its final destination, it can still be verified even though SPF or DKIM verification might fail because of forwarding or mailing list modifications. ARC Verification allows you to specify domains whose ARC results you trust, so that by reviewing those results SecurityGateway can determine whether to accept the message. For more information on the ARC protocol, see: RFC 8617: The Authenticated Received Chain (ARC) Protocol.
Manage Trusted ARC Sealers
Click this button to manage your Trusted ARC Sealers, which are the domains whose ARC results you trust. ARC results from non-trusted domains are ignored when doing DMARC verification.
Disabling support for DMARC could allow an increase in spam, phishing, or otherwise forged messages getting to your users. In some cases it could also cause some of your mail servers' mailing list messages to be rejected by other servers and even cause some list members to be dropped from your lists. You should not disable DMARC unless you are absolutely sure that you have no need of it.
When verification returns a REJECT result:
This is the action that will be taken when an incoming message fails the DMARC verification process and the purported sending domain's DMARC DNS record is set to p=reject.
...refuse the message
Choose this option if you wish to refuse messages during the SMTP process when the DMARC verification process returns a REJECT result. This option is selected by default.
Even if you choose not to refuse these messages, a message could still be refused for some other reason, such as your SPF or DKIM settings, or for having a Message Score above the permitted threshold.
...quarantine the message
Choose this option if you wish to quarantine messages rather than reject them when the DMARC verification process returns a REJECT result. With this option you can also use the "...tag the subject with [ text ]" and "...add [xx] points to message score" options below.
...accept the message
When this option is chosen, SecurityGateway will accept messages that receive a REJECT result from the DMARC verification process, but you can still use the options below to tag their subject headers and adjust their Message Scores.
...tag the subject with [ text ]
When you have configured SecurityGateway to accept or quarantine a message that fails DMARC verification with a REJECT directive, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". By using this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.
There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the SPF and Message Scoring pages also have this option. When the designated text in these options matches, the tag will only be added to a message's subject once even if that message meets the criteria under each option. If, however, the text differs between the options, then each unique tag will be added. For example, the default text in this option is "*** FRAUD ***" but the default text in Message Scoring is "*** SPAM ***". Because the two tags are different, both would be added to messages matching the criteria of both options. But, if you changed the text in one of the options to be identical to the other one, then the tag would be added only once.
...add [xx] points to message score
When you have configured SecurityGateway to accept or quarantine a message that fails DMARC verification for a domain with a REJECT policy directive, this option adds the specified value to the Message Score. If the final score for the message is high enough then that could still cause the message to be quarantined or refused, depending on your Message Scoring settings. By default this option adds 5.0 points to the Message Score.
When verification returns a QUARANTINE result:
This is the action that will be taken when an incoming message fails the DMARC verification process and the purported sending domain's DMARC DNS record is set to p=quarantine.
...refuse the message
Choose this option if you wish to refuse messages during the SMTP process when the DMARC verification process returns a QUARANTINE result.
...quarantine the message
Choose this option if you wish to quarantine messages rather than reject them when the DMARC verification process returns a QUARANTINE result. With this option you can also use the "...tag the subject with [ text ]" and "...add [xx] points to message score" options below. This option is selected by default.
...accept the message
When this option is chosen, SecurityGateway will accept messages that receive a QUARANTINE result from the DMARC verification process, but you can still use the options below to tag their subject headers and adjust their Message Scores.
...tag the subject with [ text ]
When you have configured SecurityGateway to accept or quarantine a message that fails DMARC verification with a QUARANTINE directive, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". By using this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.
There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the SPF and Message Scoring pages also have this option. When the designated text in these options matches, the tag will only be added to a message's subject once even if that message meets the criteria under each option. If, however, the text differs between the options, then each unique tag will be added. For example, the default text in this option is "*** FRAUD ***" but the default text in Message Scoring is "*** SPAM ***". Because the two tags are different, both would be added to messages matching the criteria of both options. But, if you changed the text in one of the options to be identical to the other one, then the tag would be added only once.
...add [xx] points to message score
When you have configured SecurityGateway to accept or quarantine a message that fails DMARC verification for a domain with a QUARANTINE policy directive, this option adds the specified value to the Message Score. If the final score for the message is high enough then that could still cause the message to be quarantined or refused, depending on your Message Scoring settings. By default this option adds 2.0 points to the Message Score.
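The REJECT and QUARANTINE action settings above, modelled as an added example (illustrative code, not SecurityGateway's own). It shows the order in which the decisions interact: a "refuse" choice ends processing during SMTP before any tagging or scoring; "quarantine" and "accept" let the subject tag and points apply; Message Scoring then runs last and can still quarantine or refuse a message you chose to accept; and a tag string is prepended at most once even when the DMARC tag and the Message Scoring tag are configured to the same text. The DMARC-side defaults are the ones stated on this page; the Message Scoring thresholds in ScoringSettings are assumptions chosen for the example, and the sample messages are constructed.

```python
"""Apply the configured DMARC fail actions, then Message Scoring."""
from dataclasses import dataclass


@dataclass
class FailAction:
    """What to do with a message whose DMARC result is fail under one policy."""
    action: str               # "refuse", "quarantine" or "accept"
    tag_subject: bool = False
    tag_text: str = "*** FRAUD ***"
    add_points: float = 0.0


# Defaults as described on this page: p=reject -> refuse (5.0 points when the
# message is accepted or quarantined instead), p=quarantine -> quarantine (2.0).
DEFAULT_ACTIONS = {
    "reject": FailAction("refuse", add_points=5.0),
    "quarantine": FailAction("quarantine", add_points=2.0),
}


@dataclass
class ScoringSettings:
    """Message Scoring settings. The tag text is the page's default; the
    three thresholds are assumptions for this example, not product defaults."""
    tag_text: str = "*** SPAM ***"
    tag_at: float = 5.0
    quarantine_at: float = 5.0
    refuse_at: float = 12.0


def dispose(headers, dmarc_result, dmarc_policy, score, actions=None, scoring=None):
    """Return (outcome, headers, score); outcome is 'refuse', 'quarantine'
    or 'accept'. Each distinct tag text is prepended to the Subject once."""
    actions = DEFAULT_ACTIONS if actions is None else actions
    scoring = ScoringSettings() if scoring is None else scoring
    headers = dict(headers)
    applied = set()

    def tag(text):
        if text not in applied:
            applied.add(text)
            headers["Subject"] = f"{text} {headers.get('Subject', '')}".rstrip()

    outcome = "accept"
    if dmarc_result == "fail" and dmarc_policy in actions:
        cfg = actions[dmarc_policy]
        if cfg.action == "refuse":
            return "refuse", headers, score   # refused during SMTP; nothing else runs
        if cfg.tag_subject:
            tag(cfg.tag_text)
        score += cfg.add_points
        if cfg.action == "quarantine":
            outcome = "quarantine"

    # Message Scoring has the last word: even an "accept" choice above can
    # still end in quarantine or refusal once the points are added up.
    if score >= scoring.refuse_at:
        return "refuse", headers, score
    if score >= scoring.tag_at:
        tag(scoring.tag_text)
    if score >= scoring.quarantine_at:
        outcome = "quarantine"
    return outcome, headers, score


if __name__ == "__main__":
    # Constructed: p=reject domain, operator chose to quarantine and tag.
    lenient = {"reject": FailAction("quarantine", tag_subject=True, add_points=5.0)}
    print(dispose({"Subject": "Invoice"}, "fail", "reject", 0.0, lenient))
```

The last case in the checks below is the one the note under "...refuse the message" warns about: with "...accept the message" selected for QUARANTINE results, a message that already carried 10.5 points picks up the default 2.0 and crosses the (assumed) refuse threshold, so it is refused by Message Scoring regardless of the DMARC choice.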
Exclusions
Exclude messages from allowlisted IP addresses
By default, messages coming from allowlisted IP addresses will be exempt from DMARC verification. Clear this checkbox if you wish to use DMARC verification even when the sender is on the IP Address allowlist.
Exclude messages from authenticated sessions
Messages arriving over authenticated SMTP sessions are excluded from DMARC verification by default. Clear this checkbox if you wish to use DMARC verification even when the SMTP session is authenticated.
Exclude messages from domain mail servers
Messages coming from one of your domain mail servers will be exempt from DMARC verification by default. Clear this checkbox if you wish to use DMARC verification even for messages coming from those servers.