Cloud Email Gateway Protection authenticates incoming email messages of the selected domain and allows administrators to take actions on messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered according to the DMARC settings.
The DMARC settings apply only to the selected recipient domain.
Note
Cloud Email Gateway Protection provides a built-in default rule that has the lowest priority to ensure you receive a baseline level of protection. The default rule cannot be deleted.
You can create only one rule for each Managed Domain. The default rule is applied if no other rule matches the Managed Domain.
Procedure
- Go to .
- Click Add. The Add DMARC Settings screen appears.
- Select a specific recipient domain from the Managed domain drop-down list.
- Enable DMARC.
- Optionally select Skip DMARC for email messages with no envelope sender addresses.
- Optionally select Enable Authenticated Received Chain (ARC).
  Cloud Email Gateway Protection will successfully authenticate the email messages that fail DMARC authentication but pass ARC validation, and will also insert a set of ARC headers into these email messages.
  Here is an example of a set of ARC headers:
    ARC-Authentication-Results: i=2; tmes.trendmicro.com; spf=temperror (sender IP address: 10.135.11.245) smtp.mailfrom=example.com; dkim=none (no processed signatures) header.d=none; dmarc=fail action=none header.from=test.com; arc=pass
    ARC-Message-Signature: i=2; a=rsa-sha256; d=tmes.trendmicro.com; s=TM-DKIM-20200223173148; t=1628750516; c=relaxed/relaxed; bh=5ffn1pIbUBxx6CFHIVuU2HzEpEvAtzhWZ1Jz7ddgWws=; h=Date:From:To:Subject:Message-ID:Content-Type; b=cAaAR+7GtaByy8iSJiWo7GIf8T28Pjod3W2vWKcQWLH/7YA4n0X51cSBlPwtTygfX otqfftTsCNIO1/Xx5LtdE2KdVYZbVgrFo+WpDgtCXCLLw6sO7OsdsPSSPbcpEq8r6q ERfAqu5TNDLaj2+cR197bBhUFYVDJDe7pbfNaAy2g8GL3gOGrkWQcYw1DrRWXeOSEi 3i59afFHqH3LOY4cmlyWDpZxyDhhn7Rhb3ZNlw9aUuQtMj7iaXkxQaC1M/T6bxLEAE XXV4jczaONiJ/5XmsPlR0gvHr0SpC42isWxElyXr2J1C93HgeAmK1Db4JAOGV2mXMF I3fzA7jbSSLag==
    ARC-Seal: i=2; a=rsa-sha256; d=tmes.trendmicro.com; s=TM-DKIM-20200223173148; t=1628750516; cv=pass; b=LKQY/mrwXnJKLJIclybRcGQyWziCvHqIFBAZAYtTlz1aYQ2EiHaXaLbkmokgF8ibC zj5UwsJrIj20lpm0aB+qKDoy4Psme/I3JZNDa5B1OeLHvkcubfUq9bzfSZadkN/dWC N9FfbNSQwiZ0++SOLVwYCcIqh9PkWcfIJa7bo4sP7aUZjJkcXutfcm0q94J9j4fIgz HWxEh58pvjtuMrSKCVCyMIODGoEYa1EbD2EbiTI7iZ54VfPXHjR79b0+21xppZbVEN 0QZGWYuuCoLUrIWDhPzS0kyYyIumPIh4RLe8sMKaBrKECo89XU+BjfNuwZpAPJs/id Q6RbaHHVtp8XA==
- Optionally select Insert an X-Header into email messages.
  An X-Header is added to indicate whether DMARC authentication is successful or not.
  Here are some examples of the X-Header:
    X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=none
    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=fail action=none header.from=example.com; arc=none
    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass
    X-TM-Authentication-Results: spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass
- Optionally select Deliver daily reports to senders.
  If you select this option, aggregated reports will be generated daily for authentication failures and sent back to email senders.
- Under Intercept, specify how Cloud Email Gateway Protection responds when an email fails the DMARC mechanism check, based on the domain owner’s DMARC policy.
  A DMARC policy tag instructs recipients how to handle email messages that fail DMARC authentication. There are three values for the tag: none, quarantine, and reject. Cloud Email Gateway Protection enables you to decide whether to follow a domain owner’s DMARC policy and configure separate actions for sending domains with and without well-defined DMARC policies.
  - Log only: Do not follow the domain owner’s DMARC policy but log the result
    Select this option if you want to monitor for a while how well the domains that often send email to your organization define their DMARC policy.
    Cloud Email Gateway Protection takes the Do not intercept messages action for any DMARC policy. Actions are not editable. The Tag subject and Send notification actions are disabled.
  - Fully apply: Follow the domain owner’s DMARC policy to take actions for all domains
    Select this option if you are confident that the domains that often send email to your organization have a well-defined DMARC policy.
    Click Configure actions by DMARC policy, and then configure Action, Tag subject, and Send notification to apply when an email fails the DMARC mechanism check.
  - Partially apply: Follow the domain owner’s DMARC policy to take actions for specified domains
    Select this option if you want to configure separate actions for sending domains with and without well-defined DMARC policies.
    - Click Configure actions by DMARC policy for specified domains with well-defined DMARC policies.
      - Configure Action, Tag subject, and Send notification to apply when an email fails the DMARC mechanism check.
      - Under Domains, select Use the header sender to match domains.
        Note: The envelope sender address is always used for matching domains. Select this option when you want to use the sender address in the message header for matching as well.
      - Specify one or multiple sender domain names and click + Add.
        - Supported domain name formats: example.com, subdomain.example.com, *.example.com
        - Domain name format not supported: *.com
      - To search for existing domains, type a keyword and click Search.
        To import domains from a CSV file, click Import. The following import options are available:
        - Merge: append the domains to the existing list.
        - Overwrite: replace the existing list with the domains in the file.
        To export all domains to a CSV file, click Export.
    - Click Configure actions by DMARC policy for other domains, and then configure Action, Tag subject, and Send notification to apply when an email fails the DMARC mechanism check.
- Under Tag and Notify, configure the subject tag and notification recipients that apply to the Tag subject and Send notification actions set under Intercept for DMARC mechanism check failure.
  - Tag subject
    Note: Tags can be customized. When selecting the Tag subject action, note the following:
    - This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.
    - To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.
  - Send notification
    Click message to people to select the desired notification template from a list of available notifications.
- Under Ignored Peers, do any of the following:
  - To add ignored peers to skip DMARC authentication for specific sender domains, specify one or multiple sender domain names, IP addresses, or CIDR blocks, and click Add.
    - Supported domain name formats: example.com, subdomain.example.com, *.example.com
    - Domain name format not supported: *.com
    Cloud Email Gateway Protection will not implement DMARC authentication for email messages from the specific domains, IP addresses, or CIDR blocks. The email messages will continue to the next step in the regular delivery process.
    Note
    - For ignored peers specified using domain names, Cloud Email Gateway Protection uses senders' envelope addresses to match the domain names.
    - The ignored peer list takes precedence over the partially applied domain list. If a message matches both lists, Cloud Email Gateway Protection skips DMARC authentication for the message.
    - If you have enabled Skip DMARC for email messages with no envelope sender addresses under General Settings, such messages skip DMARC authentication even if their header sender addresses match the partially applied domain list.
  - To search for, import or export domains, perform similar operations as described in the previous step.
- Click Add to finish adding the DMARC settings.

Note
All the settings you added take effect only when you click Add.
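When the X-Header option is enabled, downstream tooling can read the recorded results instead of re-running the checks. The following is an added example, not part of the product or its documentation: a parser for the header value format shown in the examples above, with a classifier that separates messages authenticated only through ARC from plain DMARC passes and failures. The function names and bucket labels are hypothetical.

```python
import re

# Sample values copied from the examples above (constructed test input).
SAMPLES = [
    "spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; "
    "dkim=pass (signatures verified) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com; arc=none",
    "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; "
    "dkim=fail (no verified signatures found) header.d=example.com; "
    "dmarc=fail action=none header.from=example.com; arc=none",
    # Value of the ARC-Authentication-Results example (has an i= and host prefix).
    "i=2; tmes.trendmicro.com; spf=temperror (sender IP address: 10.135.11.245) "
    "smtp.mailfrom=example.com; dkim=none (no processed signatures) header.d=none; "
    "dmarc=fail action=none header.from=test.com; arc=pass",
]

METHOD = re.compile(r"^(spf|dkim|dmarc|arc)=(\w+)")
PROP = re.compile(r"(smtp\.mailfrom|header\.d|header\.from|action)=(\S+)")
SENDER_IP = re.compile(r"sender IP address: ([0-9A-Fa-f.:]+)")

def parse_auth_results(value):
    """Return {'spf': 'pass', 'header.from': 'example.com', ...} for one header value."""
    out = {}
    for clause in (c.strip() for c in value.split(";")):
        m = METHOD.match(clause)
        if not m:
            continue  # skips "i=2" and the host name in ARC-Authentication-Results
        out[m.group(1)] = m.group(2).lower()
        for key, val in PROP.findall(clause):
            out[key] = val.lower()
        ip = SENDER_IP.search(clause)
        if ip:
            out["sender_ip"] = ip.group(1)
    return out

def classify(value):
    """Bucket a message by its recorded results; unparseable input is never 'authenticated'."""
    r = parse_auth_results(value)
    if not {"spf", "dkim", "dmarc", "arc"} <= r.keys():
        return "malformed"
    if r["dmarc"] == "pass":
        return "authenticated"
    # DMARC failed: the page says a passing ARC chain still authenticates the message.
    return "arc-override" if r["arc"] == "pass" else "failed"

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), parse_auth_results(s).get("header.from"))
```

Only rely on a header value that your own gateway inserted; a copy that was already present when the message arrived is sender-controlled.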
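The precedence rules in the Intercept and Ignored Peers steps are easy to misread when auditing a configuration, so here is an added model of them for "Partially apply" mode; it is not the product's code, and every name in it is hypothetical. It assumes that *.example.com covers subdomains only, that *.com is rejected because the wildcard sits directly above a single label, and that IP and CIDR entries are compared with the connecting sender IP.

```python
import ipaddress

# Constructed sample settings for one Managed Domain in "Partially apply" mode.
CFG = {
    "ignored_peers": ["*.partner.example", "192.0.2.0/24"],
    "skip_no_envelope_sender": True,
    "use_header_sender": True,
    "specified_domains": ["example.com", "*.example.com"],
}

def valid_pattern(p):
    """Accept example.com, subdomain.example.com, *.example.com; reject *.com."""
    labels = p.lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(l and "*" not in l for l in labels)

def domain_matches(domain, pattern):
    if pattern.startswith("*."):
        # Assumption: the wildcard covers subdomains only, not the bare domain.
        return domain.endswith(pattern[1:].lower())
    return domain == pattern.lower()

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else None

def peer_matches(entry, env_domain, client_ip):
    try:  # entry is an IP address or CIDR block
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # entry is a domain: matched on the envelope sender only
        return env_domain is not None and domain_matches(env_domain, entry)

def decide(cfg, client_ip, envelope_from, header_from):
    """Return 'skip', 'specified' or 'other' for one message."""
    env, hdr = domain_of(envelope_from), domain_of(header_from)
    if any(peer_matches(e, env, client_ip) for e in cfg["ignored_peers"]):
        return "skip"        # ignored peers win over the specified-domain list
    if env is None and cfg["skip_no_envelope_sender"]:
        return "skip"        # header sender is not consulted for these messages
    senders = [env] + ([hdr] if cfg["use_header_sender"] else [])
    if any(d and domain_matches(d, p) for d in senders for p in cfg["specified_domains"]):
        return "specified"   # actions configured for the specified domains
    return "other"           # actions configured for other domains
```

Running planned ignored-peer entries through a model like this before saving shows which messages would stop receiving DMARC checks altogether, which is the broadest exemption the settings screen offers.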
