Common DMARC Policy Errors

Our resident DMARC expert shared this information with us today and we thought you might find it useful.

When publishing your DMARC Policy record in the DNS, watch out for these common mistakes.

1. Escape character (\) - DMARC policies do not need to be enclosed in escaped quotes (\"). Nor do the semi-colon (;) field terminator characters need to be escaped (\;). These escaped characters are most likely an artifact of the utility used to view other DMARC policy records (for example, the *nix utility dig escapes both quotes and semicolons in its output).

2. Field terminator – Each of the fields in the DMARC record should be terminated by the semi-colon character. Many published DMARC policies do not terminate the last field. This is not normally a problem, but it is an inconsistency that can cause trouble if you later append another field to your DMARC record.

3. Bad email addresses – For both the RUA and RUF tags, an email address URI (mailto:{email_address}) is generally expected. Many DMARC policies have errors in these email addresses. Some invalid URIs we see include a missing URI type (";..."), an email address that contains only a local part ("...rua=mailto:postmaster;..."), or an email address that contains only a domain (";...").

Finally, while not an error, there are literally thousands of DMARC policies in the wild that do not include the RUA tag. Oddly, many of these do include an ri (Reporting Interval) tag. Similarly, many policies include an rf (Report Format) tag but no ruf tag. The ri tag is meaningless without a valid rua entry, and the rf tag is meaningless without a valid ruf entry.
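The checks above (escaped characters, a missing final terminator, malformed rua/ruf URIs, and ri without rua or rf without ruf) are easy to automate before a record is published. The following linter is an added example written for this post, not a tool from the original author; the sample records are constructed for illustration, and the lint codes (ESCAPED, TERMINATOR, URI, RI_WITHOUT_RUA, RF_WITHOUT_RUF, VERSION) are names chosen here.

```python
# Lint a DMARC TXT record for the common publishing mistakes described above.
# Constructed sample records (made up for this example, not taken from the post).
SAMPLE_RECORDS = {
    "escaped": r'\"v=DMARC1\; p=reject\; rua=mailto:dmarc@example.com\;\"',
    "no_terminator": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "bad_rua": "v=DMARC1; p=quarantine; rua=mailto:postmaster; ri=3600;",
    "ri_without_rua": "v=DMARC1; p=none; ri=86400;",
    "rf_without_ruf": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; rf=afrf;",
    "clean": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com;",
}


def check_uri(uri: str):
    """Return a problem description for a rua/ruf URI, or None if it looks usable."""
    if not uri.lower().startswith("mailto:"):
        return f"'{uri}' lacks the mailto: URI type"
    # An optional "!size" suffix may follow the address; strip it before checking.
    addr = uri[len("mailto:"):].split("!", 1)[0]
    if "@" not in addr:
        return f"'{uri}' has no '@' (only a local part or only a domain)"
    local, domain = addr.split("@", 1)
    if not local:
        return f"'{uri}' contains only a domain"
    if not domain:
        return f"'{uri}' contains only a local part"
    return None


def lint_dmarc(record: str) -> list:
    """Return a list of 'CODE: message' findings for one DMARC record string."""
    findings = []
    # 1. Escaped quotes or semicolons copied from a dig-style display.
    if '\\"' in record or "\\;" in record:
        findings.append("ESCAPED: backslash-escaped quotes/semicolons; publish the record without them")
    text = record.replace('\\"', "").replace("\\;", ";").strip().strip('"').strip()
    # 2. Every field, including the last one, should end with ';'.
    if not text.endswith(";"):
        findings.append("TERMINATOR: last field is not terminated with ';'")
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"URI: malformed tag '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        findings.append("VERSION: record must begin with v=DMARC1")
    # 3. rua/ruf must hold one or more mailto: URIs with a full address.
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri:
                problem = check_uri(uri)
                if problem:
                    findings.append(f"URI: {tag} {problem}")
    # ri and rf only mean something alongside rua and ruf respectively.
    if "ri" in tags and "rua" not in tags:
        findings.append("RI_WITHOUT_RUA: ri tag present but no rua tag")
    if "rf" in tags and "ruf" not in tags:
        findings.append("RF_WITHOUT_RUF: rf tag present but no ruf tag")
    return findings


def lint_codes(record: str) -> set:
    """Convenience wrapper: just the set of finding codes for a record."""
    return {f.split(":", 1)[0] for f in lint_dmarc(record)}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {lint_dmarc(rec) or 'OK'}")
```

Run it against the TXT value you intend to publish, not against what dig prints back, so the escape check reflects the record itself rather than the viewer's formatting.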

A heads-up for folks who have not noticed yet, the newest DMARC specification (here) changes the compression for the Aggregate Reports from zip to gzip. However, report receivers may wish to continue to support zip for a while until all of the Aggregate Report senders have a chance to switch over.
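A receiver that wants to accept both containers during the transition can dispatch on the file's magic bytes rather than on its extension or MIME type. This is an added example, not code from the original post: the XML payload is a constructed stand-in, and the decompressed-size cap is a defensive choice made here (an aggregate report should never be large, so anything that inflates past the cap is rejected rather than fully decompressed).

```python
import gzip
import io
import zipfile

# Constructed stand-in for an aggregate report body (not a real report).
SAMPLE_XML = b"<?xml version='1.0'?><feedback><report_metadata/></feedback>"


def make_gzip(payload: bytes) -> bytes:
    """Wrap payload the way newer report senders do (gzip)."""
    return gzip.compress(payload)


def make_zip(payload: bytes, name: str = "report.xml") -> bytes:
    """Wrap payload the way older report senders do (zip with one XML member)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def container_kind(blob: bytes) -> str:
    """Identify the container by magic bytes: 'gzip', 'zip' or 'unknown'."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    return "unknown"


def decode_aggregate_report(blob: bytes, max_bytes: int = 8 * 1024 * 1024) -> bytes:
    """Return the XML inside a gzip or zip aggregate report, capped at max_bytes."""
    kind = container_kind(blob)
    if kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gf:
            data = gf.read(max_bytes + 1)  # read one byte past the cap to detect overflow
        if len(data) > max_bytes:
            raise ValueError("gzip payload exceeds size cap")
        return data
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [m for m in zf.infolist() if m.filename.lower().endswith(".xml")]
            if len(members) != 1:
                raise ValueError("expected exactly one .xml member in the zip")
            if members[0].file_size > max_bytes:
                raise ValueError("zip payload exceeds size cap")
            return zf.read(members[0])
    raise ValueError("unsupported container; expected gzip or zip")


if __name__ == "__main__":
    for blob in (make_gzip(SAMPLE_XML), make_zip(SAMPLE_XML)):
        print(container_kind(blob), decode_aggregate_report(blob)[:30])
```

Checking the magic bytes also catches senders whose attachment is labelled .zip but is actually gzip (or vice versa), which is exactly the kind of mismatch a transition period produces.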

A complete description of DMARC can be found at the website.