Please enable JavaScript to view this site.

MDaemon Messaging Server 21.0

Navigation: Security Menu > Security Manager > Sender Authentication > DMARC

DMARC Verification

Scroll Prev Top Next More

DMARC Verification

Enable DMARC verification and reporting

When this option is enabled, MDaemon will perform DMARC DNS queries on the domain found in the From: header of incoming messages, and it will send aggregate and failure reports if you have set it to do so on the DMARC Reporting screen. DMARC uses SPF and DKIM to validate messages, therefore at least one of those features must be enabled before DMARC can be used. DMARC verification and reporting is enabled by default and should be used in most MDaemon configurations.

Disabling support for DMARC could allow an increase in spam, phishing, or otherwise forged messages getting to your users. It could also cause some of your mailing list messages to be rejected by other servers and even cause some list members to be dropped from your lists. You should not disable DMARC unless you are absolutely sure that you have no need of it.

Do not verify messages from authenticated sessions

By default MDaemon will not perform DMARC queries on messages that are received over an authenticated session. Authenticated sessions include those verified by SMTP Authentication, POP before SMTP, or the IP Shield.

Do not verify messages from trusted IPs

By default MDaemon will not perform DMARC queries on messages that are coming from a trusted IP address.

Cache DMARC records

By default MDaemon will cache the DMARC record data found during the DNS lookup. By temporarily caching this information, you can increase efficiency when processing similar messages that arrive in the near future from the same domain.


This button opens the DMARC cache, which lists all currently cached DMARC records.

White list

Click this button to open the DMARC exception list. Messages originating from any IP addresses specified on the list will not be subject to DMARC verification.

DMARC Verification also honor VBR certification, and the Approved List, which can white list based on verified DKIM identifiers and SPF paths from sources you trust. So, for example, if a message arrives that fails the DMARC check but has a valid DKIM signature from a domain on the Approved List, the message is not subject to punitive DMARC policy (i.e..the message is treated as if the policy were "p=none"). The same happens if SPF path verification matches a domain on the Approved List.

DMARC Message Disposition

Honor p=reject when DMARC produces a 'FAIL' result

By default this option is enabled, meaning that MDaemon will honor the p=reject DMARC policy when a message's From: domain has published that policy in its DMARC record and the message fails DMARC verification. Messages failing DMARC verification will be refused during the SMTP session.

When this option is disabled and a message fails DMARC verification, MDaemon will insert the "X-MDDMARC-Fail-policy: reject" header into the message instead of refusing to accept it. In that case you could use the Content Filter to perform some action based on the presence of that header, such as sending the message to a specific folder for further scrutiny. Further, you could use the "Filter messages which fail the DMARC test into spam folders" option below to cause the message to be placed into the recipient's spam folder.

Even if you leave this option disabled, the message could still be rejected for some other reason unrelated to DMARC, such as having a Spam Filter score above the permitted threshold.

Filter messages which fail the DMARC test into spam folders

Enable this option if you wish to filter messages automatically into the recipient account's spam (i.e. junk e-mail) folder whenever a message fails DMARC verification. If this folder doesn't yet exist for the user, MDaemon will create one when needed.

When enabled, this option is only applied when the From: domain has published a restrictive DMARC policy (i.e. p=quarantine or p=reject). When the domain publishes a p=none policy then that indicates that the domain is only monitoring DMARC and no punitive measure should be taken.