DMARC Recommended Settings for Server with 250 Domains

We have a server with 250 domains. We need to choose one setting for DMARC that would be generally applicable to most domains. I don’t want to get too specific on the technicalities and will face those when they appear.

Would “Enable: Yes and Quarantine and 100% of messages” for example be a good default?

Any other suggestions?

One setting for all 250 domains on the server is the only sane way to do this. Please refer to the screenshot above of a production server, vps02. In this I have deviated from default and forced the selector to be vps02 so that the domains I host on the server will then have:
vps02._domainkey.domain1.tld
vps02._domainkey.domain2.tld
and so on…

This helps when there are multiple servers and multiple domains to be managed - one is able to identify the server that a DKIM record belongs to just by looking at it and, equally importantly, keep redundant, non-colliding DNS records for DKIM. For example, for domainx.tld:
vps02._domainkey.domainx.tld used before migration
vps03._domainkey.domainx.tld needed after migration

Thanks @calport but I’m referring to DMARC not DomainKeys. See screenshot:

Options are only enable or disable and then:

  • Take no action
  • Quarantine email
  • Reject email

Then the % of messages it is applied to.

For now we’re going with:

  • Enable
  • Quarantine
  • 100% of messages

virtualmin modify-dns --dmarc --all-domains

That should do it, I think?
Just make sure that the DMARC settings are those you require under ‘System Settings → Server Templates’ first.


I did more research and found this:

Quarantine policy p=quarantine With the DMARC policy quarantine, Internet Service Providers which have adopted DMARC will put emails which are failing the DMARC check in special ‘quarantine’ folders e.g. the junk or spam folder. The p=quarantine DMARC policy influences the way email is handled, however failing emails will still arrive.

It seems quarantine is the most logical, since it stores failed DMARC messages in the SPAM folder. Will stick to that for now.
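As an added example (not code from the thread or from Virtualmin), the following script shows what the chosen panel settings and @calport's server-named DKIM selector amount to at the DNS level: it builds the DMARC TXT value for a policy/percentage pair, parses and sanity-checks such a value, and lists the record names to publish for every domain on a server. It assumes that "Enable / Quarantine / 100% of messages" corresponds to `v=DMARC1; p=quarantine; pct=100` at `_dmarc.<domain>` (RFC 7489 syntax) and that the DKIM selector is the server name, e.g. `vps02`; the domain list and DKIM value are constructed placeholders.

```python
"""Added example, not part of the forum thread or of Virtualmin.

Assumptions (not stated in the thread): the panel choice
"Enable / Quarantine / 100% of messages" is published as the DMARC TXT
record ``v=DMARC1; p=quarantine; pct=100`` at ``_dmarc.<domain>``
(RFC 7489), and the DKIM selector is the server name (``vps02``).
"""

# Constructed sample of domains hosted on the server (placeholders).
DOMAINS = ["domain1.tld", "domain2.tld", "domainx.tld"]

# The three actions offered in the panel map to these DMARC p= values.
VALID_POLICIES = {"none", "quarantine", "reject"}


def dmarc_record(policy="quarantine", pct=100, rua=None):
    """Return the DMARC TXT value for a policy and percentage.

    rua is an optional aggregate-report address; reports are what tell
    you which sources fail before you move from quarantine to reject.
    """
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown DMARC policy: {policy}")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = [("v", "DMARC1"), ("p", policy), ("pct", str(pct))]
    if rua:
        tags.append(("rua", f"mailto:{rua}"))
    return "; ".join(f"{k}={v}" for k, v in tags)


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a dict and check the mandatory tags.

    v=DMARC1 must be the first tag and p= must be a known policy;
    pct defaults to 100 when absent, as the specification says.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("DMARC record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("DMARC record needs a valid p= tag")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def dns_records(server, domains, policy="quarantine", pct=100):
    """Map each domain to the two names to publish for it: the DMARC TXT
    record and the server-named DKIM selector (key value is a placeholder).

    Naming the selector after the server is what keeps the old and new
    DKIM records from colliding when a domain moves between servers.
    """
    out = {}
    for d in domains:
        out[d] = {
            f"_dmarc.{d}": dmarc_record(policy, pct),
            f"{server}._domainkey.{d}": "<DKIM public key placeholder>",
        }
    return out


if __name__ == "__main__":
    for domain, records in dns_records("vps02", DOMAINS).items():
        for name, value in records.items():
            print(f"{name} TXT {value}")
```

Running the script prints one `_dmarc` and one `vps02._domainkey` TXT name per domain; `parse_dmarc` rejects a record whose `v=` tag is not first, which is a common reason a published DMARC record is silently ignored.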
