What is DMARC?
DMARC (Domain-Based Message Authentication Reporting & Conformance) is an email authentication protocol, policy, and reporting protocol that allows organizations to protect their domain from unauthorized use, including spoofing, phishing, and other forms of spoofing. You must ensure that your organization complies with DMARC before you are eligible for a VMC.
This process can take weeks to complete depending on how large your company is (bigger = more). It's best to start immediately. This blog provides a basic overview of the process.
For more information on securing your organization's email access, check out our blog on DMARC Benefits.
What you'll need
Before you start, ensure that you have the following:
- A .txt editor (e.g., Notepad++, Vim, Nano, etc.)
- Access to the DNS records of your domain
- You can reach your server administrator if you cannot manage your DNS.
Step 1: Gather IP addresses to SPF
Setting up Sender Policy Framework (also known as SPF) is the first step in becoming DMARC compliant. It will stop unauthorized IP addresses from sending emails from your domain.
First, create a list with all authorized IP addresses that send mail from your domain.
- In-office mail server
- Mail server for ISP
- Any third-party mail servers
If you cannot find all IP addresses yet, don't panic. DMARC monitoring (step 4) can take care of this for you. It is good to gather as many documents as possible at this stage.
Step 2: Create an SPF record for your domain.
Next, use your text editor to create an SPF record.
Example 1: v=spf1 Ip126.96.36.199.4 ip188.8.131.52.5 ip4.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.
Example 2: v=spf1 ip4:184.108.40.206 ip4:220.127.116.11 include:thirdparty.com -all
Save the file once you are done.
To ensure everything is correct, use an SPF tool.
Step 3: Configure DKIM
DKIM, an email authentication standard, uses public/private keys cryptography to sign emails. It protects messages from being altered in transit.
- First, select a DKIM chooser.
Example: “standard._domain.example.com” = hostname
- Next, create a public-private key pairing for your domain.
PUTTYGen is a Windows tool that allows you to create custom windows.
Linux/Mac: Use ssh-keygen
- Your DNS management console allows you to create and publish a new record for.TXT.
It should look something like this: v=DKIM1 p=YourPublicKey
Step 4: Monitor. Communicate. Continue to communicate.
It is the most crucial step. This step is also the most tedious. You will need to set up DMARC to monitor your email traffic and get a baseline of what was approved.
Note: Although it might be tempting to jump straight to enforcement, monitoring now will ensure important messages are not lost or permanently deleted after DMARC has been fully enabled.
Here are some ways to monitor your traffic using DMARC.
- Make sure you have correctly set up DKIM and SPF.
- Make a DNS record.
The “txt” DMARC record should be similar to “_dmarc.your_domain.com.”
Example: “v=DMARC1;p=none; rua=mailto:dmarcreports@your_domain.com”
You can create a “p=none” (monitoring mode) DMARC record if you manage your domain's DNS. It is the same procedure as for the DKIM and SPF records.
If you cannot manage the DNS, your DNS provider can create the DMARC records for you.
- A DMARC check tool can be used to verify your DMARC record.
Replication usually takes 24-48 hours.
DMARC will now generate reports that will provide you with a lot more visibility into the mail going through your domain and any messages flagged or flagged by DKIM and SPF.
Important: Here, you will find out if there are any legitimate senders in the report that weren't already included in your SPF records (step 1). You should update your record if there are.
Problem? The problem? We recommend using a DMARC processor as the data will be difficult to read.
Step 5: Socialize, then start stepping up enforcement
Once you have viewed enough mail to believe that legitimate messages are being flagged as unauthorized, you can now start to enforce your rights.
DMARC offers two levels of enforcement: “quarantine” and “reject.” While “reject” is our final recommendation, it will still qualify your domain as a VMC.
However, before jumping to rejection, it is best to spend some time in quarantine. Here's how:
- Log in to your DNS server, and search for the DMARC Record.
- Open the DMARC records for the domain you are interested in and change the policy to “p=quarantine.”
- Add the flag “pct”, which indicates how many messages are subject to filtering. Start with 10%, and slowly increase the percentage until you reach 100%.
Once you have reached 100% filtering, your VMC qualification is complete, and you can start rejecting.
It is the easiest step.
- Change “p=quarantine” to “p=reject” in your DMARC file
Congratulations! Officially, you have a lot more visibility into the messages coming from your domain. It has increased security for all users, protected yourself against large numbers of phishing attacks, and qualified your organization to receive a VMC certificate.