If you’re new to email authentication and DMARC analyzer tools, there are a few DMARC rules you should follow starting today that can prove to be a game-changer in your email authentication journey. To summarize a few of the most basic rules:
1. Don’t use a policy that allows no authentication
4. Set up SPF records for your domain(s) as well
5. Set up DKIM signature for your domain(s)
Now let’s delve deeper and explore these DMARC rules along with others, to help you strengthen your overall authentication infrastructure.
We’ve all heard about DMARC, but what is it?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It’s an email security protocol that helps ensure your email is authenticated before it is delivered to minimize domain forgery. It was created with the goal of preventing phishing attacks and other email attacks by verifying that the sender of an email is who they say they are.
How do you use DMARC?
It’s simple! First, you set up your domain’s DNS records to indicate that you want to use DMARC. Then, if someone tries sending an email from your domain without using DMARC, they won’t be able to send it unless they have a public key associated with their domain—which is only possible if they’re authorized. This ensures that only legitimate emails will reach recipients’ inboxes, while also allowing people to set up notifications for messages that come from outside their network.
The process works as follows:
- A sender sets up a DMARC record for their domain with an SPF record and enables DKIM signing (optional but recommended) in their DNS records.
- When an email is sent from that domain, it carries headers recording which authentication settings were used and what they were set to. Receivers such as Gmail use these headers to check whether the message was sent in the expected, authenticated form.
- If any of these settings fails the check, the message is flagged as failing or soft-failing, depending on whether the sender intended that result; if they did, they may choose to ignore the flag until they have fixed the underlying cause.
One thing we love about DMARC is how easy it is to set up—it can be done in just a few steps!
DMARC Rules 101 for Businesses
When you’re setting up a DMARC policy, there are a few rules you should follow. Here is a list of the top 5 most important DMARC rules:
- The policy must be a TXT record, and it must be published on your DNS. If you don’t have a TXT record in your DNS, you have not implemented the protocol.
- The policy should be p=reject or p=quarantine if you want to block messages that aren’t authenticated.
- If you’re using multiple policies and setting up different levels of authentication for each one (like “my brand” vs “my organization”), make sure they all have unique SPF records and DKIM signatures! Otherwise, they’ll all get lumped together under one rule and won’t sync well.
- DMARC also requires you to set up SPF and/or DKIM records for your domain. This rule is mandatory even if you don’t want to use DMARC because it helps prevent spoofing attacks where an attacker can use someone else’s email address or domain name to send phishing emails that appear legitimate but aren’t actually from an authorized source.
- Another important DMARC rule requires you to publish a DMARC record containing your email address so that other organizations can report any issues related to your emails using this system. These are known as DMARC reports.
Additional DMARC rules for enhanced protection
- Consider setting up a DMARC policy for your parked domains (inactive domains) since even they can be spoofed by attackers to successfully impersonate your brand.
- Setting up multiple SPF or DMARC records for the same domain is strictly discouraged. A single domain should contain only one SPF and DMARC record. However, you may choose to configure more than one DKIM record for the same domain to enable periodic key rotation for better protection.
- You can skip setting up a policy for your subdomains unless you wish to apply a different mode of enforcement to them, because the DMARC policy for your main domain is automatically inherited by its subdomains.
- If you want to receive DMARC reports outside your domain (at an external email address that doesn’t fall within the scope of your own domain), you need to enable external domain verification so that reporting servers can confirm the external domain consents to receiving those reports.
- Finally, it is important to note that DMARC is no silver bullet and doesn’t protect you against all attacks. You do need to have a reliable antivirus and firewall in place along with DMARC to scale up your security.
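The rules above (one TXT record at `_dmarc.<domain>`, a `p=` policy, one SPF record, a `rua=` reporting address, external report-domain verification, and subdomain inheritance) can be checked mechanically. The following is an added example written for this page, not PowerDMARC's or any DMARC analyzer's code. DNS lookups are simulated with an in-memory dictionary of constructed records so it runs offline; all domain names are hypothetical, and "same organization" is simplified to "the report address's domain is the sending domain or one of its subdomains".

```python
"""Offline checker for the DMARC rules described above (added example)."""

# Constructed sample zone (all names hypothetical). Replace lookup_txt with a
# real resolver to check a live domain.
SAMPLE_ZONE = {
    # Well configured: single DMARC and SPF record, reports stay in-domain.
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    # Broken: duplicate DMARC and SPF records, external reports not verified.
    "_dmarc.bad-example.com": [
        "v=DMARC1; p=none; rua=mailto:reports@dmarc-vendor.example",
        "v=DMARC1; p=quarantine",
    ],
    "bad-example.com": ["v=spf1 include:a.example -all", "v=spf1 include:b.example ~all"],
    # External reporting done right: the receiver publishes the verification
    # record <sender-domain>._report._dmarc.<receiver-domain>.
    "_dmarc.shop.example.org": ["v=DMARC1; p=quarantine; sp=reject; rua=mailto:agg@dmarc-vendor.example"],
    "shop.example.org": ["v=spf1 -all"],
    "shop.example.org._report._dmarc.dmarc-vendor.example": ["v=DMARC1"],
}


def lookup_txt(name, zone=SAMPLE_ZONE):
    """Simulated DNS TXT lookup; returns a list of record strings."""
    return zone.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def report_domains(rua):
    """Domains named in the mailto: URIs of a rua= tag (size limits like '!10m' dropped)."""
    domains = []
    for uri in rua.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            address = uri[len("mailto:"):].split("!")[0]
            domains.append(address.rpartition("@")[2].lower())
    return domains


def is_same_org(report_domain, domain):
    """Simplification: in-org means the domain itself or one of its subdomains."""
    return report_domain == domain or report_domain.endswith("." + domain)


def check_domain(domain, zone=SAMPLE_ZONE):
    """Return a list of (severity, message) findings for one domain."""
    findings = []
    # Rule: exactly one DMARC TXT record must exist at _dmarc.<domain>.
    dmarc = [r for r in lookup_txt("_dmarc." + domain, zone) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("error", "no DMARC record: protocol not implemented"))
    elif len(dmarc) > 1:
        findings.append(("error", f"{len(dmarc)} DMARC records published; receivers treat this as no policy"))
    # Rule: exactly one SPF record (several DKIM selectors are fine, several SPF records are not).
    spf = [r for r in lookup_txt(domain, zone) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("error", "no SPF record"))
    elif len(spf) > 1:
        findings.append(("error", f"{len(spf)} SPF records published; SPF evaluates to permerror"))
    if len(dmarc) != 1:
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("error", f"invalid or missing policy tag p={policy!r}"))
    elif policy == "none":
        findings.append(("warn", "p=none only monitors; move to quarantine/reject for enforcement"))
    # Rule: publish a reporting address so other organizations can send DMARC reports.
    if "rua" not in tags:
        findings.append(("warn", "no rua= address: you will receive no DMARC reports"))
    else:
        for rd in report_domains(tags["rua"]):
            if not is_same_org(rd, domain):
                verify = lookup_txt(f"{domain}._report._dmarc.{rd}", zone)
                if not any(v.lower().startswith("v=dmarc1") for v in verify):
                    findings.append(("error", f"external report domain {rd} lacks {domain}._report._dmarc.{rd}"))
    # Rule: subdomains inherit p= unless sp= overrides it.
    if "sp" not in tags:
        findings.append(("info", f"no sp= tag: subdomains inherit p={policy}"))
    return findings


if __name__ == "__main__":
    for d in ("example.com", "bad-example.com", "shop.example.org"):
        print(d, check_domain(d))
```

`example.com` yields only the informational note that subdomains inherit `p=reject`; `bad-example.com` fails on both duplicate-record rules before the policy is even parsed; `shop.example.org` passes cleanly because the vendor published the verification record.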
At which stage of your authentication process should you implement these DMARC rules?
If you’re just starting out, you do not need to abide by all of the above-mentioned DMARC rules at the very beginning of your authentication process. For example, starting with a p=reject policy may cause deliverability problems. It is instead recommended that you start with a none policy to monitor your email channels before committing to enforcement.
Here’s where matters may get a little complicated. It is crucial that you determine a pace that works best for you and your business. Start slowly by implementing relaxed policies for your protocols so you can have complete control over them until you’re ready to opt for enforcement.
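The monitor-first, enforce-later progression above can be driven by the aggregate reports you receive under `p=none`. The following is an added example written for this page, not code from PowerDMARC or the article. The stage ladder, the 98% pass-rate and 1,000-message thresholds, the reporting address and the per-source report rows are all constructed assumptions; a real deployment would read them from parsed aggregate (rua) reports.

```python
"""Staged DMARC rollout planner driven by summarised aggregate reports (added example)."""

# Rollout ladder: monitor, then partial quarantine, full quarantine, reject.
STAGES = [
    {"p": "none", "pct": 100},
    {"p": "quarantine", "pct": 25},
    {"p": "quarantine", "pct": 100},
    {"p": "reject", "pct": 100},
]

MIN_PASS_RATE = 0.98   # assumed threshold: advance only when 98% of mail authenticates
MIN_MESSAGES = 1000    # assumed threshold: and only once enough volume has been observed


def dmarc_record(stage, rua="mailto:dmarc@example.com"):
    """Render the TXT record to publish for a stage (rua is a constructed address)."""
    return f"v=DMARC1; p={stage['p']}; pct={stage['pct']}; rua={rua}"


def summarise(rows):
    """rows: (source_ip, message_count, spf_aligned, dkim_aligned) per aggregate-report row.
    DMARC passes when either SPF or DKIM is aligned."""
    total = sum(count for _, count, _, _ in rows)
    passed = sum(count for _, count, spf, dkim in rows if spf or dkim)
    failing_sources = sorted({ip for ip, _, spf, dkim in rows if not (spf or dkim)})
    return {
        "total": total,
        "pass_rate": passed / total if total else 0.0,
        "failing_sources": failing_sources,
    }


def next_stage(current, rows):
    """Index of the stage to publish next; stay where you are if the data does not justify moving."""
    if current >= len(STAGES) - 1:
        return current
    s = summarise(rows)
    if s["total"] >= MIN_MESSAGES and s["pass_rate"] >= MIN_PASS_RATE:
        return current + 1
    return current


# Constructed week-one data: a marketing platform is not yet in SPF/DKIM.
WEEK1 = [
    ("192.0.2.10", 900, True, True),
    ("192.0.2.11", 50, False, True),
    ("198.51.100.5", 300, False, False),   # legitimate but unauthenticated sender
]
# Constructed week-two data after that platform was authenticated.
WEEK2 = [
    ("192.0.2.10", 1100, True, True),
    ("198.51.100.5", 400, True, True),
    ("203.0.113.9", 12, False, False),     # small residual, likely not yours
]

if __name__ == "__main__":
    stage = 0
    for week in (WEEK1, WEEK2):
        s = summarise(week)
        print(f"pass rate {s['pass_rate']:.1%}, failing sources {s['failing_sources']}")
        stage = next_stage(stage, week)
        print("publish:", dmarc_record(STAGES[stage]))
```

Week one stays at `p=none` because a legitimate sender is still failing, which is exactly the deliverability problem the article warns about; once it is fixed, week two clears the threshold and the planner advances one rung to `p=quarantine; pct=25`, never skipping straight to reject.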