As phishing and email-based attacks are getting popular, you have to configure your DMARC settings to solidify your defenses against impending cyberattacks. Setting up the DMARC (Domain-based Message Authentication Reporting and Conformance) protocol is your first step toward gaining compliance with your emails. The fastest possible way to achieve this is by creating a DNS record and getting it published with the help of your hosting provider.
To configure DMARC, you need to start by creating a DMARC record. As complicated as it may sound, the process of setting up DMARC is comparatively straightforward!
DMARC Setup Explained
A DMARC setup is an email authentication process that aids organizations in combating email spoofing, phishing, and email fraud. To validate the authenticity of email communications, DMARC settings work in concert with other email authentication systems such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
Why You Should Configure DMARC?
90% of phishing attacks use email as a vector, making email authentication indispensable. The FBI’s Internet Crime Complaint Center of 2020 (FBI IC3 Report 2020) reported that 28,500 complaints were received in the US on email-based attacks. This instantly brings DMARC to the forefront.
Did You Know?
- 75% of organizational domains from all around the world were spoofed in 2020 to send phishing emails to victims
- 74% of those phishing campaigns were successful
- The frequency of BEC has increased by 15% since last year
- IBM reported that one in every 5 companies in the last year has experienced data breaches caused by malicious emails
Check your domain right now to see how protected you are against email fraud!
Requirements for a DMARC Setup
Should you set up a DMARC record, and decide to go for it, there are certain prerequisites that you need to have in place before you move on to implementation.
- You need access to your DNS management console
- Make sure you recognize all your authorized email senders
- Published SPF and/or DKIM record in your DNS
Foundational Elements of Your DMARC Setup: SPF and DKIM Alignment
To configure your DMARC policy setting, you need you implement either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), or both.
SPF tells mail servers which IP addresses or sending sources are allowed to send outbound mail from your domain. DKIM adds a digital signature to outgoing mail to prevent message alterations. This prevents spam messages and fraud emails from reaching your email clients by impersonating your brand in phishing scams.
You can configure your domain alignment to pass for partial matches for your SPF and DKIM header fields with the From: domain, or you can opt for a more stringent authentication by opting for an exact match instead.
How to Setup DMARC? A Step-by-Step Guide
To kick-start your DMARC DNS setup, follow the setup steps given below:
Step 1: Create the DMARC record
You start by creating a DNS record that defines your policy and establishes the implementation.
To create a free record use our DMARC generator tool as shown in the screenshot above. Once you open the tool screen there will be some mandatory criteria that you need to fill in.
Step 2: Choose a suitable DMARC policy for your emails
The p= policy tag is a mandatory tag that needs to be configured in your DMARC setup. If you skip this, your record will be invalid.
The p= policy tag is a mandatory tag that needs to be configured in your DMARC setup. If you skip this, your record will be invalid.
To prevent your emails from getting spoofed, you need to configure a DMARC policy of p=quarantine or higher. However, you can choose a “none” policy if you wish to monitor your emails before committing to full enforcement.
Step 3: Enable Reporting and Click “Generate”
The rest of the criteria are not mandatory, however, if you want to set up alignment flexibilities for DKIM and SPF or enable DMARC reporting, you can. RUA and RUF reports can help you track your mail flow and authentication results to detect inconsistencies quickly.
Finally, click on the “generate” button to finalize your DMARC settings and finish the process of creating your record.
Step 4: Publish and Validate the Record Setup
Once you are done creating the TXT record, use the “copy” button to directly copy the syntax and then head over to your DNS management console. Paste the record on your DNS to finish your DMARC setup.
Read our detailed guide on how to publish a DMARC record on your DNS to learn more.
DMARC Setup Example
Here is an example of a typical DMARC setup:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:mymail@domain.com; ruf=mailto:mymail@domain.com; pct=100; fo=0;
Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.
Debunking the Record Syntax
The syntax of your DMARC setup is the most important part of your implementation as it determines how your emails will be authenticated and the action that will be taken post-verification. Let’s explore some primary mechanisms:
- The “v” field determines the protocol version of DMARC that is DMARC1
- The “p” field is the mandatory DMARC policy field that can be set to none/reject/quarantine policy
- The “rua” aggregate feedback and “ruf” forensic reports fields are DMARC reporting options that help receiving ESPs provide feedback on emails sent to your recipients, which would be sent to your defined email address or dedicated mailbox
These are just a few to mention, you can explore more in our detailed blog on DMARC tags.
Verifying Your DMARC Record Setup
After you have set up DMARC, you must verify your configurations to make sure the protocol is operating as per your needs. Without proper checks and monitoring in place, authenticating your emails can get very challenging and lead to false positives or failures, impacting your mail delivery performance.
To verify your setup, you can use PowerDMARC’s DMARC checker tool for free. It’s an instant and effective tool to validate your DNS TXT record that not only shows the status of your record’s validity but also highlights errors and suggests improvements to achieve compliance sooner!
To use it:
- Enter your domain name in the destination box (i.e. if your website URL is https://company.com your domain name will be company.com)
- Click on the “Lookup” button
- See your results displayed on the screen
We would recommend this verification method, as an alternative to manual verification for a quicker, more accurate, and hassle-free experience.
Can You Set Up DMARC without DKIM or SPF?
No. You need to configure either of the two to make sure your emails are authenticated. You may choose to set up both, which is the recommended approach for maximum security, however, that is completely optional.
We have covered both approaches in depth in our knowledge base.
Benefits and Uses of a DMARC Setup
A DMARC setup can be useful in the following situations:
- To ensure only authorized senders are allowed to send emails on your email domain’s behalf
- To prevent email phishing and direct-domain spoofing attacks
- To view the IP addresses or sources sending emails on your behalf
- To prevent spammy messages from reaching your recipients
- To improve the email deliverability of legitimate email traffic
What are the best DMARC settings?
The best DMARC setting, if you want maximum protection against email-based attacks, is p=reject (where p is the mechanism used to specify your record policy). A suitable DMARC setting depends on the amount of enforcement you desire (how stringently you want receivers to handle emails that fail DMARC).
For monitoring only, you can set up DMARC with a “none” policy, while you can configure “quarantine” if you want to review unauthorized emails in your quarantine or spam folder before discarding or accepting them.
Leveraging DMARC to Prevent Domain Spoofing
Note that if you want to configure DMARC to stop your domain from being Spoofed and keep phishing and BEC attacks at bay, we recommend you select the following criterion while generating your DMARC record:
Set your DMARC policy to p=reject
What does this mean?
When you configure DMARC enforcement at your organization by choosing “reject” DMARC settings, this means that whenever an email message sent from your domain fails DMARC authentication, the malicious email is instantly rejected by the receiving email server, instead of being delivered to your email receiver’s inbox.
How to Turn Off DMARC?
It’s important to bear in mind that turning off email authentication for your domains is not recommended or encouraged as it leaves your domains vulnerable to a wide range of cyber-attacks and provides open access to cybercriminals to impersonate your domain. Having considered that, if you still want to disable the protocol you can follow the steps given below:
- Access your DNS registrar’s management console
- Navigate to the advanced DNS editor to edit your DNS settings
- Locate the domain for which you want to disable DMARC
- Delete the DMARC TXT record
- Save changes and wait for some time for the changes to reflect
You can alternatively contact your domain registrar to help you delete the record in case you don’t have access to the console.
Deleting the DNS entry for DMARC will automatically disable the protocol for the particular domain. However, if you have multiple domains with DMARC enabled, you need to manually delete DNS entries for the said domains to disable them for your organization.
Setup DMARC Easily with PowerDMARC
When you create an account on PowerDMARC, we handle protocol implementation and setup for you. We also manage and monitor the health of your domain and emails, parse your aggregate reports, and organize your authentication results on a dedicated dashboard.
If you don’t want to go through the hassle of a manual setup, you can automate the process by taking a free 15-day trial with us. To enjoy the benefits of email authentication, and set up DMARC in a way that would effectively protect your domain, sign up with DMARC analyzer today!
- Fix SPF Permerror: Overcome SPF Too Many DNS Lookups Limit - April 26, 2024
- How to Publish a DMARC Record in 3 Steps? - April 2, 2024
- Why is DMARC failing? Fix DMARC Failure in 2024 - April 2, 2024