A proper DMARC setup protects your organization from email spoofing, phishing, and other email-based cyberattacks. By configuring the DMARC (Domain-based Message Authentication Reporting and Conformance) protocol, you create a robust layer of security for your emails, ensuring they are authenticated and compliant with modern standards. This setup process involves creating a DNS record and working with your hosting provider to publish it, making email security more accessible and manageable.
Key Takeaways
- DMARC setup protects against email spoofing and phishing by authenticating emails with SPF and DKIM.
- DMARC records, defined in DNS, determine how unauthorized emails are handled through policies like none, quarantine, or reject.
- Setting up DMARC involves creating a record, selecting a policy, enabling reporting, and publishing it in DNS.
- Regular verification and monitoring of DMARC records are essential to ensure correct configurations and avoid delivery issues.
- Using p=reject offers maximum protection by preventing unauthorized emails from reaching recipients.
Prerequisites for Setting Up DMARC
Before we jump to the DMARC setup process, ensure you have the following in place:
- Access to your DNS management console: This is essential for creating and publishing DNS records.
- List of Authorized Email Senders: Identify all the services and servers that send emails on your behalf to avoid unintentional blocking.
- Existing SPF and/or DKIM record in your DNS: At least one of these records should already be configured in your DNS, as DMARC relies on them for email authentication.
How to Set Up DMARC Step-by-Step
To kick-start your DMARC DNS setup, follow the setup steps given below:
Step 1: Create the DMARC record
You start by creating a DNS record that defines your policy and establishes the implementation.
To create a free record, use our DMARC generator tool. Once you open the tool, there will be some mandatory criteria that you need to fill in.
Step 2: Choose a suitable DMARC policy for your emails
The p= policy tag is a mandatory tag that needs to be configured in your DMARC setup. If you skip this, your record will be invalid.
To prevent your emails from getting spoofed, you need to configure a DMARC policy of p=quarantine or higher. However, you can choose a “none” policy if you wish to monitor your emails before committing to full enforcement.
Step 3: Enable Reporting and Click “Generate”
The rest of the criteria for a DMARC setup are not mandatory. However, if you want to set up alignment flexibilities for DKIM and SPF or enable DMARC reporting, you can. RUA and RUF reports can help you track your mail flow and authentication results to detect inconsistencies quickly.
Finally, click on the “generate” button to finalize your DMARC settings and finish the process of creating your record.
Step 4: Publish and Validate the Record Setup
Once you are done creating the TXT record, use the “copy” button to directly copy the syntax and then head over to your DNS management console. Paste the record on your DNS to finish your DMARC setup.
Read our detailed guide on how to publish a DMARC record on your DNS to learn more.
Verifying Your DMARC Setup
After you have set up DMARC, you must verify your configurations to make sure the protocol is operating as per your needs. Without proper checks and monitoring in place, authenticating your emails can get very challenging and lead to false positives or failures, impacting your mail delivery performance.
To verify your setup, you can use PowerDMARC’s DMARC checker tool for free. It’s an instant and effective tool to validate your DNS TXT record that not only shows the status of your record’s validity but also highlights errors and suggests improvements to achieve compliance sooner!
To use it:
- Enter your domain name in the destination box (i.e. if your website URL is https://company.com your domain name will be company.com)
- Click on the “Lookup” button
- See your results displayed on the screen
We recommend this verification method as an alternative to manual verification for a quicker, more accurate, and hassle-free experience.
DMARC Setup Example
Here is an example of a typical DMARC setup:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; fo=0;
Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.
DMARC Record Syntax
The syntax of your DMARC setup is the most important part of your implementation as it determines how your emails will be authenticated and the action that will be taken post-verification. Let’s explore some primary mechanisms:
- The “v” field specifies the DMARC protocol version, which is DMARC1
- The “p” field is the mandatory DMARC policy field that can be set to none/reject/quarantine policy
- The “rua” aggregate feedback and “ruf” forensic reports fields are DMARC reporting options that help receiving ESPs provide feedback on emails sent to your recipients, which would be sent to your defined email address or dedicated mailbox
These are just a few of the tags; you can explore more in our detailed blog on DMARC tags.
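A manual syntax check for the tags listed above, as an added example that is not PowerDMARC's code or part of the original page. It goes slightly beyond the three tags described by also checking adkim, aspf and pct from the sample record; the function names and the mailbox addresses in SAMPLE are assumptions made for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

# Constructed sample in the shape of the page's example; the mailbox
# addresses are placeholders, not values from the page.
SAMPLE = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
          "rua=mailto:dmarc-rua@example.com; "
          "ruf=mailto:dmarc-ruf@example.com; pct=100; fo=0;")


def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():  # tolerate the trailing ';'
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(record):
    """Return a list of problems; an empty list means no issue was found."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    if len(tags) != len(pairs):
        problems.append("a tag appears more than once")
    policy = tags.get("p", "").lower()
    if not policy:
        problems.append("mandatory p= tag is missing")
    elif policy not in POLICIES:
        problems.append(f"p={policy} is not none, quarantine or reject")
    for name in ("adkim", "aspf"):
        if tags.get(name, "r").lower() not in ("r", "s"):
            problems.append(f"{name} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit() and int(pct) <= 100):
        problems.append("pct must be an integer from 0 to 100")
    for name in ("rua", "ruf"):
        for uri in tags.get(name, "").split(","):
            if name in tags and not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{name}: {uri.strip()!r} is not a mailto: URI")
    if policy == "none" and "rua" not in tags:
        problems.append("p=none without rua= yields no monitoring reports")
    return problems
```

Run `lint_dmarc()` on the TXT value before publishing it; the last check is advisory, since a monitoring-only policy is of little use without an aggregate report address.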
Why You Should Configure DMARC
90% of phishing attacks use email as a vector, making email authentication indispensable. The FBI’s Internet Crime Complaint Center report for 2020 (FBI IC3 Report 2020) stated that 28,500 complaints were received in the US on email-based attacks. Email phishing statistics like these instantly bring DMARC to the forefront.
Did You Know?
- 75% of organizational domains from all around the world were spoofed in 2020 to send phishing emails to victims
- 74% of those phishing campaigns were successful
- The frequency of BEC has increased by 15% since last year
- IBM reported that one in every 5 companies in the last year has experienced data breaches caused by malicious emails
Check your domain right now to see how protected you are against email fraud!
Benefits and Uses of a DMARC Setup
A DMARC setup can be useful in the following situations:
- To ensure only authorized senders are allowed to send emails on your email domain’s behalf
- To prevent email phishing and direct-domain spoofing attacks
- To view the IP addresses or sources sending emails on your behalf
- To prevent spammy messages from reaching your recipients
- To improve the email deliverability of legitimate email traffic
DMARC Setup FAQ
1. Can You Set Up DMARC without DKIM or SPF?
No. You need to configure either of the two to make sure your emails are authenticated. You may choose to set up both, which is the recommended approach for maximum security; however, that is completely optional.
We have covered both approaches in depth in our knowledge base.
2. What are the Best DMARC Settings?
The best DMARC setting, if you want maximum protection against email-based attacks, is p=reject (where p is the mechanism used to specify your record policy). A suitable DMARC setting depends on the amount of enforcement you desire (how stringently you want receivers to handle emails that fail DMARC).
For monitoring only, you can set up DMARC with a “none” policy, while you can configure “quarantine” if you want to review unauthorized emails in your quarantine or spam folder before discarding or accepting them.
Note that if you want to configure DMARC to stop your domain from being spoofed and keep phishing and BEC attacks at bay, we recommend you select the following criterion while generating your DMARC record:
Set your DMARC policy to p=reject
What does this mean?
When you configure DMARC enforcement at your organization by choosing “reject” DMARC settings, this means that whenever an email message sent from your domain fails DMARC authentication, the malicious email is instantly rejected by the receiving email server, instead of being delivered to your email receiver’s inbox.
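How a receiving server arrives at that decision, as an added example that is not PowerDMARC's code or part of the original page. It shows that SPF or DKIM must not only pass but also align with the From: domain, and how the strict adkim=s / aspf=s settings from the sample record change the outcome. The function names, the scenario domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' requires an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf, dkim, policy, adkim="r", aspf="r"):
    """spf and dkim are (result, authenticated_domain) tuples, or None.

    Returns (dmarc_result, requested_action). DMARC passes when at least
    one mechanism both passes and aligns with the From: domain.
    """
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, adkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)


# Constructed scenarios for a From: domain of example.com.
# 1. Mail sent through a provider: SPF passes for the provider's bounce
#    domain, DKIM is signed with a subdomain of the sender.
VIA_PROVIDER = dict(from_domain="example.com",
                    spf=("pass", "bounces.provider.test"),
                    dkim=("pass", "mail.example.com"))
# 2. Forged From: header: SPF passes, but only for an unrelated domain.
SPOOFED = dict(from_domain="example.com",
               spf=("pass", "unrelated.test"), dkim=None)
```

With relaxed alignment the provider scenario passes on DKIM alone; with strict alignment the same legitimate message fails and is rejected under p=reject, which is why every authorized sender should be checked in reports before enforcing.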
3. How to Turn Off DMARC?
It’s important to bear in mind that turning off email authentication for your domains is not recommended or encouraged as it leaves your domains vulnerable to a wide range of cyber-attacks and provides open access to cybercriminals to impersonate your domain. Having considered that, if you still want to disable the protocol you can follow the steps given below:
- Access your DNS registrar’s management console
- Navigate to the advanced DNS editor to edit your DNS settings
- Locate the domain for which you want to disable DMARC
- Delete the DMARC TXT record
- Save changes and wait for some time for the changes to reflect
You can alternatively contact your domain registrar to help you delete the record in case you don’t have access to the console.
Deleting the DNS entry for DMARC will automatically disable the protocol for the particular domain. However, if you have multiple domains with DMARC enabled, you need to manually delete DNS entries for the said domains to disable them for your organization.
Setup DMARC Easily with PowerDMARC
When you create an account on PowerDMARC, we handle protocol implementation and setup for you. We also manage and monitor the health of your domain and emails, parse your aggregate reports, and organize your authentication results on a dedicated dashboard.
If you don’t want to go through the hassle of a manual setup, you can automate the process by taking a free 15-day trial with us. To enjoy the benefits of email authentication and set up DMARC in a way that effectively protects your domain, sign up with us today!