
Before we get to “how to set up DMARC?”, we should take a step back and understand the concept of DMARC and how it has emerged as the most trending solution in information and email security in the past few years. Organizations can be considered huge email-exchanging bodies, with a major influx of email flowing across their client base and among their business partners and employees.

However, while running your email marketing campaigns, it is difficult to monitor whether all the emails being sent from your domain are legitimate. Every 14 seconds, an organizational domain is spoofed by an attacker to send out phishing emails to receivers who trust them. This is why email authentication is a mandatory addition to your security.

Why is DMARC Needed in the Current Situation?

The FBI’s Internet Crime Complaint Center report for 2020 (FBI IC3 Report 2020) stated that 28,500 complaints were received in the US pertaining to email-based attacks. The FBI investigated email scams referencing the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which was intended to provide assistance to small businesses during the pandemic. These attacks specifically targeted unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans.

Did You Know?

  • 75% of organizational domains from all around the world were spoofed in 2020 to send phishing emails to victims
  • 74% of those phishing campaigns were successful
  • The frequency of BEC has increased by 15% since last year
  • IBM reported that one in every 5 companies in the last year has experienced data breaches caused by malicious emails

Check your domain right now to see how protected you are against email fraud!

How to Setup DMARC Manually?

To set up DMARC, you need to start by creating a DMARC record. As complicated as it may sound, the process is comparatively simple! A DMARC record is a DNS TXT (text) record that is published in your DNS to configure the protocol for your domain.

DMARC record example:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; fo=0;

Note: While beginning your email authentication journey, you can keep your DMARC policy (p) at none instead of reject, to monitor your email flow and resolve issues before shifting to a strict policy.
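The difference between the enforcing record above and a monitoring-only record can be checked mechanically before anything is published. The following is an added example, not code from PowerDMARC: a small linter for a DMARC record value. The report addresses are constructed placeholders on example.com, since the addresses in the page's own records are not shown.

```python
# Added example: lint a DMARC TXT record value. Not PowerDMARC code.
# Report addresses below are constructed placeholders (example.com).
STRICT = ("v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:rua@example.com; "
          "ruf=mailto:ruf@example.com; pct=100; fo=0;")
MONITOR = ("v=DMARC1; p=none; sp=none; rua=mailto:rua@example.com; "
           "ruf=mailto:ruf@example.com; fo=1;")

def parse_dmarc(record):
    """Split a record into {tag: value}; the first tag must be v=DMARC1."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        name = name.strip().lower()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {pair!r}")
        tags[name] = value.strip()
    return tags

def lint_dmarc(record):
    """Return a list of findings; an empty list means enforced and reported."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    # sp defaults to the value of p when it is not published.
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains without enforcement")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    for tag in ("adkim", "aspf"):  # alignment modes default to relaxed
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag}= must be r (relaxed) or s (strict)")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    for rec in (STRICT, MONITOR):
        print(lint_dmarc(rec))
```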

Learn how to publish DMARC record

How to Setup DMARC Easily with PowerDMARC

With PowerDMARC, you don’t need to understand the mechanisms in depth to manually create your DMARC record, as we do it automatically on our platform. All you need to do is use our free DMARC record generator tool and fill in your desired criteria. Click on Generate Record and instantly create an error-free DMARC record to publish in your DNS.

After creating your record, simply open your DNS management console, navigate to your desired domain and paste the TXT record. Save your changes and you are done!

How to Leverage DMARC to Prevent Domain Spoofing

Note that if you are configuring DMARC to stop your domain from being spoofed and to keep phishing and BEC attacks at bay, we recommend that you select the following criterion while generating your DMARC record with our DMARC record generator tool:

Set your DMARC policy to p=reject

When you opt for DMARC enforcement at your organization by choosing a reject policy, whenever an email sent from your domain fails DMARC authentication checks, the malicious email is instantly rejected by the receiving MTA instead of being delivered to your receiver’s inbox.

Another factor that you would want to consider is gaining visibility on your email flow and monitoring emails passing and failing authentication. DMARC reporting ensures that you never miss a malicious activity on your domain and you stay informed at all times. To enjoy the benefits of email authentication, and set up DMARC in a way that would effectively protect your domain, sign up with DMARC analyzer today!

Learn how to Publish a DMARC record

Before we proceed towards publishing a DMARC record, it is important to understand what a DMARC record is. A DMARC record is nothing but a DNS TXT record that can be published in your domain’s DNS (Domain Name System) so as to configure Domain-Based Message Authentication, Reporting, and Conformance, or DMARC, for your domain. By configuring DMARC for your domain, you as the domain owner gain the ability to specify to receiving servers how they should respond to emails that are sent from unauthorized or illegitimate sources.

Instructions for Generating Your DMARC Record

The process for generating your DMARC DNS record is extremely simple if you use our free DMARC record generator tool for this purpose. All you need to do is fill in the following criteria:

  • Choose your DMARC policy mode (if you are just starting out with email authentication, we recommend a policy of p=none to begin with so you can monitor your email flow)
  • Choose the DMARC policy mode for your subdomains (we recommend you activate this criterion only if you wish to opt for a different policy for your subdomains; otherwise, by default it takes up the same policy as your main domain)
  • Type in the email addresses to which you want your DMARC RUA (aggregate) and RUF (forensic) reports to be delivered
  • Choose your DKIM alignment mode (for strict alignment, the domain in the DKIM signature (d=) has to match the domain found in the From header exactly; for relaxed alignment, the two domains only need to share the same organizational domain)
  • Choose your SPF alignment mode (for strict alignment, the domain in the Return-Path header has to match the domain found in the From header exactly; for relaxed alignment, the two domains only need to share the same organizational domain)
  • Choose your forensic options (this determines under which circumstances you want to receive your forensic reports)

A typical error-free DMARC record looks something like this:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

The generated record is now to be published in your domain’s DNS on the subdomain: _dmarc.YOURDOMAIN.com

How to Publish Your DMARC Record? 

In order to publish your generated DMARC record, you will need to log in to your DNS console and navigate to the specific domain for which you want to configure DMARC.

After navigating to the domain in your DNS management console, you will need to specify the hostname and the resource type. Since DMARC exists in your domain as a DNS TXT record, the resource type for it is TXT, and the hostname to be specified in this case is: _dmarc

Finally, you need to add the value of your DMARC record (the record you generated previously): v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Save your changes and you have successfully configured DMARC for your domain!

What Should be My Next Steps?

After you are done publishing your DMARC record your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda anyway when you are implementing security protocols and email authentication services. Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that you need to shift to DMARC enforcement.

What is DMARC Enforcement?

You can achieve DMARC enforcement if you implement a DMARC policy mode of p=reject or p=quarantine. For maximum protection from domain spoofing attacks and BEC, we recommend a policy mode of reject. However, the process for achieving DMARC enforcement isn’t as simple as changing your policy mode from monitoring to enforcement. To gain immunity from impersonation attacks while making sure that your email deliverability doesn’t get impacted, what you need to do is:

  • Sign up with PowerDMARC and enable DMARC reporting for your domain
  • Get daily DMARC RUA reports on email authentication results available in an array of viewing options for ease of understanding
  • Get forensic report updates on the dashboard whenever emails fail authentication
  • Stay under the SPF hard limit of 10 DNS lookups to ensure your SPF record never gets invalidated

With DMARC aggregate and forensic reports, moving from monitoring to enforcement becomes a cakewalk for domain owners, as you can visually monitor your email flow and track and respond to deliverability issues instantaneously from the PowerDMARC platform. Sign up today for your free DMARC analyzer trial!

As a domain owner you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name for carrying out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer-base. This blog will take you through the process of setting up your DMARC record for Office 365 users.

In recent times, a majority of businesses have made a shift towards using effective and robust cloud-based platforms and hosted email exchange solutions such as Office 365. Subsequently, cybercriminals have also upgraded their malicious techniques to conduct email fraud by outmanoeuvring the security solutions that are integrated into the platform. This is why Microsoft has extended support towards email authentication protocols like DMARC across all of its email platforms. But you should know how to correctly implement DMARC for Office 365, in order to fully utilize its benefits.

Why DMARC?

The first question that might arise is: with anti-spam solutions and email security gateways already integrated into the Office 365 suite to block fake emails, why would you require DMARC for authentication? This is because, while these solutions specifically protect against inbound phishing emails sent to your domain, the DMARC authentication protocol gives domain owners the power to specify to receiving email servers how to respond to emails sent from your domain that fail authentication checks.

DMARC makes use of two standard authentication practices, namely SPF and DKIM to validate emails for authenticity. With a policy set to enforcement, DMARC can offer a high level of protection against impersonation attacks and direct-domain spoofing.

Do you really need DMARC while using Office 365?

There’s a common misconception among businesses that having an Office 365 solution ensures safety from spam and phishing attacks. However, in May 2020, a series of phishing attacks on several Middle Eastern insurance firms using Office 365 caused significant data loss and an unprecedented number of security breaches. This is why simply relying on Microsoft’s integrated security solutions and not implementing external efforts for protecting your domain can be a huge mistake!

While Office 365’s integrated security solutions can offer protection against inbound security threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing into the inboxes of your customers and partners. This is where DMARC steps in.

Securing Office 365 against Spoofing and Impersonation with DMARC

Security solutions that come with the Office 365 suite act as spam filters that cannot secure your domain from impersonation, highlighting the need for DMARC. DMARC exists as a DNS TXT record in your domain’s DNS. To configure DMARC for your domain, you need to:

Step 1: Identify valid email sources for your domain
Step 2: Set up SPF for your domain
Step 3: Set up DKIM for your domain
Step 4: Publish a DMARC TXT record in your domain’s DNS

You can use PowerDMARC’s free DMARC record generator to generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain. However, note that only an enforcement policy of reject can effectively help you mitigate impersonation attacks and domain abuse.

But is publishing a DMARC record enough? The answer is no. This takes us to our last and final segment which is DMARC reporting and monitoring.

5 Reasons Why You need PowerDMARC while Using Microsoft Office365

Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However, despite the various advantages, these are the drawbacks you might face while using it from a security perspective:

  • No solution for validating outbound messages sent from your domain
  • No reporting mechanism for emails failing authentication checks
  • No visibility into your email ecosystem
  • No dashboard to manage and monitor your inbound and outbound email flow
  • No mechanism to ensure your SPF record always stays under the 10-lookup limit

DMARC Reporting and Monitoring with PowerDMARC

PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing. When you sign up with PowerDMARC, you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI), but also provides an extensive and in-depth DMARC reporting mechanism that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:

  • Aggregate Reports
  • Forensic reports

We have strived to make the authentication experience better for you by solving various industry problems. We ensure encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user-experience and clarity. PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer tool aids you in configuring DMARC correctly for your domain, and shifting from monitoring to enforcement in no time!