
Learn how to Publish a DMARC record

Before publishing a DMARC record, it is important to understand what a DMARC record is. A DMARC record is a DNS TXT record that is published in your domain’s DNS (Domain Name System) to configure Domain-Based Message Authentication, Reporting, and Conformance (DMARC) for your domain. By configuring DMARC for your domain, you as the domain owner gain the ability to specify to receiving servers how they should respond to emails that are sent from unauthorized or illegitimate sources.

Instructions for Generating Your DMARC Record

The process for generating your DMARC DNS record is extremely simple if you use our free DMARC record generator tool for this purpose. All you need to do is fill in the following fields:

  • Choose your DMARC policy mode (if you are just starting out with email authentication, we recommend beginning with a policy of p=none so you can monitor your email flow)
  • Choose the DMARC policy mode for your subdomains (we recommend setting this only if you want a different policy for your subdomains; otherwise, by default, they take the same policy as your main domain)
  • Type in the email addresses to which you want your DMARC RUA (aggregate) and RUF (forensic) reports to be delivered
  • Choose your DKIM alignment mode (for strict alignment, the domain in the DKIM signature in the email header has to match exactly the domain found in the From header; for relaxed alignment, the two domains only need to share the same organizational domain)
  • Choose your SPF alignment mode (for strict alignment, the domain in the Return-Path header has to match exactly the domain found in the From header; for relaxed alignment, the two domains only need to share the same organizational domain)
  • Choose your forensic options (these determine the circumstances under which you want to receive forensic reports)

A typical error-free DMARC record looks something like this:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

The generated record is now to be published in your domain’s DNS on the subdomain: _dmarc.YOURDOMAIN.com

How to Publish Your DMARC Record? 

In order to publish your generated DMARC record, you will need to log in to your DNS console and navigate to the specific domain for which you want to configure DMARC.

After navigating to the domain in your DNS management console, you will need to specify the hostname and the resource type. Since DMARC exists in your domain as a DNS TXT record, the resource type for it is TXT, and the hostname to be specified in this case is: _dmarc

Finally, you need to add the value of your DMARC record (the record you generated previously): v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Save your changes and you have successfully configured DMARC for your domain!

What Should be My Next Steps?

After you are done publishing your DMARC record your next step should be to focus on protecting your domain from scammers and impersonators. That is your main agenda anyway when you are implementing security protocols and email authentication services. Simply publishing a DMARC record with a p=none policy doesn’t offer any protection against domain spoofing attacks and email fraud. For that you need to shift to DMARC enforcement.

What is DMARC Enforcement?

You can achieve DMARC enforcement if you implement a DMARC policy mode of p=reject or p=quarantine. For maximum protection from domain spoofing attacks and BEC, we recommend a policy mode of reject. However, the process for achieving DMARC enforcement isn’t as simple as changing your policy mode from monitoring to enforcement. To gain immunity from impersonation attacks while making sure that your email deliverability doesn’t get impacted, what you need to do is:

  • Sign up with PowerDMARC and enable DMARC reporting for your domain
  • Get daily DMARC RUA reports on email authentication results available in an array of viewing options for ease of understanding
  • Get forensic report updates on the dashboard whenever emails fail authentication
  • Stay under the SPF hard limit to ensure your SPF record never gets invalidated

With DMARC aggregate and forensic reports, moving from monitoring to enforcement becomes a cakewalk for domain owners, as you can visually monitor your email flow and track and respond to deliverability issues instantaneously from the PowerDMARC platform. Sign up today for your free DMARC analyzer trial!

As a domain owner you always need to look out for threat actors launching domain spoofing attacks and phishing attacks to use your domain or brand name for carrying out malicious activities. No matter what email exchange solution you use, protecting your domain from spoofing and impersonation is imperative to ensure brand credibility and maintain trust among your esteemed customer-base. This blog will take you through the process of setting up your DMARC record for Office 365 users.

In recent times, a majority of businesses have made a shift towards using effective and robust cloud-based platforms and hosted email exchange solutions such as Office 365. Subsequently, cybercriminals have also upgraded their malicious techniques to conduct email fraud by outmanoeuvring the security solutions that are integrated into the platform. This is why Microsoft has extended support towards email authentication protocols like DMARC across all of its email platforms. But you should know how to correctly implement DMARC for Office 365, in order to fully utilize its benefits.

Why DMARC?

The first question that might arise is that, with anti-spam solutions and email security gateways already integrated into the Office 365 suite to block fake emails, why would you require DMARC for authentication? This is because while these solutions specifically protect against inbound phishing emails sent to your domain, DMARC authentication protocol gives domain owners the power to specify to receiving email servers how to respond to emails sent from your domain that fail authentication checks.

DMARC makes use of two standard authentication practices, namely SPF and DKIM to validate emails for authenticity. With a policy set to enforcement, DMARC can offer a high level of protection against impersonation attacks and direct-domain spoofing.

Do you really need DMARC while using Office 365?

There’s a common misconception among businesses that having an Office 365 solution ensures safety from spam and phishing attacks. However, in May 2020, a series of phishing attacks on several Middle Eastern insurance firms using Office 365 caused significant data loss and an unprecedented number of security breaches. This is why simply relying on Microsoft’s integrated security solutions and not implementing external efforts for protecting your domain can be a huge mistake!

While Office 365’s integrated security solutions can offer protection against inbound security threats and phishing attempts, you still need to ensure that outbound messages sent from your own domain are authenticated effectively before landing into the inboxes of your customers and partners. This is where DMARC steps in.

Securing Office 365 against Spoofing and Impersonation with DMARC

Security solutions that come with the Office 365 suite act as spam filters that cannot secure your domain from impersonation, highlighting the need for DMARC. DMARC exists as a DNS TXT record in your domain’s DNS. For configuring DMARC for your domain, you need to:

Step 1: Identify valid email sources for your domain
Step 2: Set up SPF for your domain
Step 3: Set up DKIM for your domain
Step 4: Publish a DMARC TXT record in your domain’s DNS

You can use PowerDMARC’s free DMARC record generator to generate a record instantly with the correct syntax to publish in your DNS and configure DMARC for your domain. However, note that only an enforcement policy of reject can effectively help you mitigate impersonation attacks and domain abuse.

But is publishing a DMARC record enough? The answer is no. This takes us to our last and final segment which is DMARC reporting and monitoring.

5 Reasons Why You need PowerDMARC while Using Microsoft Office365

Microsoft Office 365 provides users with a host of cloud-based services and solutions along with integrated anti-spam filters. However, despite the various advantages, these are the drawbacks you might face while using it from a security perspective:

  • No solution for validating outbound messages sent from your domain
  • No reporting mechanism for emails failing authentication checks
  • No visibility into your email ecosystem
  • No dashboard to manage and monitor your inbound and outbound email flow
  • No mechanism to ensure your SPF record always stays under the 10 lookup limit

DMARC Reporting and Monitoring with PowerDMARC

PowerDMARC seamlessly integrates with Office 365 to empower domain owners with advanced authentication solutions that protect against sophisticated social engineering attacks like BEC and direct-domain spoofing. When you sign up with PowerDMARC you are signing up for a multi-tenant SaaS platform that not only assembles all email authentication best practices (SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI), but also provides an extensive and in-depth DMARC reporting mechanism that offers complete visibility into your email ecosystem. DMARC reports on the PowerDMARC dashboard are generated in two formats:

  • Aggregate Reports
  • Forensic reports

We have strived to make the authentication experience better for you by solving various industry problems. We ensure encryption of your DMARC forensic reports as well as display aggregate reports in 7 different views for enhanced user-experience and clarity. PowerDMARC helps you monitor email flow and authentication failures, and blacklist malicious IP addresses from all over the world. Our DMARC analyzer tool aids you in configuring DMARC correctly for your domain, and shifting from monitoring to enforcement in no time!

 

Business Email Compromise or BEC is a form of email security breach or impersonation attack that affects commercial, government, non-profit organizations, small businesses and startups as well as MNCs and enterprises to extract confidential data that can negatively influence the brand or organization. Spear phishing attacks, invoice scams and spoofing attacks are all examples of BEC.

Cybercriminals are expert schemers who intentionally target specific people within an organization, especially those in positions of authority like the CEO or someone similar, or even a trusted customer. The worldwide financial impact due to BEC is huge, especially in the US which has emerged as the prime hub. Read more about the global BEC scam volume. The solution? Switch to DMARC!

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an industry standard for email authentication. This authentication mechanism specifies to receiving servers how to respond to emails failing SPF and DKIM authentication checks. DMARC can minimize the chances of your brand falling prey to BEC attacks by a substantial percentage, and help protect your brand’s reputation, confidential information and financial assets.

Note that before publishing a DMARC record, you need to implement SPF and DKIM for your domain since DMARC authentication makes use of these two standard authentication protocols for validating messages sent on behalf of your domain.

You can use our free SPF Record Generator and DKIM Record Generator to generate records to be published in your domain’s DNS.

How to Optimize Your DMARC Record to Protect Against BEC?

In order to protect your domain against Business Email Compromise, as well as enable an extensive reporting mechanism to monitor authentication results and gain complete visibility into your email ecosystem, we recommend you to publish the following DMARC record syntax in your domain’s DNS:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Understanding the tags used while generating a DMARC Record:

v (mandatory): This tag specifies the version of the protocol.

p (mandatory): This tag specifies the DMARC policy in use. You can set your DMARC policy to:

  • p=none (DMARC at monitoring only, wherein emails failing authentication checks would still land in receivers’ inboxes)
  • p=quarantine (DMARC at enforcement, wherein emails failing authentication checks will be quarantined or lodged into the spam folder)
  • p=reject (DMARC at maximum enforcement, wherein emails failing authentication checks will be discarded or not delivered at all)

For authentication novices, it is recommended to start out with your policy at monitoring only (p=none) and then slowly shift to enforcement. However, for the purpose of this blog, if you want to safeguard your domain against BEC, p=reject is the recommended policy for you to ensure maximum protection.

sp (optional): This tag specifies the subdomain policy, which can be set to sp=none, sp=quarantine or sp=reject, requesting a policy for all subdomains whose emails fail DMARC authentication.

This tag is only useful if you want to set a different policy for your main domain and subdomains. If it is not specified, the same policy is applied to all your subdomains by default.

adkim (optional): This tag specifies the DKIM identifier alignment mode, which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the d= field in the DKIM signature of the email header must match exactly the domain found in the From header.

For relaxed alignment, however, the two domains only need to share the same organizational domain.

aspf (optional): This tag specifies the SPF identifier alignment mode, which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the domain in the “Return-path” header must match exactly the domain found in the From header.

For relaxed alignment, however, the two domains only need to share the same organizational domain.

rua (optional but recommended): This tag specifies the address, given after the mailto: field, to which DMARC aggregate reports are sent, providing insight on emails passing and failing DMARC.

ruf (optional but recommended): This tag specifies the address, given after the mailto: field, to which DMARC forensic reports are sent. Forensic reports are message-level reports that provide more detailed information on authentication failures. Since these reports may contain email content, encrypting them is the best practice.

pct (optional): This tag specifies the percentage of emails to which the DMARC policy is applicable. The default value is set to 100.

fo (optional but recommended): The forensic options for your DMARC record can be set to:

  • fo=0: DKIM and SPF don’t pass or align
  • fo=1: DKIM or SPF don’t pass or align
  • fo=d: DKIM doesn’t pass or align
  • fo=s: SPF doesn’t pass or align

The recommended mode is fo=1 specifying that forensic reports are to be generated and sent to your domain whenever emails fail either DKIM or SPF authentication checks.
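The tag rules above can be checked mechanically before a record is published. The following is an added example, not code from PowerDMARC or its generator: a small parser and linter for the tags described in this post. The function names and the report addresses at example.com are constructed for illustration, and the defaults for adkim, aspf and fo are taken from the DMARC specification (RFC 7489).

```python
# Added example (not PowerDMARC code): parse and lint a DMARC TXT record value.
POLICIES = ("none", "quarantine", "reject")  # ordered weakest to strongest
# Defaults from the DMARC specification (RFC 7489) for tags that are omitted.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}


def parse_dmarc(record):
    """Parse a DMARC record into a tag dict with defaults; ValueError if invalid."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' that generators emit
        name, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    tags = dict(DEFAULTS)
    explicit = set()
    for name, value in pairs:
        if name in explicit:
            raise ValueError(f"duplicate tag: {name}")
        explicit.add(name)
        tags[name] = value
    if tags.get("p") not in POLICIES:
        raise ValueError("p is mandatory: none, quarantine or reject")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p when sp is absent
    if tags["sp"] not in POLICIES:
        raise ValueError("sp must be none, quarantine or reject")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            raise ValueError(f"{mode} must be r (relaxed) or s (strict)")
    if not tags["pct"].isdigit() or int(tags["pct"]) > 100:
        raise ValueError("pct must be an integer from 0 to 100")
    if any(opt not in ("0", "1", "d", "s") for opt in tags["fo"].split(":")):
        raise ValueError("fo options must be 0, 1, d or s")
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{key} must list mailto: addresses")
    return tags


def lint_dmarc(record):
    """Return findings a domain owner should act on before relying on the record."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    elif int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if POLICIES.index(tags["sp"]) < POLICIES.index(tags["p"]):
        findings.append(f"sp={tags['sp']} is weaker than p={tags['p']}")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports on authentication results")
    return findings


# Constructed samples: the page's two records with placeholder report addresses.
MONITORING = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarc@example.com; "
              "ruf=mailto:dmarc@example.com; fo=1;")
ENFORCED = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
            "ruf=mailto:dmarc@example.com; fo=1;")

if __name__ == "__main__":
    for rec in (MONITORING, ENFORCED, "v=DMARC1; p=reject; sp=none; pct=50"):
        print(rec, "->", lint_dmarc(rec) or "no findings")
```
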

You can generate your DMARC record with PowerDMARC’s free DMARC Record Generator wherein you can select the fields according to the level of enforcement you desire.

Note that only an enforcement policy of reject can minimize BEC, and protect your domain from spoofing and phishing attacks.

While DMARC can be an effective standard to protect your business against BEC, implementing DMARC correctly requires effort and resources. Whether you are an authentication novice or an authentication aficionado, as pioneers in email authentication, PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof for you. We help you:

  • Shift from monitoring to enforcement in no time to keep BEC at bay
  • Our aggregate reports are generated in the form of simplified charts and tables to help you understand them easily without having to read complex XML files
  • We encrypt your forensic reports to safeguard the privacy of your information
  • View your authentication results in 7 different formats (per result, per sending source, per organization, per host, detailed stats, geolocation reports, per country) on our user-friendly dashboard for optimal user-experience
  • Gain 100% DMARC compliance by aligning your emails against both SPF and DKIM so that emails failing either of the authentication checkpoints do not make it through to your receivers’ inboxes

How Does DMARC Protect Against BEC?

As soon as you set your DMARC policy to maximum enforcement (p=reject), DMARC protects your brand from email fraud by reducing the chance of impersonation attacks and domain abuse. All inbound messages are validated against SPF and DKIM email authentication checks to ensure that they arise from valid sources.

SPF is present in your DNS as a TXT record, displaying all the valid sources that are authorized to send emails from your domain. The receiver’s mail server validates the email against your SPF record to authenticate it. DKIM assigns a cryptographic signature, created using a private key, to validate emails in the receiving server, wherein the receiver can retrieve the public key from the sender’s DNS to authenticate the messages.

With your policy at reject, emails are not delivered to your recipient’s mailbox at all when the authentication checks fail, indicating that your brand is being impersonated. This ultimately keeps BEC like spoofing and phishing attacks at bay.
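How a receiver combines the SPF and DKIM results with the strict or relaxed alignment modes and the published policy can be shown in a few lines. This is an added example, not PowerDMARC's or any receiver's code; the message fields, the domains and the two-label approximation of the organizational domain are assumptions made for the sketch.

```python
# Added example (not PowerDMARC code): DMARC alignment and policy outcome.

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption for this sketch: real receivers consult the Public Suffix List,
    so a domain such as example.co.uk is not handled correctly here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' needs an exact match; mode 'r' needs the same organizational domain."""
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return org_domain(auth) == org_domain(frm)


def dmarc_outcome(msg, p="none", adkim="r", aspf="r"):
    """Return (dmarc_pass, action) for one message under the given policy."""
    spf_ok = msg["spf_pass"] and aligned(msg["return_path"], msg["from"], aspf)
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_d"], msg["from"], adkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC to pass
        return True, "deliver"
    action = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    return False, action[p]


# Constructed sample messages, as a receiver would see them after SPF/DKIM checks.
OWN_MAIL = {"from": "example.com", "return_path": "bounce.example.com",
            "spf_pass": True, "dkim_d": "mail.example.com", "dkim_pass": True}
# A legitimate vendor that authenticates only as its own domain: SPF and DKIM
# both pass, but neither aligns with the From domain.
UNALIGNED_VENDOR = {"from": "example.com", "return_path": "mailer.vendor.test",
                    "spf_pass": True, "dkim_d": "vendor.test", "dkim_pass": True}
# A message using the domain in From with no valid SPF or DKIM result.
UNAUTHENTICATED = {"from": "example.com", "return_path": "example.com",
                   "spf_pass": False, "dkim_d": "", "dkim_pass": False}

if __name__ == "__main__":
    for name, msg in (("own", OWN_MAIL), ("vendor", UNALIGNED_VENDOR),
                      ("unauthenticated", UNAUTHENTICATED)):
        for policy in ("none", "quarantine", "reject"):
            print(name, policy, dmarc_outcome(msg, p=policy))
    # Strict alignment breaks mail sent from subdomains of the From domain.
    print("own, strict:", dmarc_outcome(OWN_MAIL, p="reject", adkim="s", aspf="s"))
```

The unaligned vendor case is what the aggregate reports surface during the p=none phase: it has to be fixed before moving to p=reject, or that legitimate mail is rejected too.
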

PowerDMARC’s Basic Plan for Small Businesses

Our basic plan starts from only 8 USD per month, so small businesses and startups trying to adopt secure protocols like DMARC can easily avail of it. The advantages that you will have at your disposal with this plan are as follows:

Sign up with PowerDMARC today and protect your brand’s domain by minimizing the chances of Business Email Compromise and email fraud!

If you are here reading this blog, chances are you have come across one of the three common prompts:

  • No DMARC record 
  • No DMARC record found 
  • DMARC record is missing
  • DMARC record not found 
  • No DMARC record published 
  • DMARC policy not enabled
  • Unable to find DMARC record

Either way, this only implies that your domain is not configured with the most highly acclaimed and popularly used email authentication standard: Domain-based Message Authentication, Reporting, and Conformance, or DMARC. Let’s take a look at what it is:

What is DMARC and why do you need email authentication for your domain?

In order to learn about how to fix the “No DMARC record found” issue, let’s learn what DMARC is all about. DMARC is the most widely used email authentication standard in the current time, which is designed to empower domain owners with the ability to specify to receiving servers how they should handle messages that fail authentication checks. This in turn helps in protecting their domain from unauthorized access and email spoofing attacks. DMARC uses popular standard authentication protocols to validate inbound and outbound messages from your domain.

Protect Your Business from Impersonation Attacks and Spoofing with DMARC

Did you know that email is the easiest way cybercriminals can abuse your brand name?

By using your domain and impersonating your brand, hackers can send malicious phishing emails to your own employees and customers. Since SMTP is not retrofitted with secure protocols against fake “From” fields, an attacker can forge email headers to send fraudulent emails from your domain. Not only will this compromise security in your organization, but it will seriously harm your brand reputation.

Email spoofing can lead to BEC (Business Email Compromise), loss of valuable company information, unauthorized access to confidential data, financial loss and reflect poorly on your brand’s image. Even after implementing SPF and DKIM for your domain, you cannot prevent cybercriminals from impersonating your domain. This is why you need an email authentication protocol like DMARC, which authenticates emails using both the mentioned protocols and specifies to receiving servers of your clients, employees, and partners how to respond if an email is from an unauthorized source and fails authentication checks. This gives you maximum protection against exact-domain attacks and helps you be in complete control of your company’s domain.

Furthermore, with the help of an effective email authentication standard like DMARC, you can improve your email delivery rate, reach, and trust.

 


Adding The Missing DMARC Record for Your Domain

It can be annoying and confusing to come across prompts saying “Hostname returned a missing or invalid DMARC record” when checking for a domain’s DMARC record while using online tools.

For fixing the “No DMARC record found” issue for your domain all you need to do is add a DMARC record for your domain. Adding a DMARC record is essentially publishing a text (TXT) record in your domain’s DNS, in the _dmarc.example.com subdomain in compliance with DMARC specifications. A DMARC TXT Record in your DNS may look something like this:

v=DMARC1; p=none; rua=mailto:[email protected]

And Voila! You have successfully resolved the “No DMARC record found” prompt as your domain is now configured with DMARC authentication and contains a DMARC record.

But is this enough? The answer is no. Simply adding a DMARC TXT record to your DNS may resolve the missing DMARC prompt, but it is simply not enough to mitigate impersonation attacks and spoofing.

Implement DMARC the Right Way with PowerDMARC

PowerDMARC helps your organization achieve 100% DMARC compliance by aligning authentication standards and helping you shift from monitoring to enforcement in no time, resolving the “no DMARC record found” prompt along the way. Furthermore, our interactive and user-friendly dashboard automatically generates:

  • Aggregate Reports (RUA) for all your registered domains, which are simplified and converted into readable tables and charts from complex XML file format for your understanding.
  • Forensic reports (RUF) with encryption

In order to mitigate “no DMARC record found”, all you need to do is:

  • Generate your free DMARC record with PowerDMARC and select your desired DMARC policy with ease.

The DMARC policy can be set to:

  • p=none (DMARC is set at monitoring only, wherein emails failing authentication will still be delivered to your recipient’s inboxes, however, you will be getting aggregate reports informing you about the authentication results)
  • p=quarantine (DMARC is set at enforcement level, wherein emails failing authentication will be delivered to the spam box instead of your recipient’s inbox)
  • p=reject (DMARC is set at maximum enforcement level, wherein emails failing authentication would either be deleted or not delivered at all)

Why PowerDMARC?

PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof. We provide optimal visibility into your email ecosystem with the help of our detailed aggregate reports and help you automatically update changes to your dashboard without you having to update your DNS manually.

We tailor solutions to your domain and handle everything for you completely in the background, all the way from configuration to set up to monitoring. We help you implement DMARC correctly to help keep impersonation attacks at bay!

So sign up with PowerDMARC to configure DMARC for your domain correctly today!