Posts

A very common question asked by domain owners is “why are my emails ending up in the junk folder instead of the recipients’ inboxes?”. It is important to note that there is never a single underlying reason for emails going to the junk folder: causes range from simple ones, like a poorly written email, to more complex ones, such as your domain name having previously been used for spam. In either case, your emails landing in the spam folder drastically affects your email deliverability rate and domain reputation.

If you want to quickly resolve this obstacle all while ensuring that your emails always reach their designated destinations in future, you have come to the right place. Without beating around the bush much, let’s get right into the solution for stopping your emails from getting flagged as spam: opt for email authentication solutions from a reliable service provider today!

How Does Email Authentication Improve Email Deliverability?

Remember that it is all about boosting your domain’s reputation and ensuring that your domain is not used to carry out malicious activities like spoofing or phishing attacks and BEC. This is exactly what an email authentication protocol like DMARC does. Domain-based Message Authentication, Reporting and Conformance (DMARC) is an industry-recommended email authentication standard that makes use of SPF and DKIM to authenticate email messages sent from your domain. DMARC exists in your domain’s DNS as a DNS TXT record specifying to receiving servers how they should treat emails that fail authentication (probable spoofing/phishing emails sent by threat actors using your domain name).

However, it isn’t as easy as it appears to be. Simply publishing a DMARC record will not protect you against email fraud; it might even worsen the situation if you have incorrectly configured your authentication protocols. To implement DMARC correctly you need to set up SPF and DKIM for your domain with the correct syntax and policy mode. Furthermore, only a DMARC policy at enforcement level (p=reject/quarantine) can adequately protect your domain against BEC and spoofing.

Keeping all of this in mind, eventually with DMARC you can observe a more than 10% increase in your email deliverability rate and a noticeable decrease in the number of emails landing in the spam folder.

How Can I Properly Configure DMARC to Stop Being Marked as Spam?

You can follow the steps given below to set up DMARC correctly for your domain:

  • Make a note of all authorized sending sources that can send emails on behalf of your domain.
  • Set up SPF for your domain completely free of cost, with PowerDMARC’s free SPF record generator.
  • Configure DKIM for your domain with PowerDMARC’s free DKIM record generator.
  • Configure DMARC for your domain with PowerDMARC’s free DMARC record generator.
  • Look up and validate your records.
  • Monitor your authentication results and email flow with automatically generated and easy to comprehend DMARC aggregate and forensic reports using our DMARC analyzer tool, so that you can shift from a none policy to DMARC enforcement in no time!

You can find all the record generators in the PowerDMARC toolbox.

Additional Recommendations on Stopping Emails from Going to the Junk Folder

Stay under the SPF hard limit

You may not be aware of this but SPF authentication comes with a DNS lookup limit of 10. Exceeding this limit invalidates your SPF record causing SPF to break and even legitimate emails to fail authentication checks. In such cases an SPF permerror result is returned if you have enabled DMARC monitoring for your domain. Hence, staying under the SPF 10 DNS Lookup Limit is imperative to ensure your emails reach your recipients’ inboxes.

Report abusive IP addresses

Blacklisting abusive IP addresses that are using your domain name to conduct fraud can be an important step towards ensuring that similar incidents do not take place in the future. Our DMARC analyzer can help you report malicious addresses from all around the world, in real-time, to make sure they can no longer use your domain for fraudulent activities!

Gain 100% DMARC compliance

Align emails sent via your domain against both SPF and DKIM authentication standards to gain 100% DMARC compliance. This would considerably improve your senders’ reputation over time and minimize the chances of your emails being flagged as spam.

Sign up with PowerDMARC today to get your free DMARC and take the first step towards preventing your emails from going to the junk folder!

If you are on this page reading this blog, chances are that you have come across either one of the following prompts:

  • No SPF record found
  • SPF record is missing
  • No SPF record
  • SPF record not found
  • No SPF record published
  • Unable to find SPF record

The prompt simply signifies that your domain is not configured with SPF email authentication standard. An SPF record is a DNS TXT record that is published in your domain’s DNS to authenticate messages by checking them against the authorized IP addresses that are allowed to send emails on behalf of your domain, included in your SPF record. So naturally if your domain is not authenticated with SPF protocol you might come across a “No SPF record found” message.

What is Sender Policy Framework (SPF)?

SPF email authentication standard is a mechanism used to prevent spammers from forging emails. It uses DNS records to verify that the sending server is allowed to send emails from the domain name. SPF, which stands for Sender Policy Framework, allows you to identify permitted senders of emails on your domain.

SPF is a “path-based” authentication system, implying that it is related to the path that the email takes from the original sending server to the receiving server. SPF not only allows organizations to authorize IP addresses to use its domain names when sending out emails, but also provides a way that a receiving email server can check that authorization.

Do I Need to Configure SPF?

You’ve probably been told that you need SPF (Sender Policy Framework) email authentication. But does a business really need it? And if so, are there any other benefits? That question is usually understood when the enterprise becomes a large e-mail exchanger for their organization. With SPF, you can track email behavior to detect fraudulent messages and protect your business from spam-related issues, spoofing and phishing attacks. SPF, along with DKIM and DMARC, helps you achieve maximum deliverability and brand protection by verifying the identity of the senders.

How Does SPF Function?

  • SPF records are specially formatted Domain Name System (DNS) records published by domain administrators that define which mail servers are authorized to send mail on behalf of that domain.
  • With SPF configured for your domain, whenever an email is sent from your domain the recipient’s mail server looks up the specifications for the return-path domain in the DNS. It subsequently tries to match the IP address of the sender to the authorized addresses defined in your SPF record.
  • According to the SPF policy specifications the receiving server then decides whether to deliver, reject or flag the email in case it fails authentication.

Breaking Down the Syntax of an SPF Record

Let’s take the example of an SPF record for a dummy domain with the correct syntax:

v=spf1 ip4:192.0.2.10 include:domain.com -all

 

Stopping the “No SPF Record Found” Message

If you want to stop getting the annoying “No SPF record found” prompt, all you need to do is configure SPF for your domain by publishing a DNS TXT record. You can use PowerDMARC’s free SPF record generator to create an instant record with the correct syntax, to publish in your DNS.

All you need to do is:

  • Choose if you want to allow servers listed as MX to send emails for your domain
  • Choose if you want to allow the current IP address of the domain to send email for this domain
  • Fill in the IP addresses authorized to send emails from your domain
  • Add any other server hostnames or domains that may deliver or relay mail for your domain
  • Choose your SPF policy mode or the level of strictness of the receiving server from Fail (non-compliant emails will be rejected), Soft-fail (Non-compliant emails will be accepted but marked), and Neutral (Mails will probably be accepted)
  • Click on Generate SPF Record to instantly create your record

In case you already have SPF configured for your domain, you can also use our free SPF record checker to look up and validate your SPF record and detect issues.

Is Publishing an SPF Record Enough?

The answer is no. SPF alone cannot prevent your brand from being impersonated. For optimal protection against direct-domain spoofing, phishing attacks, and BEC, you need to configure DKIM and DMARC for your domain.

Furthermore, SPF has a limit of 10 DNS lookups. If you exceed this limit your SPF will break and authentication will fail for even legitimate emails. This is why you need a dynamic SPF flattener that will help you stay under the 10 DNS lookup limit, as well as keep you updated on changes made by your email exchange providers.

Hopefully this blog helped you resolve your problem and you never have to worry about the “No SPF record found” message bothering you again. Sign up for a free email authentication trial to improve your email deliverability and email security today!

 

Business Email Compromise (BEC) is an ever-evolving and rampant form of cybercrime that uses email as the medium for conducting fraud. Targeting commercial, government as well as non-profit organizations, BEC can lead to huge amounts of data loss, security breaches and compromised financial assets. It is a common misconception that cybercriminals usually focus on MNCs and enterprise-level organizations. SMEs these days are just as much a target of email fraud as the larger industry players.

How Can BEC Affect Organizations?

Examples of BEC include sophisticated social engineering attacks like phishing, CEO fraud, fake invoices, and email spoofing, to name a few. It can also be termed an impersonation attack, wherein an attacker aims to defraud a company by posing as people in positions of authority. Impersonating people like the CFO or CEO, a business partner or anyone you would blindly place your trust in is what drives the success of these attacks.

February of 2021 captured the activities of Russian cyber gang Cosmic Lynx, as they took a sophisticated approach towards BEC. The group had already been linked to conducting over 200 BEC campaigns since July 2019, targeting over 46 countries worldwide, focusing on giant MNCs that have a global presence. With extremely well-written phishing emails, they are making it impossible for people to differentiate between real and fake messages.

Remote-working has made video conferencing applications indispensable entities, post-pandemic. Cybercriminals are taking advantage of this situation by sending fraudulent emails that impersonate a notification from the video conferencing platform, Zoom. This is aimed at stealing login credentials to conduct massive company data breaches.

It is clear that the relevance of BEC has been rapidly increasing in recent times, with threat actors coming up with more sophisticated and innovative ways to get away with fraud. BEC affects more than 70% of organizations worldwide and leads to the loss of billions of dollars every year. This is why industry experts are coming up with email authentication protocols like DMARC, to offer a high level of protection against impersonation.

What is Email Authentication?

Email authentication can be referred to as a bevy of techniques deployed to provide verifiable information about the origin of emails. This is done by authenticating the domain ownership of the mail transfer agent(s) involved in the message transfer.

Simple Mail Transfer Protocol (SMTP), which is the industry standard for email transfer, has no in-built feature for message authentication. This lack of security makes it exceedingly easy for cybercriminals to launch email phishing and domain spoofing attacks. This highlights the need for effective email authentication protocols like DMARC, which actually deliver on their claims!

Steps to Prevent BEC with DMARC

 

Step 1: Implementation 

The first step to fighting BEC is actually configuring DMARC for your domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) makes use of SPF and DKIM authentication standards to validate emails sent from your domain. It specifies to receiving servers how to respond to emails that fail either/both of these authentication checks, giving the domain owner control over the receiver’s response. Hence, for implementing DMARC you would need to:

  • Identify all valid email sources authorized for your domain
  • Publish SPF record in your DNS to configure SPF for your domain
  • Publish DKIM record in your DNS to configure DKIM for your domain
  • Publish DMARC record in your DNS to configure DMARC for your domain

In order to avoid complexities you can use PowerDMARC’s free tools (free SPF record generator, free DKIM record generator, free DMARC record generator) to generate records with the correct syntax, instantly, to publish in your domain’s DNS.

Step 2: Enforcement 

Your DMARC policy can be set to:

  • p=none (DMARC at monitoring only; messages failing authentication would still be delivered)
  • p=quarantine (DMARC at enforcement; messages failing authentication would be quarantined)
  • p=reject (DMARC at maximum enforcement; messages failing authentication would not be delivered at all)

We would recommend that you start using DMARC with a policy enabling monitoring only, so that you can keep tabs on the email flow and delivery issues. However, such a policy wouldn’t provide any protection against BEC. This is why you would eventually need to shift to DMARC enforcement. PowerDMARC helps you seamlessly shift from monitoring to enforcement in no time with a policy of p=reject, which specifies to receiving servers that an email sent from a malicious source using your domain should not be delivered to your recipient’s inbox at all.

Step 3: Monitoring and Reporting 

You have set your DMARC policy at enforcement and have successfully minimized BEC, but is that enough? The answer is no. You still need an extensive and effective reporting mechanism to monitor email flow and respond to any delivery issues. PowerDMARC’s multi-tenant SaaS platform helps you:

  • stay in control of your domain
  • visually monitor authentication results for every email, user and domain registered for you
  • take down abusive IP addresses that try impersonating your brand

DMARC reports are available on the PowerDMARC dashboard in two major formats:

  • DMARC aggregate reports (available in 7 different views)
  • DMARC forensic reports (with encryption for enhanced privacy)

A culmination of DMARC implementation, enforcement and reporting helps you drastically reduce the chances of falling prey to BEC scams and impersonation. 

With Anti-Spam Filters Do I Still Need DMARC?

Yes! DMARC works very differently from your ordinary anti-spam filters and email security gateways. While these solutions usually come integrated with your cloud-based email exchanger services, they can only offer protection against inbound phishing attempts. Messages sent from your domain, still remain under the threat of impersonation. This is where DMARC steps in.

Additional Tips for Enhanced Email Security

 

Always Stay under the 10 DNS Lookup Limit 

Exceeding the SPF 10 lookup limit can completely invalidate your SPF record and cause even legitimate emails to fail authentication. In such cases if you have your DMARC set to reject, authentic emails will fail to get delivered. PowerSPF is your automatic and dynamic SPF record flattener that mitigates SPF permerror by helping you stay under the SPF hard limit. It auto updates netblocks and scans for changes made by your email service providers to their IP addresses constantly, without any intervention from your side.

Ensure TLS Encryption of Emails in Transit

While DMARC can protect you from social engineering attacks and BEC, you still need to gear up against pervasive monitoring attacks like Man-in-the-middle (MITM). This can be done by ensuring that a connection secured over TLS is negotiated between SMTP servers every time an email is sent to your domain. PowerDMARC’s hosted MTA-STS makes TLS encryption mandatory in SMTP and comes with an easy implementation procedure.

Get Reports on Issues in Email Delivery

You can also enable SMTP TLS reporting to get diagnostic reports on email delivery issues after configuring MTA-STS for your domain. TLS-RPT helps you gain visibility into your email ecosystem, and better respond to issues in negotiating a secured connection leading to delivery failures. TLS reports are available in two views (aggregate reports per result and per sending source) on the PowerDMARC dashboard.

Amplify Your Brand Recall with BIMI 

With BIMI (Brand Indicators for Message Identification) you can take your brand recall to a whole new level by helping your recipients visually identify you in their inboxes. BIMI works by attaching your unique brand logo to every email you send out from your domain. PowerDMARC makes BIMI implementation easy with just 3 simple steps on the user’s part.

PowerDMARC is your one-stop destination for an array of email authentication protocols including DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT. Sign up today to get your free DMARC Analyzer trial!

Encryption is optional in SMTP, which implies that emails can be sent in plaintext. Mail Transfer Agent-Strict Transport Security (MTA-STS) is a relatively new standard that enables mail service providers to enforce Transport Layer Security (TLS) to secure SMTP connections, and to specify whether the sending SMTP servers should refuse to deliver emails to MX hosts that do not support TLS. It has been proven to successfully mitigate TLS downgrade attacks and Man-In-The-Middle (MITM) attacks.

Enabling MTA-STS alone is not enough, as you also require an effective reporting mechanism to detect failures in establishing an encrypted channel. SMTP TLS Reporting (TLS-RPT) is a standard that enables the reporting of TLS connectivity issues experienced by applications that send emails, and the detection of misconfigurations. It enables the reporting of email delivery issues that take place when an email isn’t encrypted with TLS.

Easy MTA-STS Implementation with PowerMTA-STS

Implementing MTA-STS is an arduous task that involves a lot of complexities during adoption. From generating policy files and records to maintaining the web server and hosting certificates, it is a long drawn process. PowerDMARC has got you covered! Our hosted MTA-STS services provide the following benefits:

  • Publish your DNS CNAME records with just a few clicks
  • We take the responsibility of maintaining the policy web server and hosting the certificates
  • You can make MTA-STS policy changes instantly and with ease, through the PowerDMARC dashboard, without having to manually make changes to the DNS
  • PowerDMARC’s hosted MTA-STS services are RFC compliant and support the latest TLS standards
  • From generating certificates and MTA-STS policy files to policy enforcement, we help you evade the tremendous complexities involved in adopting the protocol

Why Do Emails Require Encryption in Transit?

Security had to be retrofitted into SMTP in a backward-compatible way, by adding the STARTTLS command to initiate TLS encryption, so in case the client doesn’t support TLS the communication falls back to cleartext. This way emails in transit can fall prey to pervasive monitoring attacks like MITM, wherein cybercriminals can eavesdrop on your messages, and alter and tamper with information by replacing or deleting the encryption command (STARTTLS), making the communication roll back to plaintext.

This is where MTA-STS comes to the rescue, making TLS encryption mandatory in SMTP. This helps in reducing the threats of MITM, DNS Spoofing and Downgrade attacks.
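The sender-side decision described above, as an added example that is not PowerDMARC's code: it parses an MTA-STS policy file (the `version`, `mode`, `mx` and `max_age` keys defined by the MTA-STS standard) and decides what a sending server does when an MX stops advertising STARTTLS. The host names, EHLO replies and function names are constructed for illustration.

```python
"""MTA-STS policy check on the sending side (added example, constructed data)."""

# Constructed policy file, as it would be fetched over HTTPS for the recipient domain.
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.test
mx: *.mx.example.test
max_age: 604800
"""

# Constructed EHLO replies: the second one has had the STARTTLS line removed in transit.
EHLO_CLEAN = ["250-mail.example.test", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
EHLO_STRIPPED = ["250-mail.example.test", "250-SIZE 35882577", "250 8BITMIME"]


def parse_policy(text):
    """Parse the key/value policy file; 'mx' may repeat, every other key appears once."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed policy line: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a non-negative integer")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx pattern is required")
    return policy


def mx_allowed(host, patterns):
    """Match an MX host against the policy; '*.' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            if "." in host and host.split(".", 1)[1] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def offers_starttls(ehlo_lines):
    """True if the server's EHLO reply advertises the STARTTLS extension."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_lines if line[:3] == "250")


def delivery_decision(policy, mx_host, ehlo_lines, cert_valid):
    """Return what the sending server does with a message for this MX."""
    if policy["mode"] == "none":
        return "deliver-opportunistic"
    validated = (mx_allowed(mx_host, policy["mx"])
                 and offers_starttls(ehlo_lines)
                 and cert_valid)
    if validated:
        return "deliver-tls"
    # enforce: never fall back to cleartext; testing: deliver, but report via TLS-RPT
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for label, ehlo in (("clean", EHLO_CLEAN), ("stripped", EHLO_STRIPPED)):
        print(label, delivery_decision(policy, "mail.example.test", ehlo, True))
```

Without a policy the stripped session would silently continue in plaintext; with `mode: enforce` the message is held back, and in `testing` mode the failure only appears in TLS-RPT reports.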

After successfully configuring MTA-STS for your domain, what you need is an efficient reporting mechanism that would help you detect and respond to issues in email delivery due to problems in TLS encryption at a faster pace. PowerTLS-RPT does exactly that for you!

Receive Reports on Email Delivery Issues with PowerTLS-RPT

TLS-RPT is fully integrated into the PowerDMARC security suite so that as soon as you sign up with PowerDMARC and enable SMTP TLS Reporting for your domain, we take the pain of converting the complicated JSON files containing your reports of email delivery issues, into simple, readable documents that you can go through and understand with ease!

On the PowerDMARC platform, TLS-RPT aggregate reports are generated in two formats for ease of use, better insight, and enhanced user-experience:
  • Aggregate Reports Per Result
  • Aggregate Reports Per Sending Source

Moreover, PowerDMARC’s platform automatically detects and subsequently conveys the issues you are facing, so that you can promptly address and resolve them in no time.

Why Do You Need SMTP TLS Reporting?

In case of failures in email delivery due to issues in TLS encryption, with TLS-RPT you will get notified. TLS-RPT provides enhanced visibility on all your email channels so that you gain better insight on all that is going on in your domain, including messages that are failing to be delivered. Furthermore, it provides in-depth diagnostic reports that enable you to identify and get to the root of the email delivery issue and fix it without any delay.

For getting hands-on knowledge on MTA-STS and TLS-RPT implementation and adoption, view our detailed guide today!

Configure DMARC for your domain with PowerDMARC, and deploy email authentication best practices like SPF, DKIM, BIMI, MTA-STS and TLS-RPT, all under one roof. Sign up for a free DMARC Trial today!

The rate at which emails make it through to the recipients’ inboxes is called the email deliverability rate. Delivery can be slowed down, delayed, or fail altogether when emails end up in the spam folder or get blocked by receiving servers. It is an important parameter for measuring the success of your emails in reaching your desired receivers’ inboxes without being marked as spam. Email authentication is definitely one of the options authentication novices can resort to in order to see a substantial improvement in email deliverability over time.

In this blog we are here to talk to you about how you can improve your email deliverability rate with ease and also discuss the best industry practices to ensure smooth flow of messages across all your email channels!

What is Email Authentication?

Email authentication is the technique used for validating your email for authenticity against all authorized sources that are allowed to send emails from your domain. It further helps in validating the domain ownership of any Mail Transfer Agent (MTA) involved in transferring or modifying an email.

Why Do You Need Email Authentication?

Simple Mail Transfer Protocol (SMTP) which is the internet standard for email transfer, contains no feature to authenticate inbound and outbound emails, allowing cybercriminals to exploit the lack of secure protocols in SMTP. This can be used by threat actors to perpetrate email phishing scams, BEC and domain spoofing attacks wherein they can impersonate your brand and harm its reputation and credibility. Email authentication enhances the security of your domain against impersonation and fraud, indicating to receiving servers that your emails are DMARC compliant and arise from valid and authentic sources. It also serves as a checkpoint for unauthorized and malicious IP addresses sending emails from your domain.

To protect your brand image, minimize cyber threats, BEC and ensure improved deliverability rate, email authentication is a must!

Email Authentication Best Practices

Sender Policy Framework (SPF)

SPF is present in your DNS as a TXT record, displaying all the valid sources that are authorized to send emails from your domain. Every email that leaves your domain has an IP address that identifies your server and the email service provider used by your domain that is enlisted within your DNS as an SPF record. The receiver’s mail server validates the email against your SPF record to authenticate it and accordingly marks the email as SPF pass or fail.

Note that SPF has a 10 DNS lookup limit, exceeding which can return a PermError result and lead to SPF failure. This can be mitigated by using PowerSPF to stay under the lookup limit at all times!
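The 10-lookup limit described here and in the earlier SPF sections of this page can be checked before a record is published. The following is an added example, not PowerDMARC's or PowerSPF's code: it walks `include` and `redirect` chains and counts every term that triggers a DNS query. The `ZONE` table is constructed sample data standing in for DNS, and all domain and function names are hypothetical.

```python
"""Static SPF DNS-lookup counter (added example; constructed data, no live DNS)."""
import re

LOOKUP_LIMIT = 10  # the SPF hard limit on DNS-querying terms per evaluation

# Constructed TXT records standing in for DNS answers; every name is hypothetical.
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test "
                    "include:_spf.crm.test include:_spf.desk.test -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_b.mailer.test": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_c.mailer.test": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test mx:crm.test ~all",
    "_spf.desk.test": "v=spf1 include:_relay.desk.test ~all",
    "_relay.desk.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    # A flattened record lists networks directly, so it needs no lookups.
    "flat.example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                         "ip4:203.0.113.0/24 -all",
    "loop.test": "v=spf1 include:loop.test -all",
}


class SpfPermError(Exception):
    """Raised for conditions a receiver would report as SPF permerror."""


def split_term(term):
    """Return (name, domain argument) for one mechanism or modifier."""
    body = term.lstrip("+-~?")  # drop the qualifier
    m = re.match(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/]?)(.*)", body)
    if not m:
        raise SpfPermError(f"unparseable term: {term!r}")
    name, sep, rest = m.group(1).lower(), m.group(2), m.group(3)
    if sep == "/":  # "a/24" or "mx/24": CIDR length only, no domain argument
        return name, ""
    return name, rest.split("/")[0]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from a domain's SPF record.

    This is the worst case: a receiver stops at the first matching mechanism,
    so a given message may trigger fewer lookups than the static count.
    """
    domain = domain.lower().rstrip(".")
    if domain in path:
        raise SpfPermError(f"include loop at {domain}")
    record = zone.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise SpfPermError(f"{domain}: record does not start with v=spf1")
    total = 0
    for term in terms[1:]:
        name, arg = split_term(term)
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            # one query for the target's record, plus whatever that record needs
            total += 1 + count_lookups(arg, zone, path + (domain,))
        # ip4, ip6 and all never query DNS
    return total


def audit_spf(domain, zone=ZONE):
    """Summarise whether a domain's SPF record stays within the lookup limit."""
    try:
        lookups = count_lookups(domain, zone)
    except SpfPermError as exc:
        return {"domain": domain, "lookups": None, "result": "permerror", "reason": str(exc)}
    if lookups > LOOKUP_LIMIT:
        reason = f"{lookups} lookups exceeds the limit of {LOOKUP_LIMIT}"
        return {"domain": domain, "lookups": lookups, "result": "permerror", "reason": reason}
    return {"domain": domain, "lookups": lookups, "result": "ok", "reason": ""}


if __name__ == "__main__":
    for name in ("example.test", "flat.example.test", "loop.test"):
        print(audit_spf(name))
```

In the sample data no single record looks excessive; the limit is exceeded only once the nested includes of three providers are added up, which is the situation a flattened record avoids.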

DomainKeys Identified Mail (DKIM)

DKIM is a standard email authentication protocol that assigns a cryptographic signature, created using a private key, to validate emails in the receiving server, wherein the receiver can retrieve the public key from the sender’s DNS to authenticate the messages. Much like SPF, the DKIM public key also exists as a TXT record in the DNS of the domain owner.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Simply implementing SPF and DKIM is just not enough since there is no way for domain owners to control how receiving servers respond to emails that fail authentication checks.

DMARC is currently the most widely used email authentication standard, designed to empower domain owners with the ability to specify to receiving servers how they should handle messages that fail SPF or DKIM or both. This in turn helps in protecting their domain from unauthorized access and email spoofing attacks.

How Can DMARC Improve Email Deliverability?

  • When publishing a DMARC record in your domain’s DNS, the domain owner requests receiving servers supporting DMARC, to send feedback on the emails which they receive for that domain, automatically indicating to receiving servers that your domain extends support towards secure protocols and authentication standards for emails, like DMARC, SPF and DKIM.
  • DMARC aggregate reports help you gain increased visibility into your email ecosystem, enabling you to view your email authentication results, detect authentication failures and mitigate delivery issues.
  • By enforcing your DMARC policy you can block malicious emails impersonating your brand from landing into the inboxes of your receivers.

Additional Tips on Improving Email Deliverability:

  • Enable visual identification of your brand in your receivers’ inboxes with BIMI
  • Ensure TLS encryption of emails in transit with MTA-STS
  • Detect and respond to email delivery issues by enabling extensive reporting mechanism with TLS-RPT

PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof. Sign up today with PowerDMARC and witness a considerable improvement in email deliverability with our enhanced email security and authentication suite.

Business Email Compromise or BEC is a form of email security breach or impersonation attack that affects commercial, government, non-profit organizations, small businesses and startups as well as MNCs and enterprises to extract confidential data that can negatively influence the brand or organization. Spear phishing attacks, invoice scams and spoofing attacks are all examples of BEC.

Cybercriminals are expert schemers who intentionally target specific people within an organization, especially those in positions of authority like the CEO or someone similar, or even a trusted customer. The worldwide financial impact due to BEC is huge, especially in the US which has emerged as the prime hub. The solution? Switch to DMARC!

What is DMARC?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an industry standard for email authentication. This authentication mechanism specifies to receiving servers how to respond to emails failing SPF and DKIM authentication checks. DMARC can minimize the chances of your brand falling prey to BEC attacks by a substantial percentage, and help protect your brand’s reputation, confidential information and financial assets.

Note that before publishing a DMARC record, you need to implement SPF and DKIM for your domain since DMARC authentication makes use of these two standard authentication protocols for validating messages sent on behalf of your domain.

You can use our free SPF Record Generator and DKIM Record Generator to generate records to be published in your domain’s DNS.

How to Optimize Your DMARC Record to Protect Against BEC?

In order to protect your domain against Business Email Compromise, as well as enable an extensive reporting mechanism to monitor authentication results and gain complete visibility into your email ecosystem, we recommend you to publish the following DMARC record syntax in your domain’s DNS:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Understanding the tags used while generating a DMARC Record:

v (mandatory) This mechanism specifies the version of the protocol.

p (mandatory) This mechanism specifies the DMARC policy in use. You can set your DMARC policy to:

  • p=none (DMARC at monitoring only, wherein emails failing authentication checks would still land in receivers’ inboxes).
  • p=quarantine (DMARC at enforcement, wherein emails failing authentication checks will be quarantined or lodged into the spam folder).
  • p=reject (DMARC at maximum enforcement, wherein emails failing authentication checks will be discarded or not delivered at all).

For authentication novices, it is recommended to start out with your policy at monitoring only (p=none) and then slowly shift to enforcement. However, for the purpose of this blog, if you want to safeguard your domain against BEC, p=reject is the recommended policy for you to ensure maximum protection.

sp (optional) This tag specifies the subdomains policy which can be set to sp=none/quarantine/reject, requesting a policy for all subdomains wherein emails are failing DMARC authentication.

This tag is only useful if you desire to set a different policy for your main domain and subdomains. If not specified, the same policy will be levied upon all your subdomains by default.

adkim (optional) This mechanism specifies the DKIM identifier alignment mode which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the d= field in the DKIM signature of the email header must align and match exactly with the domain found in the From header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

aspf (optional) This mechanism specifies the SPF identifier alignment mode which can be set to s (strict) or r (relaxed).

Strict alignment specifies that the domain in the “Return-path” header must align and match exactly with the domain found in the From header.

However, for Relaxed alignment the two domains must share the same organizational domain only.

rua (optional but recommended) This tag specifies that DMARC aggregate reports are to be sent to the address specified after the mailto: field, providing insight on emails passing and failing DMARC.

ruf (optional but recommended) This tag specifies that DMARC forensic reports are to be sent to the address specified after the mailto: field. Forensic reports are message-level reports that provide more detailed information on authentication failures. Since these reports may contain email content, encrypting them is the best practice.

pct (optional) This tag specifies the percentage of emails to which the DMARC policy is applicable. The default value is set to 100.

fo (optional but recommended) The forensic options for your DMARC record can be set to:

  • DKIM and SPF don’t pass or align (0)
  • DKIM or SPF don’t pass or align (1)
  • DKIM doesn’t pass or align (d)
  • SPF doesn’t pass or align (s)

The recommended mode is fo=1 specifying that forensic reports are to be generated and sent to your domain whenever emails fail either DKIM or SPF authentication checks.

You can generate your DMARC record with PowerDMARC’s free DMARC Record Generator wherein you can select the fields according to the level of enforcement you desire.

Note that only an enforcement policy of reject can minimize BEC, and protect your domain from spoofing and phishing attacks.
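The tag rules above can be turned into a pre-publication check. The following is an added example, not PowerDMARC's generator or analyzer: it parses a DMARC record, applies the defaults described above (sp inherits p, pct is 100) together with the standard's defaults of relaxed alignment and fo=0, and lists the settings that leave a domain short of the enforcement this post recommends. The report addresses, the finding names and the function names are constructed.

```python
"""DMARC record parser and policy audit (added example, constructed sample records)."""

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}

# The record recommended in this post, with constructed report addresses.
RECOMMENDED = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.test; "
               "ruf=mailto:dmarc-fail@example.test; fo=1;")


def parse_dmarc(record):
    """Return the record's tags with defaults applied; raise ValueError if invalid."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';'
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[key] = value
    # v must be the first tag and carry exactly this value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in STRENGTH:
        raise ValueError("p is mandatory and must be none, quarantine or reject")
    tags["p"] = tags["p"].lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()  # subdomains inherit p by default
    if tags["sp"] not in STRENGTH:
        raise ValueError("sp must be none, quarantine or reject")
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim and aspf must be r or s")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    if not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo accepts 0, 1, d and s")
    return tags


def audit_dmarc(record):
    """List the settings that weaken the record, in a fixed order."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("policy-not-enforced")        # failing mail is still delivered
    if STRENGTH[tags["sp"]] < STRENGTH[tags["p"]]:
        findings.append("subdomain-policy-weaker")    # subdomains stay spoofable
    if int(tags["pct"]) < 100:
        findings.append("partial-enforcement")        # policy covers only a sample
    if "rua" not in tags:
        findings.append("no-aggregate-reports")       # no visibility into results
    if "ruf" in tags and "1" not in tags["fo"].split(":"):
        findings.append("forensic-option-not-fo1")    # single-protocol failures unreported
    return findings


if __name__ == "__main__":
    samples = [
        RECOMMENDED,
        "v=DMARC1; p=quarantine; sp=none; pct=25; adkim=s",
        "v=DMARC1; p=none; rua=mailto:agg@example.test; ruf=mailto:fail@example.test",
    ]
    for sample in samples:
        print(sample, "->", audit_dmarc(sample) or "no findings")
```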

While DMARC can be an effective standard to protect your business against BEC, implementing DMARC correctly requires effort and resources. Whether you are an authentication novice or an authentication aficionado, as pioneers in email authentication, PowerDMARC is a single email authentication SaaS platform that combines all email authentication best practices such as DMARC, SPF, DKIM, BIMI, MTA-STS and TLS-RPT, under the same roof for you. We help you:

  • Shift from monitoring to enforcement in no time to keep BEC at bay
  • Our aggregate reports are generated in the form of simplified charts and tables to help you understand them easily without having to read complex XML files
  • We encrypt your forensic reports to safeguard the privacy of your information
  • View your authentication results in 7 different formats (per result, per sending source, per organization, per host, detailed stats, geo location reports, per country) on our user-friendly dashboard for optimal user-experience
  • Gain 100% DMARC compliance by aligning your emails against both SPF and DKIM so that emails failing either of the authentication checkpoints do not make it through to your receivers’ inboxes

How Does DMARC Protect Against BEC?

As soon as you set your DMARC policy to maximum enforcement (p=reject), DMARC protects your brand from email fraud by reducing the chance of impersonation attacks and domain abuse. All inbound messages are validated against SPF and DKIM email authentication checks to ensure that they arise from valid sources.

SPF is present in your DNS as a TXT record, displaying all the valid sources that are authorized to send emails from your domain. The receiver’s mail server validates the email against your SPF record to authenticate it. DKIM assigns a cryptographic signature, created using a private key, to validate emails in the receiving server, wherein the receiver can retrieve the public key from the sender’s DNS to authenticate the messages. With your policy at reject, emails are not delivered to your recipient’s mailbox at all when the authentication checks fail, indicating that your brand is being impersonated. This ultimately keeps BEC like spoofing and phishing attacks at bay.

PowerDMARC’s Basic Plan for Small Businesses

Our basic plan starts from only 8 USD per month, so small businesses and startups trying to adopt secure protocols like DMARC can easily avail of it. The advantages that you will have at your disposal with this plan are as follows:

Sign up with PowerDMARC today and protect your brand’s domain by minimizing the chances of Business Email Compromise and email fraud!