It’s getting bad out there with emails and I don’t mean those reply all conversations that you cannot escape from. I mean spam, phishing, malware, and many other risks related to our organizations’ use of email. It is easy to feel helpless in the face of it. For me, it was email spoofing and CEO Fraud. I looked at these malicious mail servers pretending to use my domain and was unaware that the tools were already available to protect me and my organization.
A few years back, my CEO contacted me as he was being flooded with replies from people who had received a phishing email from his email address. My first thought was that there was nothing we could do about it as we didn’t manage those mail servers, but then I learned about DMARC and how it can protect recipients from malicious senders who attempt to spoof your domain.
What is DMARC?
DMARC (“Domain-based Message Authentication, Reporting, and Conformance”) is both a policy for authenticating email and a protocol for reporting. The policy provides instructions for handling SPF and DKIM authentication failures. The reporting protocol provides the instructions for reporting successes and failures.
When a mail server receives an email claiming to be from your domain, it attempts to authenticate it using your SPF and DKIM settings. If it fails both, it will consider it junk/spam and handle it according to your DMARC policy. Typically, this is simply routing the message to the Junk mail folder. The mail server will also send a report to the email address(es) specified in the policy with the results of the emails received since the last report, typically daily.
The good news is that DMARC is very low cost to implement. It is simply a DNS entry. There are services out there that help you implement DMARC and provide reporting tools for reviewing the various reports that come in each day. We will take a look at both in this article.
Is Your Domain Protected?
I was surprised to learn that adoption of DMARC is still very low. Your organization may be one that is already protected and you can pat yourself on the back or thank your staff or vendor responsible for setting this up. Let’s find out.
My favorite tool for verifying domains is from Dmarcian. It is free and checks your SPF, DKIM, and DMARC at the same time. DMARCAnalyzer has free tools as well, but you have to check each separately.
- Domain Checker by Dmarcian
- SPF Record Checker by DMARC Analyzer
- DKIM Record Check by DMARC Analyzer
- DMARC Record Check by DMARC Analyzer
How to Set Up DMARC
Since DMARC depends on SPF and DKIM, these should be set up as well. At minimum, SPF should be configured for each authorized mail server, as not all support DKIM yet.
Your Sender Policy Framework (SPF) entry is a TXT entry placed in the DNS record of the domain you are protecting.
Here is a sample entry that authorizes Google/G-Suite to send emails for your domain and all other servers to Soft Fail (“accepted but tagged”).
v=spf1 include:_spf.google.com ~all
Here is a sample entry that authorizes Office 365 to send emails for your domain and all other servers to fail (i.e., be rejected).
v=spf1 include:spf.protection.outlook.com -all
If you have other services, like MailChimp, that send emails on your behalf you would include them in the same DNS entry.
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
Be sure to watch your “all” entry and make sure it reflects the current state of your implementation.
- Initial Setup (No policy):
- Debugging (Soft Fail):
- Secured (Reject):
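To see how a receiver reads records like the ones above, here is an added example (not from the article or from any vendor it names) that parses an SPF TXT value, reports which “all” qualifier it ends with, and counts the top-level terms that cost a DNS lookup; the 10-lookup budget comes from RFC 7208 and nested includes are not followed here.

```python
# Top-level SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, value) tuples, one per term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.com
            name, _, value = term.partition("=")
        else:                                # mechanism, e.g. include:_spf.google.com
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record):
    """Describe the record's 'all' policy and how much of the lookup budget it spends."""
    parsed = parse_spf(record)
    lookups = sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)
    result = {"all_policy": None, "all_is_last": False,
              "lookups": lookups, "over_lookup_limit": lookups > 10}
    all_positions = [i for i, (_, name, _) in enumerate(parsed) if name == "all"]
    if all_positions:
        first = all_positions[0]
        result["all_policy"] = QUALIFIERS[parsed[first][0]]
        # Terms after 'all' are never evaluated, so anything placed there is dead configuration.
        result["all_is_last"] = first == len(parsed) - 1
    return result
```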
If you use Office 365, then your SPF entry was likely already added when it was set up. Here are the instructions for G-Suite.
DKIM is supported by both G-Suite and Office 365, but has varied support by other mail service vendors. Here are the instructions for G-Suite, Office 365, and MailChimp.
- G-Suite: Set up DKIM to prevent email spoofing.
- Office 365: Use DKIM to validate outbound email sent from your custom domain in Office 365.
- MailChimp: Set Up Custom Domain Authentication: DKIM and SPF.
Like SPF, DMARC is a TXT entry in your DNS record. I recommend selecting a DMARC reporting solution to help monitor your reports as you implement. If you don’t want a service, then you can have the XML reports emailed to you to review.
Select a DMARC Reporting Solution
Here are a few of the services I have worked with.
Dmarcian is a mature and solid solution. It has been my go-to solution for mid-sized businesses and personal use. I appreciate their efforts to improve DMARC adoption through their free tools and frequent communications. The only con for me is that their UI is starting to look dated compared to other services.
DMARC Analyzer is another solid solution. Their setup wizard is easy and intuitive. It is my go-to for small organizations for its “Freemium” option of less than 25,000 outbound emails per month. It is also a little cheaper than Dmarcian at 100,000 outbound emails per month.
URIPorts is a newer player in this space. They have a modern interface and provide a number of additional logging and reporting tools including: Network-Error-Logging, Content Security Policy, and SMTP TLS Reporting. Although they don’t have a free tier, they have the lowest cost for 100,000 outbound emails per month.
Here is a simplified pricing comparison, arguably oversimplified. This is an attempt at an “apples to apples” comparison, but each offering is a little different, so you should review their features and set up a free trial.
| Tier (outbound emails) | Dmarcian | DMARC Analyzer | URIPorts |
|---|---|---|---|
| Small Business (<25,000/month) | $19.99/month | Free | $5/month |
| Small Business (<100,000/month) | $19.99/month | $18.99/month | $5/month |
| Medium Business (<500,000/month) | $199/month | $79.99/month | $25/month |
| Medium Business (<1,000,000/month) | $199/month | $149.99/month | $100/month |
Setting Up DMARC
Setting up your initial DMARC policy is as easy as adding a new TXT entry to your DNS record. If you set up one of the DMARC reporting solutions above, they will have provided you the policy to use. It likely looks something like this.
HOST: _dmarc TYPE: TXT VALUE: "v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org;"
Once you add this entry to your DNS you will start getting reports delivered to the provided email address. Add multiple email addresses by separating the mailto: URIs with a comma.
HOST: _dmarc TYPE: TXT VALUE: "v=DMARC1; p=none; rua=mailto:email@example.com,mailto:firstname.lastname@example.org;"
While p=none, you will just get reports of the successes and failures delivered to the email addresses. This can be helpful to identify services delivering on your behalf that you were unaware of or overlooked. In one implementation, I discovered that the HRIS system was sending emails to our employees using our domain.
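As an added example (not part of the article and not any vendor's tool), this Python script summarizes an aggregate report of the kind rua= delivers and lists the sources that failed DMARC, which is exactly how a forgotten sender like the HRIS system above surfaces; the report XML is constructed here with documentation addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report in the RFC 7489 XML layout, trimmed to the elements
# the summary reads. Domains and addresses are documentation values, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>pass</result></spf>
      <dkim><domain>example.org</domain><result>pass</result></dkim></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>hris-vendor.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Group a DMARC aggregate report by sending IP and record whether each one passed DMARC."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    summary = {"domain": policy.findtext("domain"), "policy": policy.findtext("p"), "sources": []}
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results: a raw SPF pass for an unrelated envelope
        # domain (a vendor's own domain, for instance) still shows up here as fail.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": record.findtext("identifiers/header_from"),
            "dmarc_pass": dmarc_pass,
            # Domains the receiver actually authenticated; a mismatch with header_from is the clue.
            "auth_domains": sorted({d.text for d in record.findall("auth_results/*/domain")}),
        })
    return summary


def unknown_senders(summary):
    """Sources that failed DMARC: candidates for a missing SPF include or DKIM key."""
    return [s for s in summary["sources"] if not s["dmarc_pass"]]
```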
Once you have identified all of the authorized mail servers, added them to your SPF entry, and enabled DKIM where available, then you are ready to start enforcing your DMARC policy. The recommendation is to implement gradually, starting with quarantine, to ensure there is no disruption to your email delivery.
- p=none pct=100
- p=quarantine pct=1
- p=quarantine pct=5
- p=quarantine pct=10
- p=quarantine pct=25
- p=quarantine pct=50
- p=quarantine pct=100
- p=reject pct=1
- p=reject pct=5
- p=reject pct=10
- p=reject pct=25
- p=reject pct=50
- p=reject pct=100
Regardless of your increments and the time you spend on each step, the goal is that once you are fully implemented you are at p=reject pct=100.
HOST: _dmarc TYPE: TXT VALUE: "v=DMARC1; p=reject; pct=100; rua=mailto:email@example.com;"
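An added example (not from the article) that parses a DMARC TXT value and generates the record for the next step of the staged rollout above, so each DNS change is produced from the previous one rather than hand-edited; the tag rules (v first, p required, pct defaulting to 100) are from RFC 7489 and the mailto addresses are the article's placeholders.

```python
# Staged rollout from the article: tighten one step at a time, never skip ahead.
PCT_STEPS = [1, 5, 10, 25, 50, 100]
ROLLOUT = [("none", 100)] + [("quarantine", n) for n in PCT_STEPS] + [("reject", n) for n in PCT_STEPS]


def parse_dmarc(record):
    """Parse a DMARC TXT value ('tag=value; ...') into a dict, validating the tags used here."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: 'v' must be the first tag and 'p' is required; 'pct' defaults to 100.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    pct = tags.setdefault("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be an integer from 0 to 100")
    return tags


def current_step(record):
    """Return the (p, pct) pair the record currently enforces."""
    tags = parse_dmarc(record)
    return tags["p"], int(tags["pct"])


def next_record(record):
    """Return the TXT value for the next rollout step, or None once p=reject pct=100 is reached."""
    tags = parse_dmarc(record)
    step = (tags["p"], int(tags["pct"]))
    if step not in ROLLOUT:
        raise ValueError(f"{step} is not a step on the staged rollout")
    index = ROLLOUT.index(step)
    if index == len(ROLLOUT) - 1:
        return None
    tags["p"], tags["pct"] = ROLLOUT[index + 1][0], str(ROLLOUT[index + 1][1])
    # Keep reporting addresses and any other tags; emit v, p, pct first for readability.
    order = ["v", "p", "pct"] + [k for k in tags if k not in ("v", "p", "pct")]
    return "; ".join(f"{k}={tags[k]}" for k in order) + ";"
```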
Did that help?
Email spoofing is a serious problem and can compromise your organization’s reputation and your customers’/clients’ privacy. I hope this makes it easier for you to get started with DMARC today.