KB - How do I set up DMARC for my domain?

Article was last updated on March 10, 2022.

Introduction

If you're running a business, then you know that protecting your domain is essential. One way to do this is by setting up DMARC for your domain. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It's a fairly new protocol, but it's already becoming the industry standard for email authentication.

Why should you use it?

There are many reasons why you should publish a DMARC policy. Here are just a few:

  • helps protect against phishing attacks that try to steal user passwords and personal information
  • prevents bad actors from spoofing your company's domain name and impersonating your brand
  • helps ensure the legitimacy of your email communications
  • protects your business from online fraud

How does it work?

DMARC helps email receivers determine if the alleged author (i.e. email address displayed in the "From" field of the email client) of an email is legitimate or not, and allows domain owners to specify how they want their emails authenticated, and how they would like recipients to handle messages that fail authentication. DMARC also allows email receivers to report back to the domain owner any messages that were not authenticated. This way, the domain administrators can see which emails are not being authenticated and take steps to fix the issue.

Behind the scenes

When your email server receives an incoming email, the DMARC Test extracts the content of the "From" header and checks whether the domain in the author email address matches the domain of the sender email address verified by the SPF Test and/or the signing domain of the signature verified by the DKIM Test. If there is a match, that means the email's author is legitimate and the email has passed the DMARC Test.

Prerequisites

DMARC relies on two other email authentication standards, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and you must have at least one of these set up in your domain before publishing a DMARC policy. See the related KBs if you need help setting them up: SPF Setup.

Publishing a DMARC policy

To set up DMARC for your domain, you will need to create a TXT type DNS record in the zone file of the DNS server authoritative for your domain, under _dmarc.your-domain.com. The contents of the record should look something like this:

v=DMARC1; p=quarantine;

In the example above, the DMARC record states that any email which fails the DMARC check should be "quarantined". Other options are "p=reject" to reject emails, and "p=none" to only monitor the results and ignore DMARC verification failures. If you want to receive feedback on emails that fail the DMARC check, you can use the "rua" tag to ask the receiver to send aggregated general failure reports to a specified email address:

v=DMARC1; p=quarantine; rua=mailto:[email protected];

You may also request the receiver to send you a detailed forensic report for each email that failed the DMARC check by adding the "ruf" and "fo" tags to the record:

v=DMARC1; p=quarantine; fo=1; rua=mailto:[email protected]; ruf=mailto:[email protected];

To find out more about these tags or to see what else can be added to the DMARC record, please refer to section 6.3 of the official DMARC specification: https://datatracker.ietf.org/doc/html/rfc7489#section-6.3

Verifying the DMARC policy

Use the DMARC Policy Tester tool on our website to check if the published DMARC record is valid: https://vamsoft.com/support/tools/dmarc-policy-validator
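
A local syntax check you can run on the record text before publishing it, added here as an example; it is not the DMARC Policy Tester and not part of the original article. It covers only the v, p, fo, rua and ruf tags discussed above and accepts only mailto: report URIs; the example.com addresses are constructed placeholders.

```python
import re

# Allowed values from RFC 7489 section 6.3, for the tags this article uses.
POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}
# mailto: URI, optionally followed by a "!<size>" report-size limit.
MAILTO = re.compile(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", re.I)

def check_dmarc_record(txt):
    """Parse the text of a _dmarc TXT record; return (tags, problems)."""
    tags, problems = {}, []
    # Split on ';' and skip empty pieces such as the one after a trailing ';'.
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = (s.strip() for s in part.partition("="))
        name = name.lower()
        if not sep or not name or not value:
            problems.append(f"malformed tag: {part}")
        elif name in tags:
            problems.append(f"duplicate tag: {name}")
        else:
            tags[name] = value
    # The version tag must come first and its value is case-sensitive.
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        problems.append("record must start with v=DMARC1")
    if "p" not in tags:
        problems.append("missing required p= tag")
    elif tags["p"].lower() not in POLICIES:
        problems.append(f"invalid policy: p={tags['p']}")
    if "fo" in tags:
        for opt in tags["fo"].split(":"):
            if opt.strip().lower() not in FO_OPTIONS:
                problems.append(f"invalid fo option: {opt.strip()}")
        if "ruf" not in tags:
            problems.append("fo is ignored without a ruf tag")
    for name in ("rua", "ruf"):
        for uri in tags[name].split(",") if name in tags else []:
            if not MAILTO.fullmatch(uri.strip()):
                problems.append(f"{name}: not a mailto: URI: {uri.strip()}")
    return tags, problems

# Constructed sample records (example.com addresses are placeholders).
SAMPLES = [
    "v=DMARC1; p=quarantine; fo=1; rua=mailto:agg@example.com; ruf=mailto:fail@example.com;",
    "v=DMARC1; p=quarantine; fo=1; rua=mailto:agg@example.com; fo=1;",
    "p=reject; v=DMARC1",
]
if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", check_dmarc_record(record)[1] or "OK")
```

A record that passes this check is syntactically well-formed only; it says nothing about whether SPF or DKIM is actually set up for the domain.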

Conclusion

DMARC is an important security protocol that helps protect your business from online fraud. It's essential to set up DMARC for your domain and ensure that email messages are being authenticated correctly. By setting up DMARC, you can rest assured that your email communications are safe and secure.

Applies To

The article above is not specific to any ORF versions.
