Adding DMARC records

Looking to protect your domain against fraudulent email? Setting up a DMARC record will definitely work towards this!

The sections below will guide you through this:

  • What is DMARC?
  • How DMARC works
  • Publish DMARC for your domain
  • Roll out the DMARC policy in a phased manner

What is DMARC?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol. DMARC builds on the domain's SPF and DKIM records to protect the domain from fraudulent email and to monitor that protection. It also provides a reporting mechanism, so that receivers can tell senders how mail claiming to come from their domain is being handled.

Spammers often forge the "From" address to make it seem that an email was sent from your domain. To prevent this kind of abuse of your domain, and to let recipient domains know about your outgoing domain policies, you can publish a DMARC record.

How DMARC works

A DMARC policy lets the sender indicate that their emails are protected by SPF and/or DKIM, and tells the receiver what action to take should the SPF and DKIM checks fail.

If an email that uses your domain's address fails the DKIM and/or SPF test, the DMARC policy is triggered.

You need to configure the SPF Records and DKIM Keys for your domains before you publish the DMARC Policy.

If the SPF and DKIM checks fail, DMARC can tell the recipient to quarantine or reject the spoofed email. It also gives the recipient a way to report back to the sender about the emails that pass and/or fail the DMARC policy.

The DMARC policy is only effective for emails you send through your own domain. Emails sent on behalf of your domain through third-party services may appear unauthenticated and be rejected under the DMARC policy.

To authorize emails sent via third-party providers, you need to share the DKIM key with them so it can be included in the email headers, or the emails should be sent through SMTP servers that already have the authorized DKIM keys and SPF records published.

Publish DMARC for your domain

To publish the DMARC policy for your domain, create a TXT record in your domain control panel in the format below (replace yourdomain.com with your own domain name):

Host Name of the TXT record: _dmarc
TXT record value: v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

p=none is the basic policy and the recommended starting point. You can later change it to p=quarantine and then to p=reject. Reports from recipients are sent to the email address given in the rua tag of the TXT record.

Roll out the DMARC policy in a phased manner

It is recommended to roll out the DMARC policy in phases, as this lets you start receiving reports without risking emails from your domain being rejected or marked as spam by receiving servers.

To roll out in a phased manner, you change the parameter 'p' from none to quarantine and finally to reject. During Phase 2 (the Quarantine phase) and Phase 3 (the Reject phase), you can also use the optional parameter 'pct' to control the percentage of emails that are quarantined or rejected.

Phase 1: Monitor Reports and Traffic

Following the format mentioned above, set the policy to p=none in this phase.

Host Name of the TXT record: _dmarc
TXT record value: v=DMARC1; p=none; rua=mailto:admin@yourdomain.com

This sends reports of violations to the email address specified in the policy. You can review these reports to find out:

  • What servers or third-party senders are sending mail for your domain
  • What percent of messages from your domain pass DMARC
  • Which servers or services are sending messages that fail DMARC

Review the sources and, where they are legitimate, include their IP addresses in your SPF record or configure them with DKIM. Once the reports show that only spoofed emails are failing, you can change the policy to Quarantine.
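The three questions above are exactly what a DMARC aggregate report (the XML file sent to the rua address) answers. The following is an added example, not part of this article, that parses one such report and computes which sources send mail for the domain, what percentage passes DMARC, and which sources fail. The report is a constructed sample in the RFC 7489 aggregate-report layout, using documentation IP ranges and made-up counts.

```python
# Added example (not from the article): summarise a DMARC aggregate (rua)
# report. Only the standard library is used.
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 layout: three sending sources,
# one of which is a spoofer failing both aligned checks. Not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>constructed-sample-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Return per-source counts, the overall DMARC pass percentage and the failing sources."""
    root = ET.fromstring(xml_text)
    sources = {}
    total = passed = 0
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* DKIM and SPF results;
        # DMARC passes when either of them is "pass".
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"sent": 0, "passed": 0, "failed": 0})
        entry["sent"] += count
        entry["passed" if dmarc_pass else "failed"] += count
        total += count
        if dmarc_pass:
            passed += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "pass_percent": round(100 * passed / total, 1) if total else 0.0,
        "sources": sources,
        # Any source with failing messages deserves a look: either a legitimate
        # sender missing from SPF/DKIM, or a spoofer.
        "failing_sources": sorted(ip for ip, e in sources.items() if e["failed"]),
    }


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['domain']}: {summary['pass_percent']}% of {summary['total']} messages pass DMARC")
    for ip, e in summary["sources"].items():
        print(f"  {ip}: sent={e['sent']} passed={e['passed']} failed={e['failed']}")
    print("sources to investigate:", summary["failing_sources"])
```

In the sample, 198.51.100.7 fails DKIM but passes aligned SPF, so it still passes DMARC; only 203.0.113.99, which fails both, shows up as a source to investigate. Real reports arrive as gzipped or zipped attachments, so unpack them before feeding the XML to summarize_report.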

Phase 2: Quarantine Emails and Analyze

After monitoring DMARC reports for at least a week with no adverse results, update your policy to quarantine and add the pct tag to apply the policy to a small percentage of your mail.

Host Name of the TXT record: _dmarc
TXT record value: v=DMARC1; p=quarantine; pct=10; rua=mailto:admin@yourdomain.com

This sends reports of violations to the email address specified in the policy, and also sends failing emails to quarantine. In the above example, the policy is applied to only 10% of the messages received by mail servers.

The DMARC policy applies to all emails from your domain received by mail servers. If the record does not include the pct tag, the policy is applied to every one of them.

Messages that don't pass DMARC are delivered to the recipients' spam folder. Only a small percentage of messages is affected, and recipients can review the messages sent to spam. Every mail server that receives mail from your domain sends daily reports to admin@yourdomain.com.

You can monitor the quarantined emails, approve or reject them, and revisit your reports as you go.

In this way you can gradually increase the percentage of emails affected while reducing the risk of many emails being rejected or marked as spam.

Phase 3: Reject Spoofed emails

This is the last step in rolling out the DMARC policy for your domain. You can set the policy to p=reject in this phase.

Host Name of the TXT record: _dmarc
TXT record value: v=DMARC1; p=reject; rua=mailto:admin@yourdomain.com

When you are sure that most or all of your emails are passing authentication (SPF and DKIM), you can apply this stricter DMARC policy.

All emails that fail authentication will be rejected. You can keep track of such emails via the reports sent to the email address mentioned in the TXT record.
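As an added example that is not part of this article, the following Python script builds the TXT value for each of the three phases described above (Phase 1 p=none, Phase 2 p=quarantine with pct, Phase 3 p=reject) and checks a record before it is published: that it starts with v=DMARC1, that p is one of none, quarantine or reject, that pct is an integer from 0 to 100, and that rua points at a mailto: address. It also shows what a typo such as a dropped semicolon between p and pct looks like to a validator (that malformed record is constructed here). The tag names are those defined in RFC 7489; admin@yourdomain.com is the article's placeholder mailbox.

```python
# Added example (not from the article): build and sanity-check DMARC TXT
# values for the phased rollout. Standard library only.
from typing import Optional

POLICIES = {"none", "quarantine", "reject"}
# Tags defined by RFC 7489; anything else is reported as unknown.
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, preserving tag order.

    A part without '=' raises ValueError. A value that swallowed the next tag
    (the dropped-semicolon mistake) parses without error here and is caught
    by validate_dmarc, because the policy value is then not a valid policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag, no '=': {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    return tags


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record looks publishable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # v must be the first tag and must be DMARC1.
    if next(iter(tags), None) != "v" or tags.get("v", "").upper() != "DMARC1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing p= policy tag")
    elif policy.lower() not in POLICIES:
        problems.append(f"p must be none, quarantine or reject, got {policy!r}")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        problems.append(f"sp must be none, quarantine or reject, got {tags['sp']!r}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct must be an integer from 0 to 100, got {tags['pct']!r}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",") if u.strip()):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"{tag} entry is not a mailto: address: {uri!r}")
    for name in tags:
        if name not in KNOWN_TAGS:
            problems.append(f"unknown tag {name!r} (receivers ignore it; check for a typo)")
    return problems


def build_dmarc(policy: str, report_address: str, pct: Optional[int] = None) -> str:
    """Assemble the TXT value for one rollout phase."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if pct is not None and not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    parts = ["v=DMARC1", f"p={policy}"]
    if pct is not None:
        parts.append(f"pct={pct}")
    parts.append(f"rua=mailto:{report_address}")
    return "; ".join(parts)


if __name__ == "__main__":
    phases = [("none", None), ("quarantine", 10), ("reject", None)]
    for number, (policy, pct) in enumerate(phases, 1):
        record = build_dmarc(policy, "admin@yourdomain.com", pct)
        print(f"Phase {number}: {record}   problems={validate_dmarc(record)}")
    # Constructed malformed record: the ';' between p and pct was dropped, so
    # the policy value becomes 'quarantinepct=10' and receivers cannot apply it.
    print(validate_dmarc("v=DMARC1; p=quarantinepct=10; rua=mailto:admin@yourdomain.com"))
```

Run validate_dmarc on the exact string you are about to paste into the control panel; a record that a receiver cannot parse is treated as if no DMARC policy existed, which silently leaves the domain unprotected.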

That's it! Your domain should be protected efficiently from fraudulent emails by following the above steps. Feel free to write to us at support@onlydomains.com for any assistance with the above.
