
Adding A DMARC Policy to Your Emails

DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email authentication, policy, and reporting protocol. It’s designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing.

The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.

Here’s an overview of its key components:

  1. Email Authentication Methods: DMARC relies on two established email authentication techniques, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
    • SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
    • DKIM adds a digital signature, created with a cryptographic key, that lets receivers verify that an email message was not forged or altered.
  2. Alignment: DMARC checks that the domain in the “From” address aligns with the domains validated by SPF and/or DKIM. This alignment helps ensure that the sender is authorized to send email on behalf of the domain.
  3. Policy Enforcement: DMARC allows domain owners to specify how email receivers should treat emails that don’t pass DMARC checks. There are three possible policies:
    • none: Treat the mail the same as it would be without any DMARC validation.
    • quarantine: Place the email in the spam/junk folder.
    • reject: Block the email from delivery altogether.
  4. Reporting: One of the key features of DMARC is the reporting mechanism. Domain owners can receive reports on the number of messages seen using their domain, how many passed/failed the DMARC checks, and what action was taken by the receiving mail servers. These reports are crucial for understanding the domain’s email ecosystem and identifying potential authentication issues or malicious activities.
  5. Benefits: Implementing DMARC helps to:
    • Increase deliverability of legitimate emails.
    • Gain visibility into how the domain’s email is being used and abused.
    • Protect the domain’s reputation and trust among users by reducing the risk of phishing attacks.
    • Comply with various regulatory requirements for email security.

DMARC is a powerful tool in the fight against email spoofing and phishing, but it requires careful setup and ongoing management. Its effectiveness is significantly increased when used in conjunction with SPF and DKIM. For businesses and organizations, DMARC can be a critical component of a comprehensive email security strategy.

Because it relies on either SPF Records or DKIM Signing (or both), it’s recommended to set up those security features first.

  1. Here’s how to set up SPF Records for your domain sending through Author.Email
  2. Here’s how to set up DKIM Signing for your domain sending through Author.Email

To watch a video with Nick Thacker, founder of Author.Email, walking through all of this, just click here!

Once you’ve set those up, we recommend reviewing the options you have available to you regarding DMARC setup. Each of these “tags” is available to you, and can be assigned to your domain as a TXT record in your domain’s DNS settings:

DMARC Protocol Version: The standard setting is “DMARC1”, which signifies the version of the DMARC protocol in use.

Policy (p): This directive determines the action to be taken on emails that do not pass the DMARC evaluation. Options include ‘none’, ‘quarantine’, or ‘reject’. The ‘none’ option is primarily used for accumulating DMARC reports, providing insights into the performance and status of current email flows.

Aggregate Report URIs (rua): This is where you specify URIs for email service providers to send cumulative reports. It’s important to note that these are URIs, not email addresses. The typical format for these URIs is ‘mailto:test@example.com’, as required by DMARC.

Forensic Report URIs (ruf): Similar to ‘rua’, this is where Internet Service Providers (ISPs) are directed to send detailed forensic reports. Again, these should be in the URI format, such as ‘mailto:test@example.org’, not mere email addresses.

Subdomain Policy (sp): This tag allows domain owners to set a policy for emails from subdomains that fail the DMARC check. It acts like a ‘wildcard’ policy applicable to all subdomains.

Forensic Options (fo): These options dictate the conditions under which forensic reports are generated. The choices include ‘0’ (reports are generated only if both DKIM and SPF fail), ‘1’ (reports are generated if either DKIM or SPF fails), ‘d’ (for DKIM failure), and ‘s’ (for SPF failure).

Report Format (rf): This defines the format for forensic reports.

Percentage (pct): This tag specifies the proportion of failing emails to which the DMARC policy should be applied. For instance, ‘pct=50’ means the policy will be enforced on 50% of the emails that fail DMARC checks. Note that this does not apply to the ‘none’ policy, only to ‘quarantine’ or ‘reject’.

DKIM Alignment Mode (adkim): This setting dictates the alignment requirements for DKIM signatures. The ‘r’ (Relaxed) mode allows for DKIM-signed domains sharing an Organizational Domain with the email’s From domain to pass the DMARC check. The ‘s’ (Strict) mode requires an exact match.

SPF Alignment Mode (aspf): Similar to ‘adkim’, this sets the alignment requirements for SPF. The ‘r’ (Relaxed) mode passes SPF authenticated domains that share an Organizational Domain with the email’s From domain, while ‘s’ (Strict) demands an exact match.

Reporting Interval (ri): This indicates the preferred frequency for receiving aggregate XML reports. While the preference might be set by the domain owner, ISPs may deliver these reports at different intervals, typically on a daily basis.
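The tag rules above can be checked mechanically before a record is published. The linter below is an added example, not code from Author.Email or DMARCLY; the function names and the two sample records are constructed for illustration.

```python
# Added example: lint a DMARC TXT record value against the tag rules above.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered dict with lower-cased tag names."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(record):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only collects reports; failing mail is not filtered")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        findings.append("sp must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} entry {uri!r} is not a mailto: URI")
    pct = tags.get("pct", "100")
    if not (pct.isdecimal() and int(pct) <= 100):
        findings.append("pct must be a whole number from 0 to 100")
    elif policy == "none" and "pct" in tags:
        findings.append("pct has no effect while p=none")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() not in ("r", "s"):
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    for opt in filter(None, tags.get("fo", "0").split(":")):
        if opt.strip().lower() not in ("0", "1", "d", "s"):
            findings.append(f"fo option {opt!r} is not one of 0, 1, d, s")
    return findings

# Constructed sample records; example.com is a placeholder domain.
GOOD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:test@example.com; pct=50; adkim=s; fo=1"
BAD = "v=DMARC1; p=none; rua=test@example.com; pct=150; adkim=x"
```

Calling `lint_dmarc(BAD)` flags the report-only policy, the bare address in ‘rua’, the out-of-range ‘pct’ and the invalid ‘adkim’ value, while `lint_dmarc(GOOD)` returns an empty list.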

If you would like to set up and configure your DMARC record for your domain, we recommend using DMARCLY’s free DMARC record generator.
