What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy and reporting protocol that allows organizations to protect their domain against unauthorized use — including spoofing and phishing. Before you can qualify for a VMC, you must first ensure your organization is compliant with DMARC.
This process can take weeks or months, depending on the size of your organization (bigger = longer). So it’s best to get started right away.
This blog is a surface-level guide to give you some insight into the basic process. For a more in-depth, step-by-step tutorial, we invite you to download our comprehensive DMARC and BIMI guide.
What you'll need
Before you get started, make sure you have:
The first step to becoming DMARC compliant is to set up Sender Policy Framework (also known as SPF, despite smelling nothing like cocoa butter and/or coconut). This will prevent unauthorized IP addresses from sending emails from your domain.
But first, make a list of all the authorized IP addresses you can find that currently send mail from your domain.
Don’t worry if you can’t find every IP address yet. DMARC monitoring (step 4) will take care of that for you. But it is good to save yourself some time by gathering as many as you can at this point.
Step 2: Create an SPF record for your domain(s)
Next, open your handy text editor and create an SPF record for each domain.
Example 1: v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 ip4:x.x.x.x -all
Example 2: v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 include:thirdparty.com -all
Once you’re done, save the file and publish it to your DNS.
Use an SPF tool (like this one from our partner, Valimail) to make sure everything was entered correctly.
Step 3: Set up DKIM
DKIM is an email authentication standard that uses public/private key cryptography to sign email messages. It prevents messages from being tampered with in transit.
1. First, choose a DKIM selector.
Example: “standard._domain.example.com” = host name
2. Next, generate a public-private key pair for your domain.
Windows: Use PUTTYGen
Linux/Mac: Use ssh-keygen
3. Create and publish a new .TXT record through your DNS management console.
It should look like this: v=DKIM1; p=YourPublicKeyStep 4: Monitor. Communicate. Repeat
Now comes the most important step. It also happens to be the most time consuming. Now you’ll have to set up DMARC to begin monitoring your current email traffic to give you a solid baseline for what’s approved (and what will eventually be quarantined or rejected by DMARC).
NOTE: While it may be tempting to skip directly to enforcement, taking the time to monitor now will prevent important messages from getting lost or permanently deleted once DMARC is fully enabled.
Here’s how to start monitoring your traffic through DMARC:
1. Ensure you’ve correctly set up SPF and DKIM.
2. Create a DNS record.
The “txt” DMARC record should be named similar to “_dmarc.your_domain.com.”
Example: "v=DMARC1;p=none; rua=mailto:dmarcreports@your_domain.com"
If you manage the DNS for your domain, create a “p=none” (monitoring mode) DMARC record in the same manner as the SPF and DKIM records.
If you don’t manage the DNS, ask your DNS provider to create the DMARC record for you.
3. Test your DMARC record through a DMARC check tool.
Note: You usually have to wait 24-48 hours for replication
DMARC will now begin generating reports that will give you a lot of visibility into the mail being sent through your domain, including any messages flagged by SPF and DKIM.
Important: This is where you’ll find out if any legitimate senders appear in the report who weren’t previously included in your SPF record (step 1). If there are, make sure to update your record accordingly.
The problem? These reports come in a not-so-easy-to-read XML file. And since you’ll be spending quite a bit of time going over the data, we highly recommend using a DMARC report processor (like this one from Valimail) to make it all a lot easier to parse.
Step 5: Socialize, then start stepping up enforcement
After you’ve monitored your mail for enough time that you believe you’ve identified any legitimate messages that are being flagged as unauthorized, it’s time to start stepping up enforcement.
DMARC has two enforcement levels: “quarantine” and “reject.” “Reject” is obviously much more secure, and therefore our ultimate recommendation, but either level will qualify your domain for a VMC.
Before jumping straight to reject, however, the safest bet is to spend some time in quarantine. Here’s how:
1. Log in to your DNS server and search for the DMARC record.
2. Open the DMARC record for the specified domain and update the policy from “p=none” to “p=quarantine”
3. Add the flag “pct” (% of messages subject to filtering). We suggest starting with 10% and slowing increasing the percentage until you’re at a full 100%.
Once you’re at 100% filtering, you’re officially VMC-qualified and ready to start rejecting.
Thankfully, this is the easiest step:
1. Open your DMARC record and change “p=quarantine” to “p=reject”
Congratulations! You’ve officially gained a lot of visibility into the messages being sent from your domain, increased security for every user, insulated yourself against a large number of phishing attacks and qualified your organization for a VMC certificate (once they become available).
For more information on securing your organization's email access, check out our blog on secure remote email access.