DMARC is one of the key methods for protecting your emails from spoofing. Yet, only half of Fortune 500 companies have implemented it so far. Is it because the setup is difficult? Absolutely not. Setting up DMARC is really easy and won’t take more than 15 minutes. Learn how to do it with our guide.
DMARC, DKIM, and SPF – The Basics
We’ve covered extensively various authentication methods on our blog. Let’s quickly revamp the most important details about each.
SPF (Sender Policy Framework) is used to let the receiving servers know which IP addresses are allowed to send emails on your behalf. When an email is received, a quick verification is run. If an unrecognized IP was used, an email is likely to be discarded. Read a lot more about it in our SPF article.
DKIM (Domain Keys Identified Email), on the other hand, is a digital signature that’s attached to outgoing emails. It features the headers and/or body of a message, encrypted with an individual key. The receiving server can then recreate these values and quickly detect if anything was changed en route. If that was the case, a message is also likely to never arrive in the receiver’s inbox. We have it covered too in our DKIM article. Here’s how to set one up.
Finally, DMARC (Domain-based Message Authentication Reporting and Conformance) works on top of the two other methods (at least one of them needs to be set up for DMARC to work). On top of DKIM/SPF, DMARC will perform an alignment test to add another layer of security. Finally, it will instruct a receiving server on what to do if either of the checks fail. More about this below, but if you’re anxious to learn a lot more about this technology, we recommend our ‘What is DMARC’ article as a good source of knowledge.
How to Implement DMARC Records
Once you know the structure of DMARC, setting it up is as easy as adding several lines of text to your DNS Records. If you, however, want to make sure it really works from the get-go, we suggest running a few additional checks. Otherwise, you may accidentally instruct the servers to get rid of your perfectly legitimate emails.
The whole process comes down to the following steps:
- Validating if SPF/DKIM are set up and domains aligned
- Generating a DMARC record and specifying its settings
- Adding it to your domain’s DNS
Let’s talk about each of these steps in more detail.
Verify if DKIM and/or SPF are set up properly
As mentioned earlier, having either of them is compulsory for DMARC to work. But having one that returns negative results for legitimate emails will also do no good. The DMARC test will fail automatically if SPF or DKIM fails.
In the respective articles mentioned above, we’ve mentioned various tools for validating either method. Check them out before you proceed further.
Check domain alignment
DMARC forces receive servers to perform a domain alignment test on top of the traditional SPF/DKIM validations. That’s why it’s imperative to have everything in place to avoid unpleasant surprises.
If you have only SPF set up (don’t forget to avoid multiple SPF records), check if the following two match:
- ‘Envelope from’ address – the address emails are sent from
- ‘Return-path’ address – the address emails will be directed to if a recipient responds to an email
If you rely only on DKIM, check if the following two match:
- ‘Envelope from’ address – the address emails are sent from
- ‘d’ tag of your DKIM record
If you use both methods (and rightly so!), perform both checks, of course.
Ideally, all the domains or subdomains should precisely match. In a DMARC record, you’ll be able to choose a more relaxed method, aptly named ‘relaxed.’ This way, emails sent from e.g. mailtrap.io would be aligned with those sent from mailtrap.io/blog (or any other mailtrap.io subdomain).
Choose an email account for receiving DKIM records
A great thing about DMARC is that, when set up, your server starts sending you daily reports of how your emails performed (separate aggregate and forensic reports). This way, you can quickly spot any abnormalities and improve your performance with the use of data. It is pretty handy especially if you set up DMARC for the first time and want to know if you did it right.
You can pick virtually any email address here. It may even be better to use a different one than the “return-path,” as your inbox is likely to become flooded with these reports.
Keep in mind that reports are sent in a raw, hard to read format. You may want to use tools like Dmarcian or MXToolbox to get the most out of the data.
Choose how to treat emails that fail a DMARC check
DMARC gives you the power to influence how your emails are treated if they fail a check. There are three possible scenarios:
- Reject – emails are discarded and won’t be delivered (hard bounce)
- Quarantine – emails will be sent to a spam folder, likely never to be retrieved by the recipient
- None – even if a check fails, nothing will be done
The ‘none’ option isn’t as useless as it might sound at first. Although it won’t prevent you from spoofing if other methods fail, it’s great in the first days of using DMARC. You can set it up and have your emails delivered as usual, but at the same time keep receiving reports on DMARC performance. When you’re confident that legitimate emails go through, you can change the DMARC settings to different ones.
Please be aware that the rules you pick here are only suggestions sent to receiving servers and by no means do they guarantee the desired action will be taken. If DMARC fails, emails can still be delivered even if you ordered them to land in spam. Also, the other way around.
You’ll be able to add your pick in the next step.
Generate DMARC record
There are several tags you need to use in a record and a number of optional ones. Once again, refer to the DMARC article we mentioned earlier for the details. Note that the ‘p’ tag (as in ‘policy’) will be a direct representation of the previous step.
An example of the DMARC record will look as follows:
v=DMARC1; p=reject; rua=mailto:firstname.lastname@example.org,mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1;
This rule indicates that emails that fail a DMARC check should be rejected. Aggregate reports should be sent to me and my colleague Ann while Steve from another team should handle forensics reports.
Add DMARC record to your domain’s DNS
Once you have your record, you can go ahead and add it as a DNS Record. You may be able to do it on your own or, in some cases, with the help of your hosting provider.
In the domain registrar, you need to add the newly-created DMARC as a TXT record. We won’t go through any details here as the process differs for each provider. If you did everything correctly, though, you should receive your first reports within the next 24 hours.
As you can see, the process of adding a DMARC record is far from difficult. We hope you found it useful but always welcome any feedback – let us know your thoughts at email@example.com.
Before you send any large volume of emails, be sure to check out Mailtrap. It’s a tool for testing emails before they’re sent to real users. You can preview them, get tips on how to improve them, and monitor if the right emails are sent to the right people. You can try Mailtrap for free.