DMARC – Let’s Get Started

What is DMARC? It stands for Domain-based Message Authentication, Reporting and Conformance. It is an open protocol for authenticating emails. It can help prevent phishing emails from being delivered to the targeted victims’ inboxes.

There are two important aspects of DMARC. The first is something email administrators can do immediately. Go into your email filter and enable DMARC enforcement. You’ll do this by enabling SPF checking and DKIM checking. You will not want to block strictly due to SPF or DKIM failure; that would lead to a lot of false positives. Instead, enable checking for these authentication mechanisms but don’t enforce them on their own. Then go to DMARC and enforce it. By doing this, you’re telling your email system to filter emails based on the sender’s published DMARC policy. If a sender does not have a DMARC record, or their record specifies a “none” policy, DMARC won’t block any of their emails. However, if a sender has a DMARC “quarantine” or “reject” policy, you’ll quarantine or reject emails that don’t pass SPF and DKIM. Remember, as long as one of them passes, DMARC will pass. The overwhelming majority of sending domains that publish a “reject” or “quarantine” DMARC policy are confident they have it set up correctly and are asking you, the email recipient, not to accept emails that fail this authentication.
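To make the gateway logic above concrete, here is an added example (not code from the original post) of how a receiving server turns a sender’s published DMARC record plus its SPF and DKIM results into a disposition. It also shows the detail that trips people up in practice: a passing SPF or DKIM result only counts for DMARC when the domain it was evaluated against is aligned with the visible From: domain, which is why mail relayed through a third-party bulk mailer can pass SPF and still fail DMARC. The record strings, domains and `AuthResult` inputs are constructed; the organizational-domain check is a simplification (last two labels) where real implementations consult the Public Suffix List, and the `pct` and `sp` tags are not modeled.

```python
"""Constructed DMARC disposition check for a receiving gateway.

Assumes the sender's _dmarc TXT record has already been fetched from DNS
and that SPF/DKIM have already been evaluated by the filter.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dict.

    Returns {} when the text is not a usable DMARC record (wrong version
    or missing the mandatory p= tag), which the caller treats as "no policy".
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels.

    Assumption for this example only; production code uses the Public
    Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none


def dmarc_disposition(from_domain: str, record_txt: str, auth: AuthResult) -> str:
    """Return 'pass', or the sender's requested action on failure:
    'none', 'quarantine' or 'reject'. No/invalid record also yields 'none'."""
    tags = parse_dmarc_record(record_txt)
    if not tags:
        return "none"          # nothing published, nothing to enforce
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:      # one aligned pass is enough
        return "pass"
    policy = tags["p"].lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    # Constructed sample: a bulk mailer sends on the domain's behalf with its
    # own MAIL FROM domain and no DKIM signature for the From: domain.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@youremaildomain.com"
    relayed = AuthResult(True, "bulk-mailer.example", False, "")
    print(dmarc_disposition("youremaildomain.com", record, relayed))  # reject
```

The same inputs with `p=none` produce `none`, which is exactly the behaviour the post relies on: a domain still in monitoring mode never loses mail at your gateway, while a domain that has published `reject` gets the enforcement it asked for.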

This step is simple and vital. PLEASE! Please enforce DMARC on your email gateway. Keep many of the fraudsters out of your users’ mailboxes!

The second aspect of DMARC is to protect your own domain from having emails sent to your customers that appear to come from you but are actually sent from scammers. There’s definitely more to protecting your own domain than just enforcing it on your gateway, but please start the process. There is one very important step to start this process. It is this:

Set up a DNS TXT record for your domain with the name _dmarc.youremaildomain.com. Include an email address that will accept the aggregate reports and the forensic examples. Set the policy to “none”. Once this is done, you can take your time and work through the process. The “none” policy tells recipient servers not to enforce DMARC for your email domain as they normally would, so email deliverability won’t be affected unless and until you change this to a “quarantine” or “reject” policy. Take the aggregate and forensic reports sent by recipient email servers and begin the process of ensuring that all emails sent on behalf of your domain are authenticated by at least one, but preferably both, of the authentication mechanisms: SPF and DKIM. Once no legitimate emails sent on behalf of your domain are failing DMARC any more, move to a “quarantine” or, preferably, a “reject” policy.

I’ll give more in-depth steps on how to accomplish this some time in the future but for now, let’s get the process started! I would sincerely appreciate it if you do!

–Matt
