Setting up DMARC
DMARC is the latest standard for enforcing domain authentication, which is critical in ensuring email security. While previous standards focused on communicating authenticity to the receiving email system, DMARC provides the email administrator control over defining what their policies are and also receiving reports on any quarantine actions being taken by 3rd parties relating to their domain.
This last point is extremely useful in improving email deliverability, especially in this era of integrated third party systems. If a new system has not been fully configured within your domain authentication policies it may result in emails being quarantined by external email systems. Before DMARC, the email administrator would have no visibility of this and could only rely on a third party reporting it to them personally.
Mailsphere recommends that a two stage implementation is performed. The first phase will request reports are sent back for any emails failing your desired authentication policy. This will help identify any false positives that you may not have been previously aware of.
After a few weeks of running this configuration, the DMARC policy will be tightened to control actions for emails that fall outside of the policy.
The following provides some sample DMARC records that can easily be adapted for use in your DNS records.
Phase 1 - Report Only Configuration
Access your DNS records and add a new TXT record. In this example we will set the DMARC record to instruct the receiving email system to not act on the SPF or DKIM record but send a report when a email is processed that does not meet either.
Make sure that a legitimate email address is used in replace of the example domains@your_domain.com.
v=DMARC1; p=none; rua=mailto:domains@your_dmain.com; ruf=mailto:domains@your_dmain.com; fo=1; adkim=r; aspf=r
Phase 2 - Quarantine Configuration
Once the email administrator is satisfied that all legitimate email is being received by external email systems successfully and that only illegitimate email appears in the reports, then the DMARC record can be updated to enforce a more strict control on the policy.
It will depend on the configuration of your email and the third parties that are in use. If you can only guarantee SPF policies across all the systems that are being used then the following record can be used:
v=DMARC1; p=quarantine; rua=mailto:domains@your_domain.com; ruf=mailto:domains@your_domain.com; fo=1; adkim=r; aspf=s; sp=quarantine
The addition at the end of this record instructs the receiving email system to quarantine all emails that are not conforming to the SPF record.