What is DMARC, why it's important and how to implement it? How to implement SPF and DMARC for sending and non-sending domains?
WHAT IS IT & WHY IT’S IMPORTANT
What is an email spoofing policy (DMARC)?
DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”. It’s an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cybercrimes.
DMARC builds on SPF by stating a clear policy that receivers should apply to messages which fail authentication, and it lets you set an email address to which statistics reports about a specific domain are sent. Both methods use DNS (Domain Name System). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
You can find out a bit more about this on our blog here:
https://www.kynd.io/it-wouldnt-happen-to-us-famous-last-words/
WHAT TO DO & HOW
How to configure SPF and DMARC for a SENDING domain?
Start by creating a statement, known as a Sender Policy Framework (SPF) record, specifying all the infrastructure that sends emails on your behalf.
Alongside the SPF record, publish a policy known as Domain-based Message Authentication, Reporting and Conformance (DMARC).
Begin by using your DMARC to monitor emails being sent on your behalf. If you get to this point, well done! You're now aware of any spoofing attempts that are being made on your organisation's email addresses.
Based on these reports, over time you'll be able to progress your DMARC policy step by step: first to warn recipients about illegitimate emails, and then to stop those emails from being received at all. Many organisations are still on this journey of understanding and monitoring their emails with minimal settings, which is why they are currently spoofable. They will be aware of any attempts to spoof them, and in time will be able to refine their settings to become more and more resilient.
It is recommended that a DMARC policy is implemented gradually and with a phased approach:
Phase 1: Implement a DMARC policy of 'none'
Phase 2: Move to a DMARC policy of 'quarantine'
Phase 3: Move to a DMARC policy of 'reject'
In Phase 1, you would publish a TXT DNS record at _dmarc.example.com. It should look something like this:
v=DMARC1; p=none; rua=mailto:user@example.com
The p=none part of the above record means that none of your outbound emails will be affected in this phase. The rua part specifies an email address that will receive aggregate reports for all of your outbound emails, including whether they passed or failed the SPF authentication check. For the rua address you would probably want to use a generic email inbox (e.g. emails@example.com or dmarc@example.com).
Phase 1 is essentially a monitoring phase: none of your outbound emails will be affected, but you will be collecting reports on all emails sent under your domain, both legitimate internal and marketing email and email from sources which are spoofing your domain.
Also, further useful guidance can be found in this guide from the UK's National Cyber Security Centre:
https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing/implement-a-dmarc-policy-of-none
How to configure SPF and DMARC for a NON-SENDING domain?
New domains registered to your organisation can be a key target for cyber criminals, who can use them to send spoof emails or as opportunities for other attacks.
When registering additional domains which aren't used for email, paste this SPF as a TXT DNS record on each domain:
v=spf1 -all
And paste this DMARC as a TXT DNS record at _dmarc.example.com (substituting each domain's own name) for every such domain, with the tags separated by semicolons:
v=DMARC1; p=reject; rua=mailto:user@example.com
Also, further useful guidance can be found in this guide from the UK's National Cyber Security Centre:
https://www.ncsc.gov.uk/blog-post/protecting-parked-domains
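The following Python is an added example, not code from this article or from any KYND tool. It parses SPF and DMARC TXT records in the shapes shown above, reports which rollout phase (none, quarantine, reject) a sending domain is in, and checks that a parked domain publishes both "v=spf1 -all" and a reject policy. The records it inspects are constructed samples embedded inline (the domain names parked.example and broken.example are placeholders), so it runs offline; in practice you would fetch the TXT records from DNS first. The broken.example record deliberately omits the semicolons between tags to show why a receiver cannot interpret it.

```python
"""Audit SPF and DMARC TXT records for sending and non-sending (parked) domains.

Added example with constructed sample records; nothing here queries real DNS.
"""

# Constructed sample records, keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "parked.example": "v=spf1 -all",
    "_dmarc.parked.example": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # Deliberately malformed: tags separated by spaces instead of semicolons.
    "_dmarc.broken.example": "v=DMARC1 p=reject rua=mailto:dmarc@example.com",
}

# Rollout phases described in the article: none -> quarantine -> reject.
DMARC_PHASES = {"none": 1, "quarantine": 2, "reject": 3}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs.

    Tags must be separated by semicolons and the record must begin with
    v=DMARC1 and carry a valid p= policy. Anything else raises ValueError.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag (missing '='): {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    # A record without semicolons collapses into one oversized v= value,
    # so this check is what catches the broken.example sample.
    if tags.get("v") != "DMARC1":
        raise ValueError(f"record does not start with v=DMARC1: {record!r}")
    if tags.get("p") not in DMARC_PHASES:
        raise ValueError(f"missing or invalid p= tag: {record!r}")
    return tags


def dmarc_phase(record):
    """Return the rollout phase number (1 = none, 2 = quarantine, 3 = reject)."""
    return DMARC_PHASES[parse_dmarc(record)["p"]]


def has_aggregate_reporting(record):
    """True if the record names at least one mailto: aggregate-report (rua) address."""
    rua = parse_dmarc(record).get("rua", "")
    uris = [u.strip() for u in rua.split(",") if u.strip()]
    return any(u.startswith("mailto:") for u in uris)


def spf_mechanisms(record):
    """Return the SPF mechanisms that follow the version tag, e.g. ['-all']."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    return parts[1:]


def is_parked_domain_locked_down(spf_record, dmarc_record):
    """A non-sending domain should authorise no senders at all ('v=spf1 -all')
    and publish p=reject, so mail claiming to come from it is refused."""
    return spf_mechanisms(spf_record) == ["-all"] and dmarc_phase(dmarc_record) == 3


def audit(records):
    """Summarise each domain's SPF/DMARC posture from a {dns_name: txt} mapping."""
    report = {}
    for name, txt in records.items():
        if name.startswith("_dmarc."):
            domain = name[len("_dmarc."):]
            entry = report.setdefault(domain, {})
            try:
                entry["dmarc_phase"] = dmarc_phase(txt)
                entry["reports"] = has_aggregate_reporting(txt)
            except ValueError as exc:
                entry["dmarc_error"] = str(exc)
        else:
            report.setdefault(name, {})["spf"] = spf_mechanisms(txt)
    return report


if __name__ == "__main__":
    for domain, summary in audit(SAMPLE_RECORDS).items():
        print(domain, summary)
```

Running the script lists example.com at phase 1 with reporting enabled, parked.example at phase 3 with only "-all" in its SPF, and a parse error for broken.example. The same functions can be pointed at records fetched from DNS (for instance with a resolver library's TXT lookup) to confirm that a record you have just published reads back the way you intended.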