We'll explain how to configure DMARC for your company's email, including what you'll need and how to add DMARC to your DNS. Just follow these DMARC setup steps!
Before we begin, here’s a high-level overview of how to add DMARC to your DNS.
- Add your DMARC record into your DNS
- Select the TXT record type
- Add the host value (see details below)
- Add the value information (see details below)
- Save the DMARC record
- Validate the DMARC setup (see details below)
For more details, read on. Or skip to the step-by-step instructions.
Thanks to its sheer ubiquity and undeniable usefulness, email has never been more important. But it has also never been secure, thanks to one critical flaw: Anyone can send email using someone else's identity. And that single fact has made email a $700 million-a-month bonanza for cybercriminals who spoof corporate email accounts to impersonate top executives and trusted brands in phishing scams targeting employees, customers, and the general public.
These aren't just one-off attacks anymore, either. We've reported extensively on the increasingly sophisticated ways imposters are posing as suppliers to defraud entire corporate supply chains. Today, email impersonations account for more than half of all Internet-related business losses, and are implicated in 67% of all data breaches.
But the damage done from these attacks extends far beyond their immediate victims. Get impersonated, and your company can face lost business, lawsuits, and steep regulatory fines. What's more, negative news stories and social media tirades over crimes committed in your brand's good name can render your legitimate, revenue-generating emails all kinds of toxic, if they aren't blacklisted all together.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps organizations prevent all this from happening. Here's how.
First introduced in 2012 by a consortium of industry leaders, DMARC is an open standard authentication protocol that works with SPF and DKIM to prevent the fraudulent use of legitimate brands in email attacks. More than 2.5 billion mailboxes are DMARC-enabled worldwide.
At its most essential, DMARC enables email receiver systems to recognize when an email isn't coming from a specific brand's approved senders, and gives the brand the ability to tell receivers systems what to do with these unauthorized emails.
With DMARC in place, you can:
- Authenticate all legitimate email messages and sources for your email-sending domains, including those from your own infrastructure, as well as those sent by business units and third-party email partners
- Instruct email providers what to do with unauthenticated email messages by establishing a DMARC enforcement policy
- Gain visibility into the legitimate and fraudulent uses of your domains, so you can work with takedown venders to stop cybercriminals from hijacking your brand in email scams
What is a DMARC Enforcement Policy?
When you set a DMARC enforcement policy for your organization, you are instructing email receiving systems what to do when email purporting to come from your approved domains fails authentication. These policies include:
- p=none: Email is delivered to its intended recipient without restriction
- p=quarantine: Email that fails authentication is sent to the intended recipient's junk folder
- p=reject: Email that fails authentication gets deleted and never reaches its intended recipient
The Mechanics of DMARC
DMARC uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace, which is created by prepending "_dmarc" to the email domain.
For example, if the email domain "example.com" publishes a DMARC record, issuing a DNS query for the TXT record at "_dmarc.example.com," will retrieve the DMARC record.
Email receiver systems use the policies published to inform how they process emails purporting to come from the sender's email domain.
DMARC Setup Steps for Your DNS
You should have SPF and DKIM deployed and authenticating messages for at least 48 hours before setting up DMARC. Then, you can follow these DMARC setup steps to add DMARC to your DNS.
Step 1: Create a DMARC Record
- Use Agari's DMARC Setup Tool to easily create the required TXT record. It should look something like this example:V=DMARC1; p=none; rua=mailto:[email protected]
This example record instructs receiver systems to generate and send aggregate feedback to "[email protected]" your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use a p=quarantine, or p=reject tags for emails that fail authentication.
Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record
- Log into the management console of your DNS hosting provider, and while this can vary by provider, you want to locate the page that allows you to add a DNS TXT record
Step 3: In the Type box, select TXT Record Type
Step 4: In the Host Value box, enter _dmarc as the "host"
Step 5: In the TXT Value box, enter the record you created using the DMARC Record Creator
Step 6: Save the DMARC record
Step 7: Validate the DMARC setup
- Use Agari's DMARC Setup Tool to verify that DMARC has been set up correctly
Taking DMARC to Scale
Setting up DMARC in DNS only takes a few minutes. But to be effective against brand impersonation, DMARC must be set to its highest enforcement level, p=reject. And while this is relatively straightforward when you're talking about a single domain, it can be complicated and time consuming for organizations with thousands of domains spanning dozens of email senders and outside email distribution partners.
However, when deployed using automated DMARC implementation solutions such as Agari DMARC Protection, large organizations have been able to rapidly drive phishing-based brand impersonations to near zero. Not only does this preserve brand reputation and the efficacy of revenue generating email programs, it also protects employees, customers, partners and the general public from costly email scams.
For more information on DMARC adoption and its benefits, download Getting Started with DMARC.