Federal agencies that send and receive email using .gov domains must use DMARC for email security to meet the Department of Homeland Security’s Binding Operational Directive (BOD) 18-01. This Getting Started with DMARC: A Guide for Federal Agencies ebook gives you an overview that includes:

  • What DMARC is, how it works, and why federal agencies need to implement it;
  • The benefits of DMARC for your agency and its stakeholders; and
  • A step-by-step approach to correct DMARC implementation.

The Process
Putting DMARC Into Practice

Domain owners that wish to become DMARC-compliant need to perform 3 activities:

1. Publish a DMARC record. To begin collecting feedback from receivers, publish a DMARC record as a TXT record with a domain name of “_dmarc.”:

“v=DMARC1; p=none; rua=mailto:dmarc-feedback@;

Doing so will cause DMARC-compliant receivers to generate and send aggregate feedback to “dmarc-feedback@”. The “p=none” tag lets receivers know that the domain owner is only interested in collecting feedback. Use the DMARC record creator on the Agari website to easily generate the required text: https://www.agari.com/resources/tools/dmarc/

2. Deploy email authentication – SPF and DKIM:

  • Deployment of SPF involves creating and publishing an SPF record that describes all of the servers authorized to send on behalf of an email domain. Small organizations usually have simple SPF records, where complex organizations often maintain SPF records that authorize a variety of data-centers, partners, and 3rd-party senders. DMARC-supplied aggregate feedback can help identify legitimate servers while bootstrapping an SPF record.
  • Deployment of DKIM requires domain owners to configure email servers to insert DKIM-Signatures into email and to publish public keys in the DNS. DKIM is widely available and supported by all major email vendors. DMARC-supplied aggregate feedback can help identify servers that emit email without DKIM signatures.

3. Ensure that Identifier Alignment is met. DMARC-supplied aggregate feedback can be used to identify where underlying authentication technologies are generating authenticated domain identifiers that do not align with the email domain. Correction can be rapidly made once misalignment is identified.

By taking these steps, domain owners can effectively monitor email and make informed security decisions.


The Big Picture
It’s Worth A Thousand Words

Email Before DMARC
Without DMARC, agencies that send email have limited visibility into how domains are being used to send email.

Email After DMARC
DMARC provides visibility into all email traffic and then instructs receivers how to handle unauthenticated emails, all outside of the mail flow.

The Results
A Real-World Example

Before and After DMARC Enforcement

The following chart, showing anonymized views of a customer dashboard, highlights the dramatic impact of implementing DMARC. DMARC is so effective at preventing these malicious email campaigns that the bad guys literally give up trying.

The Best Practice: Gradually Moving to Enforcement

This next chart depicts another campaign targeting new domains. Here, the customer employed a gradual adoption of tighter DMARC policies, just as DMARC was designed to be deployed. Initially, unauthenticated mail volume surpassed 100,000 to 150,000 messages per day. After a Quarantine policy, this was cut to 50,000 or less. The policy was tightened further to a Reject policy, which practically eliminated the volume of unauthenticated email.

Close button
Mail Letter

Would you like the confidence to trust your inbox?