How to set up DMARC mail protection?

There are many threats waiting for email users these days. These include, for example, ordinary spam, phishing for personal data and impersonation of a user's email address. One of the easier ways to minimize such threats is to have SPF and DKIM records in the DNS zone. It is good practice to extend this protection by adding a DMARC record, which this article shows how to do.

About the SPF, DKIM and DMARC records

1. SPF (Sender Policy Framework) - "ties" the domain to a specific server or servers. It determines which server(s) may send mail for a particular domain. The record is published in DNS, which is responsible for identifying the mail server(s) correctly, and it lets the recipient verify the message.
Sample SPF record: v=spf1 +a +mx +ip4:136.243.110.88 ~all 

2. DKIM (DomainKeys Identified Mail) - when an e-mail is sent, it is signed with a special key. When the message is received, the recipient's server queries your domain's DNS records and checks the signature. DKIM prevents others from impersonating you on the Internet.
Sample DKIM record: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGIV4qmWRY9XWyWdgfpC900bXScRVCJY1lnItlw91gnJzsO97aDypWA4jIeqjadlLSEiXHaNouaGyWfSQvFkbeuEGrxZCHGpPFUlPrFp5AaQ02/p3laQK+Sx2E/
jdeclvOtX7MU2D3GTKNjR6loRk3+QlzIouWVpPKQig3w1DF0o7q6d4Y32Kc5k+XUYATZXiPA1i5Q8OfMgDEJ5Es++8dTNtP8xJ5k7mLLvtxmxhTz5QEsRiSBCynDm5FLVMWDuPttlYKfNxonsYzj+HnTq3YTuRhHod1BckAvRT
Bu1SWfbLnxaCSYiI2ExqxKrU71UyILtmG9dm/0gT6ctIX3bNQIDAQAB;

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance) was created to improve safety even further. This record allows the domain owner to define rules that tell the receiving mailbox how to deal with suspicious messages sent from the domain. It is an initiative that companies such as Google, Facebook, PayPal and Amazon are working on and using. DMARC combines SPF and DKIM and offers additional security.

Here are typical tags used in TXT DMARC records:

| Tag name | Required | Purpose | Example |
|---|---|---|---|
| v | Required | Protocol version | v=DMARC1 |
| p | Required | Rules for the domain | p=quarantine |
| pct | Optional | Percentage of messages to be filtered | pct=20 |
| rua | Optional | URI for the delivery of summary reports | rua=mailto:doe@thecamels.org |
| sp | Optional | Rules for the domain's subdomains | sp=reject |
| aspf | Optional | SPF alignment mode | aspf=r |

Only the most popular tags are listed here; the rest can be found on the DMARC Tag Register page.

Only the v (version) and p (rules) tags are required. The rules tag has three possible settings, which instruct the recipient what to do with messages:

  • none - take no action; only record the relevant messages in a daily report.
  • quarantine - mark captured messages as spam.
  • reject - reject the messages.

It is worth adding an email address to the optional rua tag, which will allow you to receive daily reports.

How to set DMARC?

1. If you don't know where to find the DNS zone editor, check our guide.

2. Then click the "down arrow" at the Add record button. Select "Add DMARC record" from the drop-down list. You will see the basic view of adding a DMARC record, but unfortunately, it limits our options. Therefore, click "Optional Parameters" to display all available options. Below we will describe the basic configuration of the record:

Setting up DMARC

  • Policy - set to None; no action will be taken, but all events will be recorded,
  • Subdomain Policy - set to None; the same as above, but for subdomains,
  • DKIM Mode, SPF Mode - keep Relaxed,
  • Percentage - set to 100; this is the percentage of messages that will be filtered,
  • Generate Failure Reports When - choose Any Check Fails,
  • Report Format - can be selected at will. Both reports are user-friendly,
  • Report Interval - set the value to 86400, which means 24 hours,
  • In the last two fields, enter the email address to which notifications and reports should be sent,
  • Press the "Add record" button to save the changes.

This is the most basic configuration; everyone should adjust it to their needs.

Keep in mind that every change in the DNS zone is followed by so-called DNS propagation.
