The best way to defend and protect your clients or customers, you company name or brand and your employees from phishing and spoofing attachks it to implement DMARC (Domain-based Message Authentication Reporting and Conformance). DMARC is built upon two other authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). You should have SPF and DKIM on your Envelope From and Friendly From domains before proceeding with DMARC.
Follow the steps below to build your DMARC record:
Step 1: Verify domain alignment
Open the email headers from the emails you send. Identify the domain or subdomain listed in the following places:
- The Envelope From (e.g.., Return Path or Mail-From)
- The “Friendly” From (i.e., “Header” From)
- The d=domain in the DKIM-Signature
If the domain names are identical then your domains are aligned and you will be able to instruct mailbox providers to reject any malicious emails purporting to be from your brand. If not, you can still proceed to create your DMARC record and work with your messaging, IT, and/or security teams to get aligned.
Step 2: Identify email accounts to receive DMARC reports
You will receive aggregate and forensic (message level) reports daily. Designate the email account(s) where you want to receive these reports. You may want to use two separate accounts, as you could get inundated with the data.
DMARC reports are very difficult to parse because they are provided in raw format.
Step 3: Learn the DMARC tags|
DMARC tags will tell the email receiver (1) to check for DMARC and (2) what to do with messages that fail DMARC authentication.
There are many other DMARC tags available, but you do not have to use them all. Just keep it simple and focus on the v=, p=, fo=, rua, and ruf tags.
Step 4: Generate your DMARC record with Return Path’s DMARC Creation Wizard
Use this DMARC Record Assistant, generate a DMARC text record in your DNS for each sending domain. Set the mail receiver policy to “none,” indicating DMARC’s “monitor” mode.
With DMARC in monitor mode, you can gather the information on your entire email ecosystem, including who is sending email on behalf of your brand, what emails are getting delivered, and what emails are not.
Request to receive the daily aggregate and forensic reports by specifying your email address in the rua tag and the ruf tag, respectively. Use the email address(es) you identified in step three above.
Your record should look something like this:
v=DMARC1; p=none; fo=1; rua=mailto:dmarc_reportagg@domain.com;ruf=mailto:dmarc_reportafrf@domain.com
You now have created your DMARC record. The next step is implementation.
Step 5. Implement your DMARC record into DNS
Contact your DNS server administrator to add your DMARC record to DNS and start monitoring your chosen domain.
Add it to your primary domain or a carefully selected test domain that you want. Sooner you will start receiving dmarc reports emails and see where email traffic using that domain is coming from. This will perhaps help you identify some vendors or partners you didn’t realize were sending and predtending on your behalf. Yo migh be surprised to find that there is—or isn’t—a significant volume of fraudulent messages using that domain and where those messages are coming from.
dmarc_report@domain.com
