We’ll explain how to configure DMARC for your company’s email, including what you’ll need and how to add DMARC to your DNS. Just follow these DMARC setup steps!
Before we begin, here’s a high-level overview of how to add DMARC to your DNS.
For more details, read on. Or skip to the step-by-step instructions.
Thanks to its sheer ubiquity and undeniable usefulness, email has never been more important. But it has also never been secure, thanks to one critical flaw: Anyone can send email using someone else’s identity. And that single fact has made email a $700 million-a-month bonanza for cybercriminals who spoof corporate email accounts to impersonate top executives and trusted brands in phishing scams targeting employees, customers, and the general public.
These aren’t just one-off attacks anymore, either. We’ve reported extensively on the increasingly sophisticated ways imposters are posing as suppliers to defraud entire corporate supply chains. Today, email impersonations account for more than half of all Internet-related business losses, and are implicated in 67% of all data breaches.
But the damage done from these attacks extends far beyond their immediate victims. Get impersonated, and your company can face lost business, lawsuits, and steep regulatory fines. What’s more, negative news stories and social media tirades over crimes committed in your brand’s good name can render your legitimate, revenue-generating emails all kinds of toxic, if they aren’t blacklisted all together.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps organizations prevent all this from happening. Here’s how.
First introduced in 2012 by a consortium of industry leaders, DMARC is an open standard authentication protocol that works with SPF and DKIM to prevent the fraudulent use of legitimate brands in email attacks. More than 2.5 billion mailboxes are DMARC-enabled worldwide.
At its most essential, DMARC enables email receiver systems to recognize when an email isn’t coming from a specific brand’s approved senders, and gives the brand the ability to tell receivers systems what to do with these unauthorized emails.
With DMARC in place, you can:
When you set a DMARC enforcement policy for your organization, you are instructing email receiving systems what to do when email purporting to come from your approved domains fails authentication. These policies include:
DMARC uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace, which is created by prepending “_dmarc” to the email domain.
For example, if the email domain “example.com” publishes a DMARC record, issuing a DNS query for the TXT record at “_dmarc.example.com,” will retrieve the DMARC record.
Email receiver systems use the policies published to inform how they process emails purporting to come from the sender’s email domain.
You should have SPF and DKIM deployed and authenticating messages for at least 48 hours before setting up DMARC. Then, you can follow these DMARC setup steps to add DMARC to your DNS.
Step 1: Create a DMARC Record
This example record instructs receiver systems to generate and send aggregate feedback to “dmarc-feedback@” your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use a p=quarantine, or p=reject tags for emails that fail authentication.
Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record
Step 3: In the Type box, select TXT Record Type
Step 4: In the Host Value box, enter _dmarc as the “host”
Step 5: In the TXT Value box, enter the record you created using the DMARC Record Creator
Step 6: Save the DMARC record
Step 7: Validate the DMARC setup
Setting up DMARC in DNS only takes a few minutes. But to be effective against brand impersonation, DMARC must be set to its highest enforcement level, p=reject. And while this is relatively straightforward when you’re talking about a single domain, it can be complicated and time consuming for organizations with thousands of domains spanning dozens of email senders and outside email distribution partners.
However, when deployed using automated DMARC implementation solutions such as Agari Brand Protection, large organizations have been able to rapidly drive phishing-based brand impersonations to near zero. Not only does this preserve brand reputation and the efficacy of revenue generating email programs, it also protects employees, customers, partners and the general public from costly email scams.
For more information on DMARC adoption and its benefits, download Getting Started with DMARC from Agari.