What is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a specification created by a group of organizations in the email delivery industry. Its purpose is to reduce email abuse by standardizing reporting for email authentication/validation systems.
How do I set it up?
Create an Email Account
You're going to want a dedicated email account @your-domain.com to use for receiving the DMARC reports. We recommend something like firstname.lastname@example.org.
Decide which Tags to use
The complete list of tags is available here in section "Page 46", but it's generally overkill to use all of them. The most important are the v, rua, p, and ruf tags.
Start by Monitoring
By setting the policy tag to "none", you're telling the email receivers not to quarantine or reject your emails, but simply to send you a daily aggregate report.
To set this up, add a TXT DNS record to your domain:
v=DMARC1; p=none; rua=mailto:email@example.com
Optionally, you can set "ruf=mailto:firstname.lastname@example.org" to receive a copy of the phished/spoofed email.
After you've monitored your DMARC reports and added SPF/DKIM records for any legitimate third-party senders that were being flagged in the reports, it's time to enable quarantine mode. To do this, set
p=quarantine; in the TXT DNS record you added previously.
Rejecting is the final stage, but some people choose to skip it and leave their DMARC setup in quarantine mode.
To tell your email receivers to reject the spoofed/phished emails, just set
p=reject; in the TXT DNS record you added previously.
Example Deployment Cycle
Using the other DMARC tags, you can fine-tune your DMARC policy and roll it out gradually.
Here's an example deployment cycle:
- Monitor all.
- Quarantine 1%.
- Quarantine 5%.
- Quarantine 25%.
- Quarantine 50%.
- Quarantine all.
- Reject 1%.
- Reject 10%.
- Reject 50%.
- Reject all.
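As an added example (not code from the original page), the Python below builds the TXT record for each step of the deployment cycle above and for the monitor/quarantine/reject records shown earlier, using the pct tag to apply the policy to a sampled fraction of messages; it also shows the caveat that a message outside the pct sample gets the next weaker policy, not "none". The report mailbox addresses are constructed placeholders, and the record is assumed to be published at _dmarc.<your-domain>.

```python
# Added example, not from the original page. Report addresses are placeholders.
import re

RUA = "mailto:dmarc-reports@example.com"   # constructed placeholder address
RUF = "mailto:dmarc-forensic@example.com"  # constructed placeholder address

# (policy, percentage) for each step of the deployment cycle listed above
DEPLOYMENT_CYCLE = [
    ("none", 100),
    ("quarantine", 1), ("quarantine", 5), ("quarantine", 25),
    ("quarantine", 50), ("quarantine", 100),
    ("reject", 1), ("reject", 10), ("reject", 50), ("reject", 100),
]

def dmarc_record(policy, pct=100, rua=RUA, ruf=None):
    """Return the TXT value to publish at _dmarc.<your-domain>."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags = ["v=DMARC1", f"p={policy}"]
    if pct != 100:                      # 100 is the default, so omit it
        tags.append(f"pct={pct}")
    tags.append(f"rua={rua}")
    if ruf:                             # optional failure (forensic) reports
        tags.append(f"ruf={ruf}")
    return "; ".join(tags)

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must come first."""
    tags = dict(re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", t).groups()
                for t in txt.split(";") if t.strip())
    if list(tags)[0] != "v" or tags["v"] != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def effective_policy(txt, sampled):
    """Policy a receiver applies to a failing message, given whether the
    message fell inside the pct sample. Per RFC 7489 section 6.6.4, messages
    outside the sample get the next weaker policy, not 'none' outright:
    reject -> quarantine, quarantine -> none."""
    tags = parse_dmarc(txt)
    if sampled or int(tags.get("pct", 100)) == 100:
        return tags["p"]
    return {"reject": "quarantine", "quarantine": "none", "none": "none"}[tags["p"]]

def deployment_cycle():
    """The ten records to publish, one per step of the cycle above."""
    return [dmarc_record(p, pct, RUA, RUF) for p, pct in DEPLOYMENT_CYCLE]
```

Because of the pct fallback, "Reject 1%" still quarantines the other 99% of failing mail, so the reject steps are only safe once "Quarantine all" has run cleanly.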