PART 3 – DMARC
Currently, the three protocols you need to put in place to secure and authorize your email are SPF, DKIM and DMARC. This post covers creating a DMARC record. Without a DMARC record, an attacker can easily impersonate your domain and make any email look like it came from your account.
DMARC stands for Domain based Message Authentication, Reporting and Conformance – it is a protocol built on top of existing SPF and DKIM protocols. DMARC does a couple of things:
- It reads the results from SPF and DKIM
- For DMARC to pass, it requires both SPF and DKIM to pass, and the domain used by each of those protocols has to be the same as the domain found in the ‘From’ address
- It reports SPF, DKIM and DMARC results back to the domain found in the ‘From’ address
- It tells receivers how to treat emails that fail DMARC validation, using the policy specified in the DNS record
You will need to check with your hosting provider on the proper settings for a DMARC record. For example, with GoDaddy you add a TXT record but make sure the host portion is “_dmarc”. The actual DMARC record is probably best explained by showing an example record:
v=DMARC1; p=quarantine; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; adkim=r; aspf=r; rf=afrf
- The “p” option has three choices: none, quarantine or reject. This tells receivers how to handle email that fails the policy. You may want to start off with quarantine to test your record first and then move to reject once you are comfortable your settings are correct
- The “adkim” and “aspf” options define how strictly DKIM and SPF policy should be applied – “s” indicates strict and “r” indicates relaxed.
- The “rua” option provides an address for aggregate data reports and the “ruf” option provides an address for forensic reports.
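To see what the tags above actually do, here is an added example (not part of the original post) that parses a DMARC TXT record, checks it for the mistakes that silently disable it (a bad v= tag, a missing or invalid p=), and applies the adkim/aspf alignment modes to sample SPF and DKIM results. The final verdict follows RFC 7489, under which a message passes DMARC when at least one of SPF or DKIM passes with an aligned domain; the organizational-domain helper is a simplification that assumes the last two labels, where real receivers consult the Public Suffix List.

```python
from typing import Dict, Optional

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def validate_dmarc(record: str) -> Optional[str]:
    """Return None if the record is usable, otherwise the first problem found."""
    tags = parse_dmarc(record)
    # The version tag must be first and spelled exactly DMARC1 (a typo such as
    # DAMRC1 makes receivers ignore the whole record).
    if record.split(";", 1)[0].strip().lower() != "v=dmarc1":
        return "record must begin with v=DMARC1"
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return "p must be none, quarantine or reject"
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            return f"{tag} must be r or s"
    return None

def org_domain(domain: str) -> str:
    # Assumption for this example: the last two labels form the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
                 dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass', or the p= action the record asks receivers to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

Running validate_dmarc against the record you publish is a cheap check to do before testing with a real receiver.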
Once you have all of the records in place, head on over to https://appmaildev.com and just follow the instructions to test your records.