Acmetek - Blog
December 23, 2021
How to set up a DMARC on your domain to get qualified for VMC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is becoming a more popular method of ensuring the integrity of emails sent from a specific domain. It includes a reporting mechanism that allows senders and recipients to improve and monitor the domain's security against fraudulent email, allowing for safe email communication.
Regrettably, this critical email security feature is not enabled by default for every domain, web host, or email server. Therefore, organizations and email administrators must establish and put up policies for DMARC. While DMARC is not the norm for email servers, it is becoming more popular as the US government and businesses throughout the world implement it.
Fraudsters usually 'forge' or 'fake' email 'From addresses,' making it appear as if it came from your domain. You can publish a DMARC record to prevent abuse using your domain and inform other recipient domains about your outgoing domain policy. This allows email systems that follow the DMARC standards to handle unauthenticated emails. This also aids in the prevention of 'Phishing' activities on your domain, as well as the protection of your domain's reputation.
What are the benefits of DMARC?
DMARC safeguards your company against fraud as well as harmful, faked emails. DMARC lets the email sender and receiver collaborate to implement the framework: the sender publishes rules for the receiver to follow when it receives possibly spoofed email, and the receiver sends back reports describing where the sender's messages came from and the SPF and DKIM results obtained when checking their authenticity.
DMARC allows businesses and domain owners to receive reports on the email communications they send across the internet. The DMARC reporting system gives you unique information that you won't find anyplace else. In addition, DMARC offers companies complete control over their email by defining a policy that tells mailbox providers and receiving email systems what to do when they receive a message that claims to be from a specific domain or organization but lacks email authentication mechanisms. Having control over your email messages allows you to build more trust in them and provide more value to the communications you send.
How to qualify your domain for VMC with DMARC? How to set up DMARC?
Set up SPF
The Sender Policy Framework (SPF) is one of the simpler parts of a DMARC deployment to set up and manage. SPF designates which mail servers are allowed to send email for a specific domain name.
At its most basic, SPF needs only a single line added to the domain's DNS record.
Example 1: v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 ip4:x.x.x.x -all
Example 2: v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 include:thirdparty.com -all
An SPF record has several settings that can be used to limit and specify which email exchanges are allowed to send an email on behalf of a domain and how tightly the policy should be enforced.
Set up DKIM
DKIM (DomainKeys Identified Mail) is more extensive and harder to set up than SPF. To use DKIM, companies must make adjustments to their outgoing email servers in addition to adding a DNS entry.
DKIM is an email authentication standard that signs emails with public/private key cryptography. In addition, it guards against message tampering while in transit.
Publish the public key in a DNS TXT record named after the DKIM selector, for example "standard._domainkey.example.com" (this is the host name; "standard" is the selector).
Use PuTTYgen on Windows to generate the key pair.
Use ssh-keygen on Linux/Mac (export the public key in PEM/base64 form, not OpenSSH format, for the p= value).
The record should look like this: v=DKIM1; p=YourPublicKey (the v= tag must be the first tag in the record, and p= carries the base64-encoded public key).
Test DMARC report
Now comes the most crucial part. It's also the most time-consuming of the three. Now you'll need to set up DMARC to start monitoring your current email traffic so you can have a good idea of what's acceptable.
Here's how to get started with DMARC traffic monitoring:
1. Double-check that SPF and DKIM are configured appropriately.
2. Make a DNS entry.
The DMARC TXT record should be named "_dmarc.yourdomain.com".
Example: v=DMARC1; p=none; rua=mailto:dmarcreports@yourdomain.com
Create a "p=none" (monitoring mode) DMARC record in the same way you created SPF and DKIM entries if you handle the DNS for your domain.
If you don't have control over your DNS, have your DNS provider set up the DMARC record for you.
3. Use a DMARC check tool to verify your DMARC record.
DMARC will immediately start creating reports that will provide you with a lot of information about the mail sent through your domain, including any messages flagged by SPF and DKIM.
Once you have monitored your mail for long enough to be confident that you have identified all legitimate senders whose mail is being flagged as unauthenticated, it is time to start ratcheting up enforcement.
"quarantine" and "reject" are the two enforcement levels in DMARC. Although "reject" is the safest option and therefore our top recommendation, either level will qualify your domain for a VMC.
However, before going directly to rejection, it's best to spend some time in quarantine. Here's how to do it:
1. Go to your DNS server and look for the DMARC entry there.
2. Change the policy from "p=none" to "p=quarantine" in the DMARC record for the selected domain.
3. Add the "pct" tag (the percentage of messages the policy is applied to). We recommend starting with 10% and gradually increasing the proportion until you reach 100%.
You're officially VMC-qualified and ready to start rejecting after you've reached 100% filtering.
Fortunately, this is the simplest step:
1. Change "p=quarantine" to "p=reject" in your DMARC record.
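The staged rollout above, as an added example that is not part of the original post: a small parser for DMARC TXT records that reports the current stage, checks the post's VMC bar (quarantine or reject at 100%), and produces the record for the next ratchet. The sample record and the example.com domain are constructed for illustration.

```python
def parse_tags(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def dmarc_stage(txt):
    """Report policy, pct, whether aggregate reports (rua) are requested, and
    whether the record meets the post's VMC bar: quarantine or reject at 100%."""
    tags = parse_tags(txt)
    if not tags or tags[0] != ("v", "DMARC1"):   # v= must be the first tag
        raise ValueError("not a DMARC1 record")
    tags = dict(tags)
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))            # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    rua = [a.strip() for a in tags.get("rua", "").split(",")
           if a.strip().startswith("mailto:")]
    return {"policy": policy, "pct": pct, "reporting": bool(rua),
            "vmc_ready": policy != "none" and pct == 100}

def next_step(txt, step=10):
    """Build the record for the next ratchet: none -> quarantine at `step`%,
    quarantine -> pct + step (capped at 100), quarantine at 100% -> reject."""
    tags = dict(parse_tags(txt))
    info = dmarc_stage(txt)
    if info["policy"] == "none":
        tags["p"], tags["pct"] = "quarantine", str(step)
    elif info["policy"] == "quarantine" and info["pct"] < 100:
        tags["pct"] = str(min(100, info["pct"] + step))
    elif info["policy"] == "quarantine":
        tags["p"] = "reject"
        tags.pop("pct", None)                    # reject applies to all mail
    rest = [f"{k}={v}" for k, v in tags.items() if k not in ("v", "p")]
    return "; ".join(["v=DMARC1", f"p={tags['p']}"] + rest)  # v first, p second

if __name__ == "__main__":
    # constructed sample record, mirroring the post's monitoring-mode example
    rec = "v=DMARC1; p=none; rua=mailto:dmarcreports@example.com"
    while dmarc_stage(rec)["policy"] != "reject":
        rec = next_step(rec)
        print(rec, dmarc_stage(rec)["vmc_ready"])
```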
Now you've gained a lot of visibility into the messages sent from your domain, improved security for all users, protected yourself from many phishing attacks, and qualified your domain for a VMC certificate.