Without DMARC records, email is left vulnerable to attacks. Therefore, you need to create these records if you want to protect your email and avoid being hacked. Learn how to create DMARC records without compromising on security while reading this blog.
The Domain-based Message Authentication, Reporting and Conformance (DMARC) standard has been a game-changer in the world of email. It has helped online firms verify and authenticate emails from their users. This means that emails from authenticated sources can be marked as known junk instead of getting marked as spam. In addition, emails from unknown senders will not be scanned for malicious intent the way content-scanning tools do.
A Domain-based Message Authentication, Reporting and Conformance (DMARC) file is a security measure put in place to protect your email traffic. It is imperative to have DMARC enabled on your email servers to protect email campaigns, since it defeats the possibility of receiving emails from spammers and phishers by regularly providing you with a DMARC report.
DMARC is an email authentication policy that works on encrypting messages at the domain and client level by sending an email authentication code for every single message in a particular domain. With this technology, there's no possibility of email spoofing or phishing because the email's legitimacy can be verified by the DMARC domain. But, as it exists as a relatively new tool in the security world, not many have grasped the significance of its role.
So, to answer why you should learn how to create DMARC records, we need to understand their importance.
There are several reasons why you should learn how to create a DMARC report for your email campaigns:
1) Preventing Email Spamming - If you're sending emails from your own domain and want them delivered properly, then learning about creating a DMARC record is essential. You can use this information in order not only to prevent spam but also to make sure that all messages sent through any other domains will be authenticated as well.
2) Protecting Your Customers - If you have a business, then the last thing that any of your customers want to see is an email from someone they don't know. They will immediately delete it or mark it as spam, and this can be very damaging for your reputation on social media platforms like Facebook and Twitter.
3) Protecting Your Business' Reputation - It's important to keep in mind that if there are emails being sent out by businesses without proper DMARC records, these could lead people away from their brands because of the possibility of receiving phishing emails.
DMARC is a standard that's managed and administered by the Internet Corporation for Assigned Names and Numbers (ICANN). The process of creating or modifying records to adhere to this standard can be done through your email provider. For example, Gmail has an option where you can create DMARC records directly on their website, but there are also other providers like Yahoo! Mail, Microsoft Outlook etc., which require you to contact them about it.
You will need:
A valid domain name - This should ideally be one that includes both letters from your country as well as numbers in order not only to help prevent spam but also identify the domain as belonging to a single person.
A valid email address - This should be one that's associated with your company or business and not something you use personally. You will also need this in order for them to send you an account verification link once they've sent out emails through your domain name.
The steps are pretty simple:
1) Choose whether you want it delivered on all mail servers, only mail servers within your network (DMARC records are specific to each server), or just those located inside of your organization
2) Checkmark which type of record is being created
3) Fill out the record information as follows:
Domain Name - This is a name that's associated with your domain. For example, if you own "example.com", then this would be the part of it after .com where all subdomains are separated by periods (e.g. sampledomain1@example.net), and any top-level domains or aliases to other companies' names should also be included here in order for them to work properly when sending emails through your domain using DKIM/SPF records too
Email Address - This is an email address that's associated with your company or business. It should not be a personal address that you use on your own email account, as this will make it easier for spammers to find out who's sending the messages and target them with their automated tools.
SPF - This is an optional record that can help prevent mail from being forged by anyone else using a similar domain name or IP address range (e.g., if someone were trying to send spam through "example.com", they would need access to the same servers where DKIM/SPF records are located). If you checkmark this option, then please enter either your company name or your domain name as the value. This is not necessary if you're using a different email service provider.
DKIM - This is an optional record that can help prevent mail from being forged by anyone else using a similar domain name or IP address range (e.g., if someone were trying to send spam through "example.com", they would need access to the same servers where DKIM/SPF records are located). If you checkmark this option, then please enter in either your company name, website's title, product line(s) and/or one of its subdomains as the value. This is not necessary if you're using a different email service provider.
Domain Keys - If you checkmark this option, then please enter either your company name or website's title as the value. This is not necessary if you're using a different email service provider.
Email Aliases - If checked, this will allow any emails sent from that domain to be forwarded through another address (e.g., sampledomain2@example.net), which can help prevent spam and phishing attempts against people who have never signed up for your mailing list or purchased anything from your website. Enter in the email address you wish to use as an alias here. This is not necessary if you're using a different email service provider.
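The SPF and DKIM fields above are what DMARC's alignment test consumes. As an added example (not code from the original post), this Python evaluates a message the way a receiving server does under RFC 7489 section 3.1: the From: domain must align with the domain SPF authenticated or the DKIM d= domain, in relaxed or strict mode. It assumes the organizational domain is simply the last two labels; a production implementation consults the Public Suffix List instead.

```python
# Added example (not from the original post): how a receiving server decides
# whether a message passes DMARC, given the RFC 5322 From: domain, the domain
# SPF authenticated (MAIL FROM) and the DKIM signing domain (d=).  Follows the
# identifier-alignment rules of RFC 7489 section 3.1.  Assumption: the
# organizational domain is the last two labels (a real implementation consults
# the Public Suffix List, so co.uk-style domains need that extra step).


def org_domain(domain):
    """Simplified organizational domain: the last two DNS labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment.  mode 's' (strict) needs an exact match;
    mode 'r' (relaxed) accepts any host under the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass,
                 adkim="r", aspf="r"):
    """DMARC passes when at least one mechanism both passed on its own AND
    its domain aligns with From:.  An SPF pass for an unrelated MAIL FROM
    domain (the classic spoofing pattern) therefore does not help the sender."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def apply_policy(result, p):
    """Disposition a receiver applies under the published p= policy."""
    if result == "pass" or p == "none":
        return "deliver"
    return p  # "quarantine" or "reject"
```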
The DMARC record is in the form of a TXT record. You can find the DMARC record for your domain in the "DMARC" tab of DNS Manager.
The following is an example of a DMARC policy: v=DMARC1; p=none; rua="smtp-amqp.example.com"; ttl=3600s; nocanonify (1); sasl_mechanism_type="plain"; dmarc (2) = yes
The first line, v, indicates that this message has been verified using DKIM or SPF and contains no special instructions.
The second line, p=none, indicates that this message does not contain any DKIM or SPF tags. This is the default setting if you have not specified a value for either of these.
The third line, rua="smtp-amqp.example.com", specifies an alternative SMTP server address to which messages should be relayed when they are rejected by your primary MX record due to senders being blacklisted or otherwise using invalid addresses (e.g., those in violation of anti-spam laws). The format is: urn:xmpp:amqp-relay@example.com
The fourth line, ttl=3600s, specifies how long the message should be stored in DNS before being discarded (in seconds). This value is used by a variety of anti-spam tools and can range from 1 to 604800 (1 hour) or more depending on your needs. If you are having problems with some email clients treating messages as spam if they don't expire within their configured time period, try increasing this number. The default setting is 3600s.
The fifth line, nocanonify (1), indicates that this message should not be processed by any Canonicalization or DomainKeys Identified Mail (DKIM) processing tools. This is the default setting if you have not specified a value for either of these.
The sixth line, sasl_mechanism_type="plain", specifies how to handle SASL authentication when using plain-text authentication mechanisms such as PLAIN or CRAM-MD5. The format is: urn:XMPP:amqp-relay@example.com; dmarc=yes
The seventh line, sasl_mechanism_authtype="plain", specifies how to handle SASL authentication when using the AUTH command. The format is: urn:XMPP:amqp-relay@example.com; dmarc=yes
The eighth line, tag=<tag> , is the DMARC record tag. The format of this string is: <tag>:<value>
The value can be any text as long as it conforms to RFC 5322 (see http://tools.ietf.org/html/rfc5322 ). For example, if you want all messages with a specific "from" address tagged and sent directly to your spam folder instead of being relayed for further processing by an MX host or other intermediary system that does not support DMARC-aware relaying, then you might use something like: from:<spam-from>; tag=Spam_From
For more information on DMARC record tags, see http://www.dmarcian.com/dmrc/.
If you are using the SASL PLAIN mechanism and want to specify an authentication type other than "plain", such as DIGEST-MD5 or NTLM, then use sasl_mechanism_authtype="digest". If you are using a different authentication method besides plaintext, like TLS or STARTTLS, then use sasl_mechanism_authtype="tls" or sasl_mechanism_authtype="starttls".
If you are using TLS, STARTTLS, or other SASL mechanisms that support multiple authentication types, then the value of tag=<value> should be a comma-separated list. For example: urn:xmpp:amqp-relay@example.com; dmarc=yes; tls://hostname/path/to/sasl2
The ninth line, tag=<tag>:<value>, is the DMARC record tag. The format of this string is: <tag>:<value>
You can add "Value" information to your DMARC record. For example, if you want all messages from a specific sender that do not have the tag Spam_From tagged and sent directly to your spam folder instead of being relayed for further processing by an MX host or other intermediary system that does not support DMARC-aware relaying, then use something like: dmarc=yes; value="from:<spam-sender>"; tag=Spam_Sender
If you are using the SASL PLAIN mechanism and want to specify an authentication type other than plaintext, such as DIGEST-MD5 or NTLM, then use sasl_mechanism_authtype="digest". If you are using a different authentication method besides plaintext, like TLS or STARTTLS, then use sasl_mechanism_authtype="tls" or sasl_mechanism_authtype="starttls".
If you are using TLS/STARTTLS and other SASL mechanisms that support multiple authentication types, then the value of tag=<value> should be a comma-separated list. For example: urn:xmpp:amqp-relay@example.com; dmarc=yes; tls://hostname/path/to/sasl2
The tenth line, tag=<tag>:<value>, is the DMARC record tag. The format of this string is <tag>:<value>
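As an added example (not from the original post), the Python below builds the TXT value to publish at _dmarc.<domain> and checks an existing value against the tag syntax receivers actually parse, as defined in RFC 7489 section 6.3: v=DMARC1 must come first, p= is mandatory, rua= and ruf= are mailto: URIs, and any tag outside the RFC 7489 set is reported as unknown. example.com and the report mailbox are placeholders.

```python
# Added example, not from the original post: build the TXT value published at
# _dmarc.<domain> and check an existing value against the tag syntax of
# RFC 7489 section 6.3.  example.com and the report mailbox are placeholders.
VALID_POLICY = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}


def build_dmarc(policy, rua, pct=100, adkim="r", aspf="r", sp=""):
    """Return the record text; v= must come first and p= is mandatory."""
    if policy not in VALID_POLICY:
        raise ValueError("p must be none, quarantine or reject")
    tags = [("v", "DMARC1"), ("p", policy), ("rua", "mailto:" + rua),
            ("adkim", adkim), ("aspf", aspf), ("pct", str(pct))]
    if sp:  # subdomain policy, only when it should differ from p
        tags.append(("sp", sp))
    return "; ".join("%s=%s" % kv for kv in tags)


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    out = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            out[k.strip().lower()] = v.strip()
    return out


def validate_dmarc(txt):
    """Return a list of problems; an empty list means receivers will honour it."""
    problems = []
    tags = parse_dmarc(txt)
    if txt.split(";", 1)[0].strip().lower() != "v=dmarc1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICY:
        problems.append("p= must be none, quarantine or reject")
    for uri_tag in ("rua", "ruf"):  # report addresses are mailto: URIs
        for uri in tags.get(uri_tag, "").split(","):
            if uri and not uri.strip().lower().startswith("mailto:"):
                problems.append("%s= needs a mailto: URI, got %r" % (uri_tag, uri.strip()))
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append("%s= must be r (relaxed) or s (strict)" % tag)
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct= must be an integer 0..100")
    for k in tags:
        if k not in KNOWN_TAGS:
            problems.append("unknown tag %r" % k)
    return problems
```

Publish the returned string as the TXT record at _dmarc.example.com; start with p=none so the reports arrive before any mail is quarantined.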
If you are using an email server that supports DMARC and you want to create records for messages sent from your domain or hosted on your servers, then you can use the following procedure.
1. Create a DMARC record for your domain or hosted Exchange Server environment (e.g., example@example.com). For example: dmarc=yes; value="from:<spam-sender>"; tag=Spam_Sender
2. Add an MX record to your DNS that points directly to the IP address of one of your email servers, such as mailhost1, and set it up so that all messages from this sender are relayed by MX host mailhost2. This is known as proper DMARC relaying configuration. For example: host mailhost1.example.com; dmarc=yes; value="from:<spam-sender>"; tag=Spam_Sender
3. Add another MX record to your DNS that points directly to the IP address of one of your email servers, such as mailhost2, and set it up so that all messages from this sender are relayed by both hosts (i.e., via DMARC relay). This is known as proper DMARC relaying configuration for multiple domains or hosted Exchange Server environments (e.g., you can use this configuration if you have one or more domains hosted by your email server). For example: host mailhost2.example.com; dmarc=yes; value="from:<spam-sender>"; tag=Spam_Sender
4. Create a DMARC record for the domain that is hosting your Exchange Server environment (e.g., example@example.com) and add it to DNS so that all messages from users of this domain are relayed via both hosts (i.e., via DMARC relay). For example, create an MX record pointing directly to the IP address of one of your email servers, such as mailhost1. For example: host mailhost1.example.com; dmarc=yes; value="from:<spam-sender>"; tag=Spam_Sender
5. Create a DMARC record for the domain that is hosting your Exchange Server environment (e.g., example@example.com) and add it to DNS so that all messages from users of this domain are relayed via only one host (i.e., via DMARC relay).
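Once a record with an rua= address is published, receivers mail aggregate XML reports to that mailbox, which is the DMARC report mentioned at the start of this post. As an added example (not from the original post), the Python below reads such a report using the schema from RFC 7489 Appendix C and lists the sending IPs that passed neither aligned DKIM nor aligned SPF; the report is a constructed sample and 203.0.113.0/24 is reserved documentation address space.

```python
# Added example, not from the original post: read a DMARC aggregate report of
# the kind receivers mail to the rua= address (XML schema in RFC 7489
# Appendix C) and list the sources that failed.  The report below is a
# constructed sample; 203.0.113.0/24 is reserved documentation address space.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-1</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_aggregate(xml_text):
    """One dict per <record>: who sent, how many, and how DMARC evaluated it."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "disposition": evaluated.findtext("disposition"),
        })
    return rows


def failing_sources(rows):
    """Source IPs with neither aligned DKIM nor aligned SPF, with message
    counts: either spoofing or a legitimate sender not yet set up, so review
    these before tightening p= from none to quarantine or reject."""
    return {r["source_ip"]: r["count"] for r in rows
            if r["dkim"] != "pass" and r["spf"] != "pass"}
```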