By implementing DMARC, SPF, and DKIM, your organization will strengthen email security, improve deliverability, and enhance your brand’s reputation.
This step-by-step guide will help you correctly implement DMARC and safeguard your organization’s email domain.
Start with monitoring mode and gradually enforce stricter policies to gain full control over your domain’s email ecosystem.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that protects your domain against phishing and spoofing attacks. It helps email receivers verify the authenticity of messages by providing:
- A TXT record published in DNS that receivers use to validate mail claiming to come from your domain.
- A system for checking if a message “aligns” with what the recipient knows about the sender.
- Three policy options to handle non-aligned messages:
  - p=none (monitor only)
  - p=quarantine (flag as suspicious)
  - p=reject (block unauthorized emails)
For DMARC to function effectively, you need to set up SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) protocols beforehand.
Why is DMARC Essential for Your Organization?
By adopting DMARC, you unlock key benefits for your email communication:
- Enhanced Security: Prevent phishing and fraud by blocking unauthorized emails.
- Improved Visibility: Gain detailed insights into who is sending emails from your domain.
- Higher Deliverability: Increase email deliverability rates by 5-10% and avoid spam filters.
- Brand Protection: Defend your brand from impersonation and cyber threats.
Step 1: Setting Up SPF
What is SPF?
SPF ensures only authorized servers can send emails from your domain. It authenticates by verifying the sender’s IP address.
How to Set Up SPF:
- Gather the IP addresses of all servers that send email for your domain (e.g., web servers or your ISP's mail servers).
- Create an SPF TXT record for each domain. Example:
  v=spf1 ip4:1.2.3.4 include:mailserver.com -all
- Publish the SPF record in your DNS.
- Verify the SPF record using an SPF checker tool.
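Added example (not part of the original guide): a small offline evaluator that shows how a receiver walks an SPF record like the one above, term by term, for a given sender IP. The zone data, domain names and addresses are constructed stand-ins for real DNS TXT lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domain names and addresses are hypothetical.
ZONE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:mailserver.example -all",
    "mailserver.example": "v=spf1 ip4:192.0.2.0/28 ~all",
}

# Qualifier prefix -> SPF result; a bare mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send as `domain`.

    Handles the mechanisms used in the guide's example record: ip4 (optionally
    with a CIDR length), include, and all. Unknown mechanisms are skipped.
    """
    if depth > 10:                      # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = zone.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                   # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's record yields pass;
            # any other result there just moves evaluation on to the next term
            if check_spf(arg, sender_ip, zone, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]   # -all: anything not listed above fails
    return "neutral"                    # no term matched and no 'all' present
```

Because `-all` is the final term, a server that is neither listed directly nor covered by the included record gets a hard fail, which is what a later DMARC policy acts on.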
Step 2: Setting Up DKIM
What is DKIM?
DKIM uses public/private key cryptography to verify emails and ensure they haven’t been tampered with in transit.
How to Set Up DKIM:
- Choose a DKIM selector (e.g., “standard”).
- Generate a public-private key pair for your domain.
- Use tools like PuTTYgen (Windows) or ssh-keygen (Linux/Mac).
- Publish the public key in your DNS as a TXT record. Example:
  v=DKIM1; p=YourPublicKey
Step 3: Setting Up DMARC in Monitoring Mode (p=none)
What is DMARC Monitoring Mode?
Monitoring mode allows you to review DMARC reports without enforcing any actions, giving you visibility into email traffic and potential issues.
The reports identify potential failing messages that would be either quarantined or rejected once DMARC is set to full enforcement.
Furthermore, DMARC reports show information about all systems and services that send email from the monitored domain.
NOTE: Monitoring mode does not provide any level of enforcement.
Mail that fails authentication is delivered normally, allowing you to avoid potential disruptions while implementing DMARC.
How to Set Up DMARC Monitoring Mode:
- Ensure SPF and DKIM are correctly configured.
- Create a DNS TXT record named _dmarc.yourdomain.com. Example:
  v=DMARC1; p=none; rua=mailto:dmarcreports@yourdomain.com
- Test the DMARC record using a DMARC checker tool.
Note: Changes may take 24-48 hours to propagate.
Common Tags Used in DMARC TXT Records
tag name | required | purpose
v | required | protocol version
p | required | policy for the domain
pct | optional | % of messages subjected to filtering
rua | optional | reporting URI of aggregate report
sp | optional | policy for subdomains of the domain
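Added example (not from the guide): a parser and checker for the DMARC records used in Steps 3, 6 and 7, applying the rules in the table above (v and p required, valid policy names, pct in 0-100, mailto: reporting URIs) and flagging the weak settings the guide warns about. The hostnames and addresses in the tests are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dict (keys lowercased,
    insertion order kept so the position of the v tag can be checked)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record):
    """Return (errors, notes). Errors make the record invalid; notes flag settings
    that are valid but give less protection or visibility than the guide aims for."""
    errors, notes = [], []
    tags = parse_dmarc(record)
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("v=DMARC1 must be present and must be the first tag")
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        errors.append(f"p must be one of {sorted(VALID_POLICIES)}, got {policy!r}")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        errors.append(f"sp has invalid policy {tags['sp']!r}")
    pct = tags.get("pct", "100")            # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        errors.append(f"pct must be an integer 0-100, got {pct!r}")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().lower().startswith("mailto:"):
            errors.append(f"rua URI must be a mailto: address, got {uri.strip()!r}")
    if policy == "none":
        notes.append("p=none is monitoring only: failing mail is still delivered")
    if "rua" not in tags:
        notes.append("no rua tag: you will receive no aggregate reports to evaluate")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        notes.append(f"pct={pct} enforces on a sample only; BIMI/VMC require pct=100")
    return errors, notes
```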
Step 4: Monitor and Evaluate Your DMARC Reports
What Information Do DMARC Reports Provide?
DMARC reports offer crucial insights to domain owners, including:
- The number of fraudulent emails using your domain.
- The sources of these fraudulent emails.
- Whether these emails are blocked under “quarantine” or “reject” policies.
These reports are sent by email receivers in XML format and include details such as:
- A count of messages from each IP address.
- Actions taken based on your DMARC policy.
- SPF and DKIM validation results.
Since XML files can be cumbersome to read, consider using a DMARC report processor for better usability.
4 Ways to Leverage DMARC Reports Effectively
- Establish a Baseline: Assess how many emails are marked as non-legitimate.
- Identify Legitimate Emails: Spot legitimate emails flagged incorrectly and determine how they’d be handled under enforcement policies.
- Communicate with System Owners: Work with relevant stakeholders to verify flagged emails.
- Update Your SPF Records: Add legitimate IP addresses to your SPF record to prevent false positives.
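Added example (not from the guide): a reader for the XML aggregate reports described above that produces the baseline the four steps ask for, per-source counts plus the aligned/failing split, and lists the sources to take to system owners before enforcement. The report is a constructed sample in the RFC 7489 layout; the receiver, domain and IP addresses are made up.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 XML layout (trimmed to the fields
# used below); the receiver, domain and IP addresses are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize_report(xml_text):
    """Build the baseline the guide asks for: per-source message counts plus the
    aligned/failing split. A row counts as aligned when DKIM or SPF passed, which
    is what the receiver's policy_evaluated block records after alignment checks."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "aligned": 0, "failing": 0, "sources": {}}
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        bucket = "aligned" if "pass" in (dkim, spf) else "failing"
        src = summary["sources"].setdefault(ip, {"count": 0, "aligned": 0, "failing": 0})
        src["count"] += count
        src[bucket] += count
        summary[bucket] += count
    return summary


def failing_sources(summary):
    """IPs with any non-aligned mail: these would be quarantined or rejected under
    enforcement, so each must be confirmed as either unauthorized or a legitimate
    sender whose SPF/DKIM setup still needs fixing."""
    return sorted(ip for ip, s in summary["sources"].items() if s["failing"])
```

In the sample, 192.0.2.44 fails DKIM but passes SPF, so it still aligns; only 198.51.100.7 would be affected by a quarantine or reject policy.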
Step 5: Socialize and Communicate
Why Use DMARC Reports Before Enforcement?
Analyzing DMARC reports is essential to prevent legitimate emails from being blocked or quarantined under enforcement policies. Missing any legitimate senders can lead to delays and complications later.
Here’s how to prepare internally before enabling enforcement:
- Create an Inventory: Identify all email senders from DMARC reports and stakeholder input.
- Categorize Senders: Label them as authorized, unauthorized, or malicious.
- Reach Out to Stakeholders: Ensure no legitimate sender is overlooked.
- Update SPF Records: Add new legitimate IP addresses as needed.
5 Tips for Pre-Enforcement Communication
- Document Your Implementation Policy: Share a clear plan with stakeholders.
- Seek DMARC Support: Get external help if the process feels overwhelming.
- Communicate Regularly: Share findings from DMARC reports promptly.
- Treat DMARC as a Project: Manage it like an internal initiative with clear goals.
- Involve Executives: Secure sponsorship from leadership to drive adoption.
How Long Should Monitoring Last?
The monitoring phase duration varies by organization. Enterprises may require weeks or months to ensure all authorized senders are identified, stakeholders are informed, and systems are ready for enforcement.
Step 6: Set DMARC Policy to “Quarantine”
When ready, switch to “quarantine” mode to direct failing messages to users’ spam folders.
How to Enable Quarantine Enforcement
- Log into your DNS server and locate the DMARC record.
- Change the policy from “p=none” to “p=quarantine.” Example:
  v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarcreports@your_domain.com
- Start with a 10% filtering rate (pct=10) and gradually increase it to 100%.
Pro Tip: Incrementally increase the percentage of filtered messages as you gain confidence in your DMARC setup.
Note on BIMI and VMC Standards
To meet BIMI (Brand Indicators for Message Identification) and VMC (Verified Mark Certificates) standards, your DMARC record must be set to pct=100. The policy can be either “quarantine” or “reject.”
Step 7: Set DMARC Policy to “Reject”
The “reject” policy blocks and deletes all unauthorized emails, ensuring they never reach the recipient’s inbox.
How to Set the DMARC Reject Policy
- Access your DNS console and open your DMARC record.
- Change the policy from “p=quarantine” to “p=reject.” Example:
  v=DMARC1; p=reject; pct=100; rua=mailto:dmarcreports@your_domain.com
- Save the updated record.
Important: Continuously monitor this stage to ensure no legitimate emails are accidentally rejected.
What Happens to Rejected Emails?
Emails failing the DMARC check are blocked or deleted without notification to the recipient. This is the highest enforcement level, ensuring maximum protection against spoofed emails.
Confused?
If you use our email and DNS services, try our professional DMARC setup and configuration service!