A Detailed Guide to Publishing a DMARC Record

Akshit Singhal
8 min read · Jun 23, 2022


What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC), is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing. DMARC allows an organization to publish a policy that defines its email authentication practices and provides instructions to receiving mail servers on how to enforce them.

Specifically, DMARC establishes a method for a domain owner to:

  • Publish its email authentication practices
  • State what actions should be taken on mail that fails authentication checks
  • Enable reporting of these actions taken on mail claiming to be from its domain

DMARC itself is not an email authentication protocol; it builds on the two existing ones, SPF and DKIM, and adds the policy and reporting layer that SMTP lacks, because SMTP has no mechanism of its own for defining or enforcing authentication policy. The important addition is alignment: SPF authenticates the envelope sender domain and DKIM authenticates whichever domain signed the message, but neither of them says anything about the From: address the user actually sees. DMARC requires that at least one of those authenticated domains matches (is "aligned" with") the From: domain, which is what makes it effective against spoofing.

To learn about email authentication, refer to the link given below:
https://www.sparkpost.com/academy/email-technical/introduction-email-authentication/

Setting up DMARC for your custom domain includes these steps:

· Step 1: Identify valid sources of mail for your domain

· Step 2: Set up SPF for your domain

· Step 3: Set up DKIM for your custom domain

· Step 4: Form the DMARC TXT record for your domain

Step 1: Identify valid sources of mail for your domain

Before publishing any policy, you need an inventory of every system that legitimately sends mail as your domain: your own mail servers and every third party (marketing platform, ticketing system, CRM, payroll, and so on) that sends on your behalf. Anything you miss will fail DMARC once you enforce a policy. For each source, answer these two questions:

· What IP addresses send messages from my domain?
· For mail sent by third parties on my behalf, will the 5321.MailFrom and 5322.From domains match? The 5321.MailFrom is the envelope (bounce) address that SPF checks; the 5322.From is the header address that DMARC aligns against. If a vendor sends with its own bounce domain, SPF will pass for the vendor's domain but not align with yours, so that vendor must DKIM-sign with a key under your domain (or use a bounce domain you delegate to it) for DMARC to pass.
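The second question is the one most DMARC rollouts get wrong, so here is the pass/fail decision itself, written as an added example for this guide (it is not code from the original post). The domains and scenarios are constructed, and the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption for this example: real verifiers consult the Public Suffix List,
    so that e.g. 'example.co.uk' is itself an organizational domain."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. Mode 'r' (relaxed, the default) accepts the
    same organizational domain; mode 's' (strict) requires an exact match."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    header_from: str              # domain of the RFC5322.From header (what the user sees)
    mail_from: str                # RFC5321.MailFrom domain, the identity SPF checked
    spf_result: str               # SPF result: "pass", "fail", "softfail", "none", ...
    dkim_result: str = "none"     # "pass" if at least one signature verified
    dkim_d: Optional[str] = None  # d= domain of that verified signature


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """The DMARC rule: pass if SPF passed AND the SPF domain aligns, OR a DKIM
    signature verified AND its d= domain aligns. Anything else fails, and the
    receiver applies the domain's p= policy."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from, r.header_from, aspf)
    dkim_ok = (r.dkim_result == "pass" and r.dkim_d is not None
               and aligned(r.dkim_d, r.header_from, adkim))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios for a domain owner "example.com" (not real traffic).
SCENARIOS = {
    # Own mail server: envelope and header domains match and SPF passes.
    "own_server": AuthResults("example.com", "example.com", "pass"),
    # Third party using its own bounce domain and not signing as us:
    # SPF passes for test.net, but test.net does not align with example.com.
    "third_party_unaligned": AuthResults("example.com", "bounces.test.net", "pass"),
    # Same third party, now DKIM-signing with a key published under example.com.
    "third_party_dkim": AuthResults("example.com", "bounces.test.net", "pass",
                                    dkim_result="pass", dkim_d="example.com"),
    # Subdomain in the envelope: aligned under relaxed mode only.
    "subdomain": AuthResults("example.com", "mail.example.com", "pass"),
    # Spoofed message from an unlisted host: no SPF pass, no valid signature.
    "spoof": AuthResults("example.com", "attacker.invalid", "fail"),
}


def run_scenarios(aspf: str = "r", adkim: str = "r") -> Dict[str, str]:
    return {name: dmarc_evaluate(r, aspf, adkim)["dmarc"] for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```

The "third_party_unaligned" scenario is exactly the vendor case from the second question above: SPF is green, yet DMARC fails, and with p=reject that vendor's mail stops being delivered. The "subdomain" scenario shows why the default relaxed alignment is usually the right starting point.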

Step 2: Set up SPF for your domain

Now that you have a list of all your valid senders, you can set up SPF to help prevent spoofing. First we need to build an SPF record, and then we will publish it in our domain's DNS.

You can create your SPF record manually. The general shape is:

v=spf1 (one mechanism per sending source) -all

where your own mail servers are listed with ip4:, ip6:, a or mx, and each third party is pulled in with include:, whose argument is a domain (the vendor's published SPF domain), not a mail server. The trailing -all tells receivers that anything not listed should fail.

For Example:

v=spf1 include:spf.protection.outlook.com include:test.net -all

where spf.protection.outlook.com covers Microsoft 365 and test.net is the SPF domain of my 3rd party email system.

Or you can use this website “SPF Generator” to generate your SPF record.

This website looks like this:

SPF Generator

Here, you can fill the required fields and can generate an SPF record for your domain:

· The first 2 fields are for the “mx” and “a” mechanisms. Click “yes” if the hosts in your domain's MX or A records send mail and should be authorized.
· Then you can enter the IPv4 addresses, IPv6 addresses, or hostnames of your own sending servers.
· In the “Includes” field, enter the SPF domains of the 3rd parties you want to include.
· The “Policy” field sets the qualifier on the final all mechanism: whether receivers should fail (-all) or merely soft-fail (~all) mail from sources not listed in the record.

After filling in all the fields, we can generate an SPF record which will look something like this:

Generated SPF Record

As a best practice, ensure that your SPF TXT record covers your third-party senders, and keep it small: SPF allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect) across the whole record, counting the ones nested inside every include. Exceeding that limit makes SPF return permerror, which DMARC treats as a failure.

Now that we have created an SPF record, we need to publish it in our domain.

First we need to login to our DNS management console.
I’m showing you the steps on how to publish this SPF record on GoDaddy.com console. You can do the same thing on your DNS console.
Follow these steps:

  • Click on the domain in question, then click the DNS button as shown in the picture below.
  • If you've never created an SPF record on the domain before, click the Add button under the Records section.
  • If you already have an SPF record, edit it instead. To check, look for a TXT record whose value starts with v=spf1. A domain must have exactly one SPF record: if two v=spf1 TXT records exist, receivers return permerror and SPF fails for all your mail.
  • Select TXT for the Type drop-down menu. Enter @ for the Host field. Enter the SPF record as the TXT Value. Then click the Save button.

Now you have published the SPF record. Because of DNS caching, the new value may take up to an hour (or longer, depending on the record's previous TTL) to appear in whatever tool you use to check it.

You can check the published record with any SPF lookup tool, or directly with a DNS query for your domain's TXT records.
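An offline check that catches the mistakes above (duplicate records, +all, too many lookups, terms after all) before the record goes live. This is an added example for this guide, not code from the original post; the sample TXT record sets are constructed, and the lookup count only covers the record itself, since nested include targets are not resolved here.

```python
import re
from typing import Dict, List, Optional

# Mechanisms/modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9_\-]+)(?:[:=/](.*))?$", re.IGNORECASE)


def check_spf(txt_records: List[str]) -> Dict[str, object]:
    """Inspect all TXT strings published at a domain and report SPF problems.
    The lookup count is a lower bound: include: targets are not followed here,
    but their own lookups count towards the limit during real evaluation."""
    problems: List[str] = []
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return {"record": None, "lookups": 0, "all": None,
                "problems": ["no v=spf1 TXT record found"]}
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published: receivers return permerror, keep exactly one")
    record = spf[0]
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in record.split()[1:]:            # skip the v=spf1 version term
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if all_qualifier is not None and name != "exp":
            problems.append(f"term {term!r} comes after 'all' and is ignored")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr is deprecated and slow; list addresses with ip4:/ip6: instead")
        if name in ("include", "redirect") and not arg:
            problems.append(f"{name} needs a domain argument")
        if name == "all":
            all_qualifier = qualifier
            if qualifier == "+":
                problems.append("+all authorises every host on the Internet to send as this domain")
            elif qualifier == "?":
                problems.append("?all is neutral: spoofed mail gets no SPF penalty")
    if all_qualifier is None and "redirect" not in record.lower():
        problems.append("no 'all' term: unlisted senders evaluate to neutral")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: permerror")
    return {"record": record, "lookups": lookups, "all": all_qualifier, "problems": problems}


# Constructed TXT record sets, as a resolver would return them for the apex.
SAMPLES = {
    # The record from this guide: Microsoft 365 plus one third party.
    "guide": ["v=spf1 include:spf.protection.outlook.com include:test.net -all"],
    # Two SPF records at the apex, a common mistake after adding a new vendor.
    "duplicate": ["v=spf1 include:spf.protection.outlook.com -all",
                  "v=spf1 include:test.net -all",
                  "google-site-verification=abc"],   # unrelated TXT, ignored
    # Everything allowed, which defeats the purpose of SPF.
    "plus_all": ["v=spf1 ip4:192.0.2.0/24 +all"],
    # Too many vendors accumulated over the years.
    "too_many": ["v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"],
}


def check_samples() -> Dict[str, Dict[str, object]]:
    return {name: check_spf(records) for name, records in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(name, result["lookups"], result["all"], result["problems"])
```

Feed check_spf the full list of TXT strings returned for the domain, not just the one you think is the SPF record; the duplicate-record case is only visible that way.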

Step 3: Set up DKIM for your custom domain

For the DKIM record there are two ways to generate and publish it: let Microsoft 365 generate the key pair for you (if that is where your mail originates), or generate your own key pair and publish the public key yourself.

First Method to set up DKIM (Microsoft 365)

· First open the DKIM page of the Microsoft 365 Defender portal:
https://security.microsoft.com/dkimv2
or
https://protection.office.com/dkimv2

· On the DKIM page, click the domain you wish to configure DKIM for.

· Slide the toggle to Enable. You will see a pop-up window stating that you need to add CNAME records.

· In the domain details flyout, click the Create DKIM keys button. Copy the two CNAME records shown in the pop-up window. For Microsoft 365 the host names are selector1._domainkey and selector2._domainkey; the two selectors exist so that Microsoft can rotate keys without an outage.

· Publish the copied CNAME records with your DNS service provider.

On your DNS provider's website, add one CNAME record for each of the two entries. Make sure the fields are set to the following values for each:

Record Type: CNAME (Alias)
Host: the host name copied from the DKIM page (selector1._domainkey or selector2._domainkey)
Points to address: the target copied from the DKIM page
TTL: 3600 (or your provider default)

· Once both CNAMEs resolve, return to the DKIM page and enable DKIM for the domain.

Second Method to setup DKIM

In this method, you first generate a key pair and the matching DKIM DNS record, and then you publish the record in your domain.

You can use this website “DKIM Generator” to create your DKIM record.

This website looks like this:

Here, fill out the relevant fields to generate the DKIM record for your domain:

· The first field is “Domain”, where you enter the domain for which you are creating this DKIM record.
· In the “DKIM Selector” field, specify a selector name for the key pair. The selector is part of the DNS name receivers query (selector._domainkey.yourdomain), so it tells them where to find the public key. Make selectors descriptive of what they sign; for example, the selector for your email marketing system could be “marketing”.
· In the “DKIM Key length” field, choose the key size. Use 2048 bits; 1024-bit RSA keys are considered weak and some verifiers treat them as unsigned.

After filling out all of the relevant fields here, we can generate a DKIM record which will look something like this:

The output shown in the above image gives us 2 things:
1. The private key
2. The public key, formatted as a DKIM DNS record

The private key must be kept secret: install it on the mail server that will sign outgoing messages, wherever your DKIM signing software expects it, and never paste it anywhere else. Anyone holding it can sign mail as your domain.

The public key is what we publish in our domain.
We'll need to add a TXT record named “(selector)._domainkey” to our DNS. With the “marketing” selector from above, the name would be “marketing._domainkey”.

The value of the record is the base64-encoded public key with a few tags that tell receivers how to interpret it, for example “v=DKIM1; k=rsa; p=(base64 public key)”. Note that a 2048-bit key produces a value longer than the 255-character limit of a single TXT string, so some DNS consoles require you to split it into two quoted strings, which resolvers join back together.
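The DNS side of the second method, written as an added example for this guide (not code from the original post or the generator site): it builds the “v=DKIM1; k=rsa; p=...” value from a DER-encoded public key, splits it into 255-character TXT strings, and parses a published record back to check the key size. The modulus is constructed with a fixed value so the block runs offline; it has the size and encoding of a real 2048-bit key but is not one, and the DER helpers are minimal by design.

```python
import base64
from typing import Dict, List

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OBJECT IDENTIFIER rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(i: int) -> bytes:
    # One extra byte when the top bit is set keeps the INTEGER positive.
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def rsa_spki(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for RSA (n, e): the bytes that go, base64
    encoded, into the p= tag. Same structure as 'openssl rsa -pubout' emits."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID + bytes.fromhex("0500"))          # rsaEncryption, NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Key size of the RSA key inside a SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki, 0)                 # SubjectPublicKeyInfo
    _, alg, after_alg = _read_tlv(body, 0)          # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _read_tlv(body, after_alg)       # BIT STRING
    _, rsa_body, _ = _read_tlv(bitstr[1:], 0)       # RSAPublicKey (skip unused-bits byte)
    _, n_bytes, _ = _read_tlv(rsa_body, 0)          # modulus INTEGER
    return int.from_bytes(n_bytes, "big").bit_length()


# --- DKIM DNS record handling ---
def dkim_record_name(selector: str, domain: str) -> str:
    return f"{selector}._domainkey.{domain}"


def dkim_txt_value(spki: bytes) -> str:
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def split_txt(value: str, limit: int = 255) -> List[str]:
    """One TXT <character-string> holds at most 255 octets; longer values are
    published as several strings that the resolver concatenates."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_record(strings: List[str]) -> Dict[str, object]:
    value = "".join(strings)          # join the strings exactly as a verifier does
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())     # drop folding whitespace
    spki = base64.b64decode(tags.get("p", ""))
    return {"tags": tags, "key_bits": rsa_modulus_bits(spki) if spki else 0,
            "revoked": tags.get("p", "") == ""}      # empty p= means "key revoked"


def demo() -> Dict[str, object]:
    # Constructed modulus: NOT a real key, it only has the right size and encoding.
    fake_n = (1 << 2047) + 0x10001
    strings = split_txt(dkim_txt_value(rsa_spki(fake_n, 65537)))
    parsed = parse_dkim_record(strings)
    return {"name": dkim_record_name("marketing", "example.com"), "strings": strings,
            "key_bits": parsed["key_bits"], "tags": parsed["tags"]}


if __name__ == "__main__":
    d = demo()
    print(d["name"], d["key_bits"], "bits in", len(d["strings"]), "TXT strings")
```

After publishing, run parse_dkim_record on the strings your resolver actually returns: a key_bits of 1024 where you expected 2048, or a base64 error, usually means a console truncated the value or a copy-paste dropped part of it.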

Step 4: Form the DMARC TXT record for your domain

For creating a DMARC record, we need 2 things:

· An aggregate report address (rua): a mailbox you control that will receive the XML aggregate reports
· A forensic report address (ruf): a mailbox for per-message failure reports, if you want them

Then we will create a DMARC record. An example of creating a DMARC record manually is shown below:

v=DMARC1; p=reject; rua=mailto:akshit@gmail.com; ruf=mailto:akshit123@gmail.com; sp=reject;

Where

· v = the version tag; it identifies the TXT record as a DMARC record. Its value must be DMARC1 and it must be the first tag in the record.
· p = the policy you ask mailbox providers to apply to mail from your domain that fails DMARC. Options are none, quarantine and reject:
  none: take no action, just collect data and send the reports
  quarantine: treat with suspicion (typically deliver to spam or junk)
  reject: block outright
· sp = the policy for subdomains. If omitted it defaults to the value of p; set it explicitly so nobody can send as anything.yourdomain.
· pct = the percentage of failing messages to which the policy is applied (default 100). It is useful for a gradual move from none to quarantine to reject.
· rua = where mailbox providers should send aggregate reports. These daily XML reports list which IP addresses sent mail as your domain and how it authenticated, so they reveal both forgotten legitimate senders and abuse. If the report address is in a different domain from the one the record is for (as the Gmail addresses in the example are), the receiving domain must publish an authorization record named yourdomain._report._dmarc.reportdomain with the value v=DMARC1, otherwise providers will not send the reports there.
· ruf = where to send forensic (per-message) failure reports. Many large providers do not send these for privacy reasons, so do not depend on them.
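A validator for the record built above, added as an example for this guide (not the original post's code or any generator's): it checks the tag rules just listed, applies the defaults for sp and pct, and flags report addresses in another domain that need the authorization record. The organizational-domain helper is the same simplification as earlier (last two labels, no Public Suffix List), and the records checked are constructed.

```python
from typing import Dict, List, Tuple

POLICIES = {"none", "quarantine", "reject"}


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); an assumption of
    this example, real code consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def dmarc_record_name(domain: str) -> str:
    """The policy is published as a TXT record at the _dmarc label."""
    return f"_dmarc.{domain}"


def parse_tags(record: str) -> List[Tuple[str, str]]:
    tags = []
    for part in record.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags.append((k.strip().lower(), v.strip()))
    return tags


def check_dmarc(domain: str, record: str) -> Dict[str, object]:
    problems: List[str] = []
    tags = parse_tags(record)
    d = dict(tags)
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("v=DMARC1 must be the first tag")
    p = d.get("p")
    if p not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    sp = d.get("sp", p)                      # subdomain policy defaults to p
    if sp not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    try:
        pct = int(d.get("pct", "100"))       # default: apply policy to all failing mail
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        problems.append("pct= must be an integer between 0 and 100")
    for k in ("adkim", "aspf"):
        if d.get(k, "r") not in ("r", "s"):
            problems.append(f"{k}= must be r (relaxed) or s (strict)")
    external = set()
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in d.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag} URI {uri!r} is not a mailto: URI")
                continue
            mailbox = uri[len("mailto:"):].split("!")[0]   # strip optional size limit
            report_domain = mailbox.rpartition("@")[2]
            if org_domain(report_domain) != org_domain(domain):
                # RFC 7489 section 7.1: the report domain must opt in to
                # receiving reports for us, or receivers will not send them.
                external.add(f"{domain}._report._dmarc.{report_domain}")
    if p == "none" and "rua" not in d:
        problems.append("p=none without rua= collects no data; add a report address")
    return {"name": dmarc_record_name(domain), "p": p, "sp": sp, "pct": pct,
            "adkim": d.get("adkim", "r"), "aspf": d.get("aspf", "r"),
            "external_authorization_needed": sorted(external), "problems": problems}


if __name__ == "__main__":
    # The record from this guide, published for the constructed domain example.com.
    print(check_dmarc("example.com",
                      "v=DMARC1; p=reject; rua=mailto:akshit@gmail.com; "
                      "ruf=mailto:akshit123@gmail.com; sp=reject;"))
```

Run it on the record for the domain it will be published under: the external-authorization list is empty only when the report mailboxes live in the same organizational domain. A common rollout is p=none with rua set, then quarantine with a low pct, then reject, checking the aggregate reports at each step.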

You can use this website “DMARC Record Generator” to create your DMARC record.

This website looks like this:

We can fill out all of the relevant fields here, which looks like this:

Now that we have generated our DMARC record, we need to publish it. Log in to the DNS management console and add a TXT record with host _dmarc (so the full name is _dmarc.yourdomain.com) and the generated record as the value. A domain should have exactly one DMARC record.

Here is what it looks like in GoDaddy’s DNS management console:

We have successfully created the DMARC record for our domain. Verify it with a DMARC lookup tool or a DNS query for the _dmarc TXT record. It may take some time for the record to propagate, so if you don't see the result, wait a while and check again. Once aggregate reports start arriving at the rua address, read them before tightening the policy: every source that fails is either a spoofer or a legitimate sender you missed in Step 1.
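Reading the aggregate reports is the step that turns DMARC from a policy into a feedback loop, so here is a parser for them, added as an example for this guide (not code from the original post). The embedded report is constructed in the RFC 7489 Appendix C schema; real reports arrive as gzip or zip attachments at the rua address and must be decompressed first.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed aggregate report (not a real one): one row from our own server
# and one from the unaligned third party seen in Step 1.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1655942400</begin><end>1656028800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounces.test.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, object]:
    """Flatten one aggregate report into per-source rows plus pass/fail totals."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    published = root.find("policy_published")
    rows: List[Dict[str, object]] = []
    totals: Dict[str, int] = defaultdict(int)
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        entry = {
            "source_ip": row.findtext("source_ip"),
            "count": count,
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": pe.findtext("disposition"),
            # policy_evaluated holds the *aligned* results DMARC used
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "spf_aligned": pe.findtext("spf") == "pass",
            # auth_results holds the raw results: which domain actually passed,
            # aligned or not. This is how you spot a vendor with its own bounce domain.
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        }
        entry["dmarc"] = "pass" if (entry["dkim_aligned"] or entry["spf_aligned"]) else "fail"
        totals[entry["dmarc"]] += count
        rows.append(entry)
    return {"reporter": meta.findtext("org_name"), "report_id": meta.findtext("report_id"),
            "domain": published.findtext("domain"), "policy": published.findtext("p"),
            "rows": rows, "pass_count": totals["pass"], "fail_count": totals["fail"]}


def failing_sources(summary: Dict[str, object]) -> List[str]:
    """Source IPs whose mail failed DMARC: either spoofing, or a legitimate
    sender missed in Step 1 (spf_domain/dkim_domain tell the two apart)."""
    return [r["source_ip"] for r in summary["rows"] if r["dmarc"] == "fail"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(s["reporter"], s["domain"], s["policy"], s["pass_count"], s["fail_count"])
    for r in s["rows"]:
        print(r["source_ip"], r["count"], r["dmarc"], r["spf_domain"], r["dkim_domain"])
```

In the constructed second row the raw SPF result is pass for bounces.test.net while the aligned result is fail: that pattern in a real report means a vendor is sending for you without an aligned identity, and with p=reject its mail is already being dropped.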

I hope you have learned and enjoyed this post!!!!

References:

https://www.sparkpost.com/resources/email-explained/dmarc-explained/
