What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a tool that helps prevent domain spoofing and phishing. However, implementing DMARC can be complex, especially when transitioning from a monitoring policy (p=none) to strict enforcement (p=reject). Because the process can be tedious, it is easy to make mistakes, and delivery issues can arise if you move to a stricter DMARC policy too quickly. Having a DMARC record set to at least p=none is now required by mailbox providers like Gmail and Yahoo for senders sending more than 3k messages a day.
This guide will help you move your DMARC policy gradually from p=none to p=reject while minimizing the risk of delivery issues.
Step 1: Assess where you currently send mail with your domain (it may be more than one place)
Before making any changes to your DMARC policy, thoroughly evaluate your current email setup. Understand which domains and subdomains are sending emails on behalf of your organization. In other words, where are all the places you send mail from with the domain whose DMARC policy you are trying to tighten?
Step 2: Set Up DMARC with p=none
Start by creating a DMARC record for your domain with the policy set to p=none. This policy instructs receiving mail servers to monitor email authentication but not to take any action based on the DMARC policy. Use a DMARC record like the following example:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]"
Replace "example.com" with your domain name. The "rua" and "ruf" tags specify where DMARC reports should be sent. We recommend using an inbox that you don’t mind being pretty full of DMARC-related mail. These reports are meant to explain what's happening when mail doesn't pass DMARC.
Step 3: Monitor DMARC Reports
DMARC reports can often be difficult to read and analyze. There are quite a few free options available online to help senders understand their DMARC reports. We recommend googling “free DMARC analyzer” and finding a tool that works best for you. Once you are familiar with the DMARC reports, analyze them to identify any unauthorized senders or sources that fail authentication.
Step 4: Gradually Increase Your DMARC Policy
As you gain confidence in your email authentication setup and ensure that legitimate senders pass authentication, gradually increase the DMARC policy from p=none to p=quarantine and then to p=reject.
We recommend taking the following steps and sending with each setting for a couple of weeks before increasing to the next level.
Change the DMARC policy to p=quarantine: This policy says that if an email sent from your domain fails DMARC, it should be sent to the recipient's spam or junk folder. Use caution when transitioning to this policy to avoid emails landing in the spam folder by accident.
Change the DMARC policy to p=reject: The policy says that if emails sent from your domain fail DMARC, then mail will be rejected (which means they’ll bounce). Before implementing this policy, ensure that all legitimate senders pass authentication and that essential emails are not inadvertently blocked.
Step 5: Monitor and Adjust
It’s a good practice to monitor DMARC reports and overall deliverability after implementing stricter DMARC policies. Adjust your policies as needed to address any issues or false positives that may arise. Regularly review reports to identify and address any anomalies or unauthorized senders.
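The report review in Steps 3 and 5 can also be scripted. The following Python is an added example, not part of the original guide: it reads one aggregate (rua) report in the RFC 7489 XML layout and lists the sending IPs whose mail fails DMARC, which are the sources that p=quarantine or p=reject would affect. The sample report and its IP addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (trimmed to the
# fields used here); the IP addresses are documentation ranges.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf>"
       "</policy_evaluated></row></record>")
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + ROW.format("192.0.2.10", 120, "pass", "fail")    # DKIM-aligned sender
    + ROW.format("192.0.2.10", 5, "fail", "fail")      # same host, unsigned mail
    + ROW.format("198.51.100.7", 40, "fail", "fail")   # source with no alignment
    + ROW.format("203.0.113.5", 3, "fail", "fail")
    + "</feedback>")

def summarize(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}}, counted in messages."""
    # Reports arrive from third parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(report_xml)
    for el in root.iter():  # some reporters add an XML namespace; strip it
        el.tag = el.tag.split("}")[-1]
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        ok = ev is not None and "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        count = int(row.findtext("count", "0"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += count
    return dict(totals)

def failing_sources(report_xml):
    """(ip, failing, passing) for sources with DMARC failures, worst first."""
    rows = [(ip, t["fail"], t["pass"])
            for ip, t in summarize(report_xml).items() if t["fail"]]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, failed, passed in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed} failing, {passed} passing at the current policy")
```

A source that shows both passing and failing mail is usually a legitimate sender with an incomplete setup, and is worth fixing before moving to the next policy level.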
What Could Happen If DMARC Isn't Increased Correctly?
Setting up DMARC too quickly before allowing yourself to monitor can cause legitimate mail to be blocked or sent to the spam folder.
Phishing and Spoofing Attacks: Without proper DMARC enforcement, malicious spammers can exploit vulnerabilities in email authentication to impersonate your domain and conduct phishing or spoofing attacks against your customers or partners.
Damage to Brand Reputation: Falling victim to phishing attacks due to a lack of DMARC implementation can damage your business's reputation and cause distrust with subscribers.
While DMARC implementation can feel overwhelming, it is a crucial piece of security for your domain and brand. These steps can help you safely and effectively add DMARC. If you feel like you need help, please reach out to our support team and they’ll help your question get to the right place!