What is a DMARC record and how do I add it to my DNS?

by Ivan Kovachev
February 6, 2019 (updated August 16, 2022)
Filed under: DMARC

As a 2019 resolution, we thought we’d share a more pragmatic blog every month to help everyone be more cyber secure. This is the first in that series so read on, we hope you find it interesting and useful!

This blog will walk you through what DMARC is, how you create a DMARC record, how you add it to your DNS using Cloudflare, and finally how you can use OnDMARC as the report processor.

First let’s dispel the myth that SPF and DKIM are prerequisites – WRONG! You don’t need those in place to get started on your DMARC journey.

Let’s start with explaining what the DMARC protocol is.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance.

It is a protocol that was built in addition to the existing protocols SPF and DKIM. It was designed to protect the domain part of your email address from being used in spoofing or phishing attacks.

For example, in the email address “john@domain.com” the part after the @ sign, domain.com, is the domain.

Authentication in DMARC is achieved by implementing SPF and DKIM for each and every legitimate service sending emails using your domain. For example, if your business uses G Suite, Mimecast, Salesforce and Mailchimp, you will need to set up SPF and DKIM for all of these services. But, DMARC needs to be implemented first in order to gain visibility into all the services that are using your domain.

DMARC provides reporting functionality, which means that by publishing the DMARC record in your DNS, you will start receiving reports showing how your domain is being used, and by whom, around the world. These DMARC reports are sent by the recipients of any emails that use your domain or subdomain as the sending address.

Your DMARC record will include one of three policies that tell recipients how to treat emails that fail DMARC validation. The initial policy you will begin with is p=none. This is reporting mode, where you gain visibility into your email environment: your email traffic is not affected and no emails are blocked. The aim is to then ramp up your policy to p=quarantine, where emails that fail DMARC are sent to the spam/junk folder, and finally to p=reject, where all fraudulent emails are blocked.

Now, let’s see what a DMARC record looks like.

To demonstrate what a DMARC record looks like we will use a subdomain called test.ondmarc.com and sign up to OnDMARC to generate the record.

Once we log in we will have to add our domain and click on Submit.

OnDMARC will analyse the added domain and check whether a DMARC record already exists for it. If no record exists, OnDMARC will generate a unique DMARC record for you to publish in your DNS.

Here is what the different DMARC record tags mean:

    Tag    Required   Meaning
    v=     required   Protocol version
    p=     required   Policy specified
    fo=    optional   Failure reporting policy
    ri=    optional   Reporting interval in seconds
    rua=   optional   Tells recipients to send aggregate reports to this address
    ruf=   optional   Tells recipients to send forensic reports to this address

For full explanation on the different DMARC record tags and samples check out this link.
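As an added example (not code from the original post or from OnDMARC), here is a small checker that splits a DMARC TXT record into its tags and verifies the required and optional tags from the table above; the reporting address is a constructed placeholder.

```python
# Added example: parse a DMARC TXT record and check its tags.
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(txt):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    tags = parse_dmarc_record(txt)
    # v= must be the first tag and must read DMARC1.
    if not txt.lstrip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    # Report addresses (rua=, ruf=) are comma-separated mailto: URIs.
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                problems.append(f"{tag}= URI must be mailto: ({uri})")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri= must be a number of seconds")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct= must be 0-100")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo= accepts only 0, 1, d, s separated by ':'")
    return problems


# Constructed sample records (placeholder address, not OnDMARC's real one).
GOOD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ri=86400"
BAD = "v=DMARC1; p=block; rua=https://example.com/reports; fo=x"

if __name__ == "__main__":
    print("GOOD:", check_dmarc_record(GOOD) or "ok")
    print("BAD:", check_dmarc_record(BAD))
```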

Adding the DMARC record in Cloudflare

Now that we have all the values for the DMARC record that needs to be created, let’s go ahead and add it to the DNS for test.ondmarc.com in Cloudflare.

  1. Log in to Cloudflare
  2. Select the account under which your domain exists
  3. Select the domain under which you would like to create the DMARC record
  4. Click the DNS app as shown below.
  5. You will be presented with the following UI, which is where you will create the DMARC record.
  6. Create and fill in the fields with the values shown by OnDMARC. In our case, the record will look like this:

The record type is TXT

The name of the record must start with “_dmarc” and, because it needs to be created under the subdomain test.ondmarc.com, the name of the record is: _dmarc.test.ondmarc.com

The value portion of the record is the DMARC record text copied over from OnDMARC.

The TTL is set to 10 minutes which is exactly 600 seconds as suggested by OnDMARC.

  7. Click on Add Record.

If the DMARC record was correctly configured, OnDMARC will detect it and the Action to create the DMARC record will disappear. Within 24 hours, OnDMARC will begin to receive your DMARC reports, which will be processed and displayed in your account.

For more information on managing DNS records in Cloudflare, please follow this link.

What do raw DMARC reports look like?

An aggregate report is an XML report designed to provide visibility into emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

The report provides domain owners with precise insight into:

  • The authentication results, and
  • The effect of the domain owner’s DMARC policy

The report contains the following:

  • The domain or organization that sent the report
  • The domain that you are receiving the report for and its current DMARC policy
  • Date
  • Sending IP address
  • Email count
  • The disposition of those emails, i.e. the policy that was applied to those emails by the receiver
  • The SPF identifier and result, if any
  • The DKIM identifier and result, if any

Here is an example of one record from a daily aggregate report. A full report wraps many such records, one per sending IP address, in a feedback element together with the report metadata and the published policy listed above; only the per-source record is shown here.

    <record>
      <row>
        <source_ip>207.254.111.143</source_ip>
        <count>1</count>
        <policy_evaluated>
          <disposition>none</disposition>
        </policy_evaluated>
      </row>
      <identities>
        <header_from>test.ondmarc.com</header_from>
      </identities>
      <auth_results>
        <dkim>
          <domain>test.ondmarc.com</domain>
          <result>pass</result>
          <human_result></human_result>
        </dkim>
        <spf>
          <domain>test.ondmarc.com</domain>
          <result>pass</result>
        </spf>
      </auth_results>
    </record>

If your domain sends a large volume of emails and it is heavily spoofed you will receive hundreds, if not thousands, of reports daily. You can see how difficult it would be to work out which senders are legitimate from those XML reports by hand. Therefore, it is important to use a report processor such as OnDMARC to receive and process the reports for you.
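To show what a report processor does with the XML above, here is an added example (not OnDMARC's code, nor from the original post) that summarises an aggregate report per source IP and re-derives the DMARC verdict from the SPF/DKIM results and their alignment with the From: domain. The report, its IP addresses and report ID are constructed, and the alignment check is a simplification that skips the Public Suffix List lookup a real processor performs.

```python
# Added example: summarise a DMARC aggregate report per sending IP.
import xml.etree.ElementTree as ET

# Constructed sample report (made-up IPs and report id, two sources).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver.net</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>test.ondmarc.com</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated></row>
    <identities><header_from>test.ondmarc.com</header_from></identities>
    <auth_results><dkim><domain>test.ondmarc.com</domain><result>pass</result></dkim>
      <spf><domain>test.ondmarc.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated></row>
    <identities><header_from>test.ondmarc.com</header_from></identities>
    <auth_results><spf><domain>spoofer.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def aligned(auth_domain, header_from):
    """Relaxed alignment, simplified: same domain or one is a subdomain of the other.
    A real processor compares organizational domains via the Public Suffix List."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def dmarc_pass(record):
    """DMARC passes if SPF or DKIM passes *and* that identifier aligns with From:."""
    header_from = record.findtext("identities/header_from", "")
    for mech in ("dkim", "spf"):
        for r in record.findall(f"auth_results/{mech}"):
            if r.findtext("result") == "pass" and aligned(r.findtext("domain", ""), header_from):
                return True
    return False


def summarise(xml_text):
    """Return {source_ip: {"count", "dmarc", "disposition"}} for each record."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        summary[ip] = {
            "count": int(rec.findtext("row/count", "0")),
            "dmarc": "pass" if dmarc_pass(rec) else "fail",
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_REPORT).items():
        print(ip, info)
```

The second source passes SPF for its own domain but that domain does not align with test.ondmarc.com, so DMARC fails while the published p=none policy still leaves the disposition at none.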

OnDMARC will provide all the necessary setup instructions for configuring each identified legitimate service correctly with SPF and DKIM so that emails originating from those sending services are DMARC compliant.

To sign up for a 14 day free trial just follow this link.

Summary of the DMARC deployment process

  1. Use a DMARC report processor such as OnDMARC to generate and create the DMARC record
  2. Go through the reports and identify any legitimate sending services
  3. Configure each sending service with SPF and DKIM
  4. Once all sending services have been identified and configured correctly with SPF and DKIM, you can start ramping up your DMARC policy to either p=quarantine or p=reject. Depending on the size of your company and the volume of emails sent from your domain(s), you may decide to ramp up your policy in increments by using the percentage tag (pct=) in your DMARC record.

As the only integrated cloud email and brand protection platform, Red Sift automates BIMI and DMARC processes, makes it easy to identify and stop business email compromise, and secures domains from impersonation to prevent attacks. 
