As a 2019 resolution, we thought we’d share a more pragmatic blog every month to help everyone be more cyber secure. This is the first in that series so read on, we hope you find it interesting and useful!
This blog will walk you through what DMARC is, how you create a DMARC record, how you add it to your DNS using Cloudflare, and finally how you can use OnDMARC as the report processor.
First let’s dispel the myth that SPF and DKIM are pre-requisites – WRONG! You don’t need those in place to get started on your DMARC journey.
Let’s start with explaining what the DMARC protocol is.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
It is a protocol that was built in addition to the existing protocols SPF and DKIM. It was designed to protect the domain part of your email address from being used in spoofing or phishing attacks.
For example, in the email address “john@domain.com” the part in bold is the domain.
Authentication in DMARC is achieved by implementing SPF and DKIM for each and every legitimate service sending emails using your domain. For example, if your business uses G Suite, Mimecast, Salesforce and Mailchimp, you will need to set up SPF and DKIM for all of these services. But, DMARC needs to be implemented first in order to gain visibility into all the services that are using your domain.
DMARC provides reporting functionality, which means that by publishing the DMARC record in your DNS, you will start receiving reports showing how your domain is being used and by who around the world. These DMARC reports are sent by the recipients of any emails that use your domain or subdomain as the sending address.
Your DMARC record will include one of three policies that will tell recipients how to treat emails that fail DMARC validation. The initial policy you will begin with is p=none. This is reporting mode where you are gaining visibility into your email environment. At this point your email traffic will not be affected and no emails will be blocked. The aim is to them ramp up your policy to p=quarantine, where emails that fail DMARC will be sent to the spam/junk folder, and finally to p=reject where all fraudulent emails will be blocked.
Now, let’s see what a DMARC record looks like.
To demonstrate what a DMARC record looks like we will use a subdomain called test.ondmarc.com and signup to OnDMARC to generate the record.
Once we login we will have to add our domain and click on Submit.
OnDMARC will analyse the added domain, see whether or not a DMARC record exists for this domain. If no record exists then OnDMARC will generate a unique DMARC record for you to publish in your DNS.
Here is what the different DMARC record tags mean:
Tag | Required | Meaning |
v= | required | Protocol Version |
p= | required | Policy specified |
fo= | optional | Failure reporting policy |
ri= | optional | Reporting interval in seconds |
rua= | optional | Tells recipients to send aggregate reports to this address |
ruf= | optional | Tells recipients to send forensic reports to this address |
For full explanation on the different DMARC record tags and samples check out this link.
Adding the DMARC record in Cloudflare.
Now that we have all the values for our DMARC record that needs to be created let’s go ahead and add it to the DNS for test.ondmarc.com in Cloudflare.
- Log in to Cloudflare
- Select the account under which your domain exists
- Select the domain under which you would like to create the DMARC record
- Click the DNS app as show below.
- You will be presented with the following UI which is where you will create the DMARC record.
- Create and fill in the fields with the values shown by OnDMARC. In our case, the record will look like this:
The record type is TXT
The name of the record must start with “_dmarc” and because it needs to be created under the subdomain of test.ondmarc.com, the name of the record is: _dmarc.test.odmarc.com
The value portion of the record above contains the following which was copied over from OnDMARC.
The TTL is set to 10 minutes which is exactly 600 seconds as suggested by OnDMARC.
- Click on Add Record.
If the DMARC record was correctly configured, OnDMARC will detect it and the Action to create the DMARC record will disappear. Within 24 hours, OnDMARC will begin to receive your DMARC reports, which will be processed and displayed in your account.
For more information on managing DNS records in Cloudflare, please follow this link.
What do raw DMARC reports look like?
An aggregate report is an XML report designed to provide visibility into emails that passed or failed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
The report provides domain owners with precise insight into:
- The authentication results, and
- The effect of the domain owner’s DMARC policy
The report contains the following:
- The domain or organization that sent the report
- The domain that you are receiving the report for and its current DMARC policy
- Date
- Sending IP address
- Email count
- The disposition of those emails ie. the policy that was applied to those emails by the receiver
- The SPF identifier and result, if any
- The DKIM identifier and result, if any
Here is an example of a daily aggregate report.
<record>
<row>
<source_ip>207.254.111.143</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
</policy_evaluated>
</row>
<identities>
<header_from>test.ondmarc.com</header_from>
</identities>
<auth_results>
<dkim>
<domain>test.ondmarc.com</domain>
<result>pass</result>
<human_result></human_result>
</dkim>
<spf>
<domain>test.ondmarc.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>207.254.111.143</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<result>pass</result>
<human_result></human_result>
</record>
If your domain sends a large volume of emails and it is heavily spoofed you will receive hundreds, if not thousands, of reports daily. You can see how difficult it would be to determine what is a legitimate sender or not from those XML reports. Therefore, it is important to use a report processor such as OnDMARC to receive and process the reports for you.
OnDMARC will provide all the necessary setup instructions for configuring each identified legitimate service correctly with SPF and DKIM so that emails originating from those sending services are DMARC compliant.
To sign up for a 14 day free trial just follow this link.
Summary of the DMARC deployment process
- Use a DMARC report processor such as OnDMARC to generate and create the DMARC record
- Go through the reports and identify any legitimate sending services
- Configure each sending service with SPF and DKIM
- Once all sending services have been identified and configured correctly with SPF and DKIM, you can start ramping up your DMARC policy to either p=quarantine or p=reject. Depending on the size of your company and volume of emails sent from your domain(s) you may decide to ramp up your policy in increments by using the percentage tag in your DMARC record.
As the only integrated cloud email and brand protection platform, Red Sift automates BIMI and DMARC processes, makes it easy to identify and stop business email compromise, and secures domains from impersonation to prevent attacks.
