Implementing DMARC (Domain-based Message Authentication Reporting and Conformance) is the best way to defend your customers, your brand, and your employees from phishing and spoofing attacks.
DMARC is built upon two other authentication protocols: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). You should have SPF and DKIM on your Envelope From and Friendly From domains before proceeding with DMARC. (For a refresher on how DMARC works, check out this blog post.)
While the implementation process can get tricky, building your DMARC record doesn’t have to be. Follow the steps below to build your DMARC record in 15 minutes—or less!
Step 1: Verify domain alignment (aka identifier alignment)
Begin by opening the email headers from the emails you send. Identify the domain or subdomain listed in the following places:
- The Envelope From (e.g., Return Path or Mail-From)
- The “Friendly” From (i.e., “Header” From)
- The d=domain in the DKIM-Signature
Are your domain names identical? If so, then your domains are aligned and you will be able to instruct mailbox providers to reject any malicious emails purporting to be from your brand. If not, you can still proceed to create your DMARC record and work with your messaging, IT, and/or security teams to get aligned.
Step 2: Identify email accounts to receive DMARC reports
Through DMARC, you will receive aggregate and forensic (message level) reports daily. Designate the email account(s) where you want to receive these reports. You may want to use two separate accounts, as you could get inundated with the data.
DMARC reports are very difficult to parse because they are provided in raw format. Partnering with a company like Return Path can help you and your team make sense of them—fast.
Step 3: Learn the DMARC tags
DMARC tags are the language of the DMARC standard. They tell the email receiver (1) to check for DMARC and (2) what to do with messages that fail DMARC authentication.
There are many DMARC tags available, but you do not have to use them all. In fact, we recommend keeping it simple. Focus on the v=, p=, fo=, rua, and ruf tags. Our recent blog post, Demystifying the DMARC Record, breaks down what tags to use and why.
Step 4: Generate your DMARC record with Return Path’s DMARC Creation Wizard
Using our DMARC Creation Wizard, generate a DMARC text record in your DNS for each sending domain. Set the mail receiver policy to “none,” indicating DMARC’s “monitor” mode.
With DMARC in monitor mode, you can gather the information on your entire email ecosystem, including who is sending email on behalf of your brand, what emails are getting delivered, and what emails are not.
Request to receive the daily aggregate and forensic reports by specifying your email address in the rua tag and the ruf tag, respectively. Use the email address(es) you identified in step two above.
Your record should look something like this:
v=DMARC1; p=none; fo=1; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org
Congratulations! You have created your DMARC record. The next step is implementation.
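As an added example (not code from the original post or from Return Path), the script below performs the Step 1 alignment check on a constructed header block and sanity-checks a record in the format shown above. It goes slightly beyond the post: besides the exact-match ("strict") alignment described in Step 1, it also reports DMARC's default "relaxed" alignment, which only requires a shared organizational domain; the organizational-domain helper is a deliberate simplification.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

# Constructed sample headers (not from a real message) carrying the three identifiers Step 1 asks for.
SAMPLE_HEADERS = """Return-Path: <bounces@bounce.example.com>
From: "Example Corp" <news@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to; bh=...; b=..."""

def identifiers(headers):
    """Extract the Envelope From, Header From and DKIM d= domains from a raw header block."""
    pat = {"envelope_from": r"^Return-Path:.*?@([\w.-]+)",
           "header_from": r"^From:.*?@([\w.-]+)",
           "dkim_d": r"^DKIM-Signature:.*?\bd=([\w.-]+)"}
    return {k: re.search(p, headers, re.M | re.I).group(1).lower() for k, p in pat.items()}

def org_domain(domain):
    """Crude organizational domain (last two labels); real checks use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(ids):
    """Strict = exact match with the Header From (as in Step 1); relaxed = same organizational domain."""
    hf = ids["header_from"]
    return {"spf_strict": ids["envelope_from"] == hf,
            "spf_relaxed": org_domain(ids["envelope_from"]) == org_domain(hf),
            "dkim_strict": ids["dkim_d"] == hf,
            "dkim_relaxed": org_domain(ids["dkim_d"]) == org_domain(hf)}

def parse_dmarc(record):
    """Split a DMARC TXT record into an ordered tag->value dict; whitespace around ';' is optional."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of problems with the record; an empty list means it is ready to publish."""
    tags, problems = parse_dmarc(record), []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        if tag in tags and not all(u.strip().startswith("mailto:") for u in tags[tag].split(",")):
            problems.append(f"{tag}= must be a comma-separated list of mailto: URIs")
    return problems
```

With the constructed headers, SPF alignment passes only in relaxed mode (bounce.example.com vs example.com) while DKIM aligns in both modes, which is exactly the situation the "work with your messaging, IT, and/or security teams to get aligned" advice in Step 1 addresses.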
Step 5: Implement your DMARC record into DNS
Work with your DNS server administrator to add your DMARC record to DNS and start monitoring your chosen domain.
That might be your primary domain or a carefully selected test domain. You will start receiving reports and see where email traffic using that domain is coming from. Perhaps you will identify some vendors or partners you didn’t realize were sending on your behalf. Perhaps you will be surprised to find that there is—or isn’t—a significant volume of fraudulent messages using that domain and where those messages are coming from.
To learn about how other companies, industries, and mailbox providers are using DMARC to eliminate the impact of email fraud, download The DMARC Intelligence Report.