DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email security protocol that helps prevent fake emails (phishing or spam) from being sent on behalf of your domain. It ensures that only authorized parties can send emails that appear to come from your domain. Here's how to easily set up DMARC:
1. Understand the Basics
To set up DMARC, you need to consider three key elements:
- SPF (Sender Policy Framework): This checks whether a sender is authorized to send email on behalf of your domain.
- DKIM (DomainKeys Identified Mail): This adds a digital signature to the email to verify its authenticity.
- DMARC: This brings both together and tells email servers how to handle emails that don't comply with SPF or DKIM rules.
2. Check your SPF and DKIM
Before setting up DMARC, make sure your SPF and DKIM are configured correctly:
- SPF: You need to set up an 'SPF record' in your domain's DNS (domain name server). This is a line of text that specifies which servers are allowed to send emails on behalf of your domain.
- DKIM: This also requires a DNS record containing a cryptographic key, which is used to digitally sign your emails.
3. Set up DMARC
Now that your SPF and DKIM are working, you can set up DMARC via a 'DMARC record' in your DNS. This is a TXT record that you add to your domain and looks something like this:
v=DMARC1; p=none; rua=mailto:reports@yourdomain.nl; ruf=mailto:reports@yourdomain.nl; pct=100Let's explain this simply:
- v=DMARC1 This indicates that this is a DMARC record.
- p=none This tells you what to do with an email that doesn't meet DMARC rules. The options are:
- none: Do nothing, just report.
- quarantine: Mark suspicious emails as spam.
- reject: Reject emails that don't meet the requirements.
- rua=mailto:reports@yourdomain.nl: This is the email address where you'll receive a report of all emails sent through your domain, both successful and failed.
- ruf=mailto:reports@yourdomain.nl: This provides a more detailed report for each failed email (optional).
- pct=100: This determines what percentage of emails should meet DMARC rules. At 100%, all emails are checked.
4. Monitor first (p=none)
Start by setting 'p=none', which means you only receive reports and don't take action on emails that fail. This helps you see how many emails don't meet SPF or DKIM rules, without the risk of legitimate emails being blocked.
5. Analyze the reports
Once you receive the reports, check who is trying to send emails on behalf of your domain. If all goes well, you should only see authorized servers in the reports. If there are any unknown senders, you should address them.
6. Set stricter rules
Once you're sure your email system is working properly, you can make the DMARC rule stricter:
- Change 'p=none' to 'p=quarantine' to send suspicious emails to spam.
- Finally, you can set 'p=reject' to completely block unauthenticated emails.
7. Continue Monitoring
Even after fully configuring DMARC, it's important to continue checking the reports. This ensures your domain remains secure and that only authorized emails are accepted.
Summary
1. Ensure SPF and DKIM are working.
2. Add a DMARC record in your DNS.
3. Start with 'p=none' and analyze the reports.
4. Gradually increase the strictness to 'p=quarantine' and 'p=reject'.
5. Continue monitoring the reports for security.