DMARC Deployment Guide

DMARC is a very important security feature you should be enabling in your organization or company. It protects malicious users from trying to spoof your domain. For more information on what DMARC is, and how your organization will benefit from it please read this blog post from a few months ago. https://www.clusterednetworks.com/blog/post/domain-spoofing-protect-your-domain.

STEP 1 - Roll Out DMARC Gradually

DMARC is designed to be rolled out gradually, otherwise you could break your email flow process for your organization.

To begin with make sure you have your DKIM and SPF Settings as accurate as possible and make sure your email is flowing properly. This set is very important to have all of your ducks in a row BEFORE you enable DMARC.

In deploying DMARC, your ultimate goal will be to start with a "none" (p=none) policy that only monitors email flow, and then eventually change to a policy to quarantine (p=quarantine) and then reject (p=reject) that will handle all unauthenticated messages properly.

A none policy lets you start getting reports without the risk of your messages being rejected or sent to spam by receiving servers. You can also set your DMARC policy to apply only to a percentage of the messages sent from your organization. These two features let you deploy DMARC gradually, while remaining in control of your mail flow. (e.g pct=25 then pct=50 then pct=75 then pct=100)



STEP 2 - Start with a relaxed DMARC policy (p=none)

Start with a DMARC record with enforcement set to none, and an email address configured to get daily DMARC reports. This lets you start getting reports without risking messages from your domain being rejected or marked as spam by receiving servers. We recommend using this record for at least one week. One week is usually long enough for the daily reports to contain data that is representative of all your mail streams.

Review your daily DMARC reports to verify that messages from your domain are sent by known authorized servers, and pass authentication checks. Be sure to watch for mail from other scources such as your webserver or perhaps a marketing campaign such as "constant contact" "Mail Chimp" or some other cloud based service your organization may use.

We recommend you start with a DMARC policy isn’t too restrictive or that applies to only a small percentage of your mail traffic, for example:

Sign in to your domain host to update the DMARC DNS TXT record at your domain provider. Enter a policy that applies to 100% of messages but has enforcement set to none: v=DMARC1; p=none; rua=mailto:[[email protected]]

The policy is applied to 100% of all messages received by mail servers. However enforcement is set to none, so messages are delivered normally, even when they don’t pass DMARC authentication. Every mail server that gets mail from your domain sends daily reports to [[email protected]]

STEP 3 - Review DMARC reports

Each day, review the reports you receive to find out:

  • What servers or third-party senders are sending mail for your domain
  • What percent of messages from your domain pass DMARC
  • Which servers or services are sending messages that fail DMARC

Look for any problem trends in your mail flow such as:

  • If recipients get valid messages from you? and are the messages sent to the spam folder?
  • If you’re getting bounce or error messages from recipients.
  • To fix problems with messages from your domain being rejected or sent to spam.

Continue to review your daily reports by verifying the updated record still includes the rua tag with your email or mailbox address. We recommend you stay in this phase for at least 7 to 10 days before moving to the next phase. The duration of this phase will vary, depending on your organization size and mail flow.

STEP 4 - Quarantine a small percentage of messages (p=quarantine)

After monitoring DMARC reports for at least a week with no adverse results, update your policy to quarantine , and add the pct tag to apply the policy to a small percent of your mail. For example:

Sign in to your DNS host to update the DMARC DNS TXT record at your domain provider. Add a policy that applies to 10% of messages and has enforcement set to quarantine (p=quarantine). Messages in the 10% that don’t pass DMARC are sent to recipients’ spam folder: v=DMARC1; p=quarantine; pct=10; rua=mailto:[[email protected]]

The policy is applied to only 10% of messages received by mail servers. Messages that don’t pass DMARC are delivered to recipients’ spam folder. Only a small percent of messages are impacted, and recipients can review messages that are sent to spam. Every mail server that gets mail from your domain sends daily reports [[email protected]] Small organizations might have a good understanding of all mail flows and can apply the policy to a larger percent of messages than large organizations. Large organizations often have multiple mail flows that can include legacy servers and third-party senders.

We recommend large organizations gradually increase the percent of messages affected, to reduce the risk of many messages being rejected or marked as spam. A small organization might start with quarantining 10% and a very large enterprise might start with 1% or 2%.

STEP 5 - Reject all unauthenticated messages (p=reject)

This is the final step in deploying DMARC. When you’re sure that most or all of the messages sent from your domain are aligned, and passing authentication (SPF and DKIM), you can enforce a stricter (p=reject) DMARC policy.

If DMARC is working as expected, ramp up your policy so the DMARC record policy is set to reject for 25% then 50% then , 75% then 100% of messages sent from your organization. For example:

Sign in to your DNS host to update the DMARC DNS TXT record at your domain provider. Update the record to be more strict. For example: v=DMARC1; p=reject; pct=25; rua=mailto:[[email protected]]

The policy affects all messages received by mail servers. If the record doesn’t include the pct tag, the policy applies to 100% of messages sent from your domain. All messages that fail DMARC authentication are rejected. The sender can receive a bounce message for each rejected message. As a final note, be sure to monitor your DMARC reports on a regular basis and watch for any abnormalities in your mail flow.

For more additional resources on DMARC Deployment please visit these sites.

Need assistance in deploying DMARC for ultimate email security? We offer SPF / DKIM and DMARC consulting services at Clustered Networks. Please contact us for more information.

Posted in Linux Network Admin Tips, Network Security Tips on Apr 14, 2021