DMARC Tutorial
How to set up a DNS DMARC record | Protect Your Domain
Author: Emad Zaamout
Sunday, October 17, 2021
Table of Contents
- Introduction
- What is DMARC?
- DMARC - Aggregate Report (RUA)
- DMARC - Forensic Report (RUF)
- How to create a DMARC Record?
- DMARC Tags Table
- What is an SPF Record?
- SPF Record – Qualifiers
- SPF Record – Mechanism
Introduction
Welcome back
In this tutorial, we're going to cover SPF, DKIM and DMARC records.
If you own a domain, it's very important that you have those records set up to prevent email spoofing and fraud, and to prevent your emails from being marked as spam.
Finally, I will show you how you can obtain both your free Aggregate and Forensic Reports so you can monitor emails sent from your domain.
This is a DNS course, so you should be comfortable adding DNS records, such as a TXT record, to your domain.
Before we get started, don’t forget to subscribe to our channel to stay up to date with our latest training videos.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting and Conformance.
DMARC was first published in 2012. It is a protocol built by Google, Microsoft, Yahoo and PayPal to prevent email abuse, and it is supported by all major mail service providers (if not all).
DMARC is used to determine the authenticity of an email message. It lets you control who can send emails using your domain and allows you to set various instructions for the receiving email server.
To get started with DMARC, you must have both your SPF and DKIM records set.
The DMARC record is a TXT record added to your domain's DNS. It contains instructions for the receiving email server on how to handle mail sent on your domain's behalf that does not align with your policy.
We can also specify an email address inside our DMARC TXT record so that we receive two very important reports:
- DMARC - Aggregate Report (RUA).
- DMARC - Forensic Report (RUF).
What is a DMARC Aggregate Report (RUA)?
A DMARC aggregate report contains information about the authentication status of messages sent on your domain's behalf. Aggregate reports are free reports that are sent to you and contain information such as:
- Source that sent the message.
- Domain that was used to send the message.
- Sending IP address.
- Number of messages sent on a specific date.
- DKIM/SPF sending domain.
- DKIM/SPF authentication result.
- DMARC results.
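Aggregate reports arrive as XML in the RFC 7489 schema, one `record` per sending source. The following is an added example (not part of this tutorial) that summarises such a report: the receiver name, report id, domains and IP addresses in the sample are constructed, and `summarize_rua` is my own helper name.

```python
# Added example (not part of the tutorial): summarise a DMARC aggregate (RUA)
# report. Receivers send these as XML in the RFC 7489 schema; the sample below is
# constructed for example.com and uses documentation IP addresses.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>1</report_id>
    <date_range><begin>1634428800</begin><end>1634515200</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarize_rua(xml_text):
    """Return (published_policy, per_source_rows) from one aggregate report."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    policy = {"domain": pol.findtext("domain"), "p": pol.findtext("p"),
              "pct": int(pol.findtext("pct") or 100)}
    rows = []
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # raw SPF domain: a pass for a foreign domain is not aligned with header_from
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim": dkim, "spf": spf, "disposition": ev.findtext("disposition"),
            # policy_evaluated already reflects alignment: DMARC passes if either passes
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return policy, rows
```

The second record shows why the report matters: SPF passed for bulk.example.org, but because that domain is not aligned with the header From, the receiver evaluated it as a DMARC failure and applied the published reject policy.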
What is a DMARC Forensic Report (RUF)?
A DMARC forensic report is generated when SPF or DKIM does not align with your DMARC policy.
Forensic reports are free reports sent to you ONLY when an email sent using your domain fails DMARC authentication. They contain information such as:
- The email “to” field.
- The email “from” field (From address, Mail From address, DKIM from address).
- IP address of the sender.
- The email “Subject” field.
- Authentication result (SPF, DKIM, DMARC).
- Message ID.
- URLs.
- Delivery result.
- ISP information.
How to create a DMARC Record?
You create a DMARC record by creating a TXT record for your domain named “_dmarc”. For example, if your domain name is ahtcloud.com, then your DMARC TXT record name is: _dmarc.ahtcloud.com
For example, this is a DMARC record: "v=DMARC1;p=reject;pct=100;rua=mailto:support@ahtcloud.com;ruf=mailto:support@ahtcloud.com; fo=1; adkim=s; aspf=s;"
The syntax of a DMARC record is basically a list of tags separated by semicolons:
“tag=value;tag=value;”
At the bare minimum, your DMARC record will look like this: "v=DMARC1;p=reject;".
The “v” tag specifies the DMARC protocol version. There is only 1 DMARC version available which is DMARC1. This is a required field so you should always include it.
The “p” tag allows you to specify how you want mail service providers to handle emails that are sent using your domain identity but are not aligned with your policy.
You have 3 options: do nothing (set p=none), quarantine the email, or reject the email. I highly recommend you set it to reject the email to prevent anyone from sending emails using your domain name.
Both the “v” and “p” tags are required. Now we will cover all the optional tags.
The “sp” tag is an optional tag. Like the “p” tag, it allows you to specify your policy, but for subdomains. If you don’t include it, then the value specified in your “p” tag is used.
The “pct” tag is an optional tag. It allows you to specify the percentage of email messages to which your stated DMARC policy applies. The value can be anywhere from 1 to 100. I always recommend you set it to 100%. This tells the email receiver to apply your policy (reject, if you followed the advice above) to 100% of emails that fail DMARC authentication.
The “rua” tag is also an optional tag. It allows you to specify an email address or addresses to receive DMARC Aggregate Feedback reports. I cannot emphasize enough how important it is to have this field set up. Even if your domain does not send emails, you should always set this so you can get insights into domain spoofing or phishing attacks that impersonate your domain. You can specify multiple emails by separating them with a comma.
I always recommend you have this tag set. The value of the “rua” tag can be any valid email address.
The “ruf” tag is also an optional tag. It’s like the “rua” tag but allows you to specify an email address or addresses to receive your DMARC Forensic reports. I always recommend you have this tag as well, even if your domain is not sending emails. The Forensic reports are sent to you when someone attempts to send an email impersonating your domain and it fails your DMARC authentication. It instructs the email service providers to send you a copy of that email.
The “fo” tag is an optional tag. It allows you to tell email service providers that you want email samples when emails fail authentication. You have 4 options:
- The 0 value generates a report if all authentication mechanisms fail. This means both your SPF and DKIM checks fail.
- The 1 value generates reports if any of your authentication mechanisms fail: SPF OR DKIM.
- The d value generates reports for DKIM failures.
- The s value generates reports for any SPF failure.
You can specify multiple values by separating them with a colon.
I personally recommend you set the “fo” tag to 1 so you receive a copy of any email sent on your behalf that fails either SPF or DKIM authentication.
The “aspf” tag is an optional tag. You can use this tag to specify whether you want your SPF alignment to be strict or relaxed. By default, if you don’t include this option it's set to strict, which is the best option. Remember guys, your SPF policy basically makes sure all emails sent using your domain are authorized to be sent.
The “adkim” tag is identical to “aspf”, but it is for your DKIM alignment.
The “rf” tag is an optional tag. Honestly, at this point it's useless to include. This tag allows you to specify the DMARC Forensic report format. There's only 1 value, which is afrf, and it is used by default. You shouldn’t need to include this, but that could change in the future if more report formats are added.
The last available tag you can use is the “ri” tag. This is also an optional tag. The “ri” tag allows you to specify the aggregate report interval in seconds. The minimum and default value is 86400 seconds, which equates to 24 hours. This means every 24 hours you will receive a DMARC Aggregate report. I recommend you keep it at the minimum.
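To put the tag rules together, here is an added example (my own code, not part of this tutorial) that parses a record of the shape shown above, fills in the defaults a receiver applies, and warns about the settings the tutorial advises against. The function names `parse_dmarc` and `check_dmarc` and the warning texts are mine; the defaults in the code follow RFC 7489, which makes relaxed alignment the default when aspf/adkim are omitted.

```python
# Added example (not from the tutorial): parse a DMARC TXT record into tags,
# fill in receiver-side defaults and flag weak settings. Note that per RFC 7489
# aspf/adkim default to "r" (relaxed) when omitted, so set them explicitly.
REQUIRED = ("v", "p")
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0",
            "rf": "afrf", "ri": "86400"}

def parse_dmarc(record):
    """Split 'tag=value;tag=value;' into an ordered dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' leaves an empty element
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record):
    """Return (effective_tags, warnings); effective_tags includes defaults."""
    tags = parse_dmarc(record)
    warnings = [f"missing required tag '{t}'" for t in REQUIRED if t not in tags]
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        warnings.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        warnings.append(f"invalid p value {tags.get('p')!r}")
    eff = {**DEFAULTS, **tags}
    eff.setdefault("sp", eff.get("p"))  # subdomain policy falls back to p
    if eff["p"] == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    pct = eff["pct"]
    if not pct.isdigit() or not 1 <= int(pct) <= 100:
        warnings.append(f"pct must be 1-100, got {pct!r}")
    elif int(pct) < 100:
        warnings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        warnings.append("no rua tag: you will receive no aggregate reports")
    for uri in eff.get("rua", "").split(","):
        if uri and not uri.strip().startswith("mailto:"):
            warnings.append(f"rua entry is not a mailto: URI: {uri.strip()!r}")
    for tag in ("aspf", "adkim"):
        if eff[tag] == "r":
            warnings.append(f"{tag}=r: relaxed alignment (set {tag}=s for strict)")
    return eff, warnings
```

Running it on the full record from this tutorial produces no warnings, while the bare-minimum "v=DMARC1;p=reject;" record is flagged for the missing rua tag and the two relaxed alignment defaults.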
DMARC Tags Table
Tag | Required | Description | Example
---|---|---|---
v | Required | DMARC protocol version. | v=DMARC1
p | Required | Policy telling the email receiver how to handle messages that fail DMARC. | p=none, p=quarantine, p=reject
sp | Optional | Like “p” (above) but for subdomains. | sp=none, sp=quarantine, sp=reject
pct | Optional | Percentage of messages to which the DMARC policy is applied. | pct=100
rua | Optional | Where aggregate DMARC reports should be sent. | rua=mailto:emailaddress
ruf | Optional | Where forensic DMARC reports should be sent. | ruf=mailto:emailaddress
fo | Optional | Lets email providers know you want message samples of emails that fail SPF and/or DKIM. 4 values: 0: generate a DMARC failure report if all authentication mechanisms fail (SPF and DKIM) (default). 1: generate a DMARC failure report if any authentication mechanism fails (SPF or DKIM). d: generate a DKIM failure report for DKIM failures. s: generate an SPF failure report for SPF failures. | fo=0, fo=1, fo=d, fo=s (or multiple) fo=0:1:d:s
aspf | Optional | Strict or relaxed SPF alignment. | aspf=r, aspf=s
adkim | Optional | Strict or relaxed DKIM alignment. | adkim=r, adkim=s
rf | Optional | Forensic reporting format. Set by default; only 1 option available. | rf=afrf
ri | Optional | Aggregate report interval in seconds. Specifies the interval between reports. Default is 86,400 seconds (24 hours, minimum value). | ri=86400