    What is DMARC and Why is it so Important?

    By Rob Vogl

    DMARC

    DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an e-mail authentication system that helps a receiving mail server determine what to do when a message fails either SPF or DKIM. Microsoft recommends that SPF, DKIM and DMARC all be set up with your DNS provider. This helps prevent spoofing and phishing attacks against your organization. DMARC specifically lets the receiving organization decide what to do with e-mails that fail the checks, applying the action specified in the record you create.

    So how does DMARC work? The receiving host applies the SPF and DKIM checks, validates the results against the published DMARC policy and decides what the next step is. With DMARC you can specify that a failing message be blocked, quarantined or delivered, and that the result be reported back to the sender. This is all set up via a DNS TXT record at your DNS provider.

    Before setting up DMARC, you must have your SPF and DKIM records in place to perform the message checks. SPF is a single DNS TXT record, which Microsoft provides when you add a new custom domain in the Microsoft 365 Admin Center. The default record is below:

    TXT Name: @

    Value: "v=spf1 include:spf.protection.outlook.com -all"

    If you have any other locations that mail may be sent from, for example an on-premises Exchange server, you must add the appropriate IP address or range to your SPF record. Otherwise the SPF check will fail, and the mail will follow the actions of your DMARC record. The following table shows the available attributes you can add to an SPF record:

    Record start                                           v=spf1

    Exchange Online Protection                             include:spf.protection.outlook.com

    If your MX servers are also used for sending e-mail    mx

    If you use third party e-mail services                 include:<3rd party SPF record>
        where <3rd party SPF record> will be provided by your service provider

    If you want to specify an IPv4 that will send e-mail   ip4:<IP v4 Address>
        where <IP v4 Address> will be replaced with the actual IPv4 address

    If you want to specify an IPv6 that will send e-mail   ip6:<IP v6 Address>
        where <IP v6 Address> will be replaced with the actual IPv6 address

    Record end                                             <enforcement rule>
        where <enforcement rule> can be:
        -all – Anything not in the list will fail
        ~all – Anything not in the list will soft fail (avoid using this)

    So, for example, if you want to add an IP address to your SPF record, it would look like the following:

    TXT Name: @

    Value: "v=spf1 ip4:192.168.16.42 include:spf.protection.outlook.com -all"
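    To see how a receiving host actually applies a record like the one above, here is an added example (not code from the original article or from Microsoft) of a minimal SPF evaluator in Python. It implements only the mechanisms in the table (ip4, ip6, include, mx, a and the -all/~all enforcement rule) and resolves them against a constructed, in-memory stand-in for DNS; the records for fabrikam.example, the shortened spf.protection.outlook.com record and all IP addresses are made-up values, not real published data.

```python
import ipaddress

# Constructed stand-in for DNS (assumption): TXT, MX and A answers keyed by name.
# The spf.protection.outlook.com entry is a shortened, made-up copy, not the real record.
FAKE_DNS = {
    "txt": {
        "contoso.com": "v=spf1 ip4:192.168.16.42 include:spf.protection.outlook.com -all",
        "fabrikam.example": "v=spf1 mx include:spf.protection.outlook.com ~all",
        "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip6:2a01:111:f400::/48 -all",
    },
    "mx": {"fabrikam.example": ["mail.fabrikam.example"]},
    "a": {"mail.fabrikam.example": ["203.0.113.10"]},
}

# Qualifier prefix -> SPF result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate domain's SPF record for a message sent from sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (include chain too deep). Only the mechanisms listed in the
    table above (ip4, ip6, include, mx, a, all) are implemented.
    """
    record = dns["txt"].get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms; this also stops include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass if matched"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a network of the other address family never contains ip, so ip4/ip6 self-filter
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include: matches only when the referenced domain's record yields "pass"
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        elif name == "mx":
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        elif name == "a":
            matched = str(ip) in dns["a"].get(arg or domain, [])
        else:
            continue  # unknown term: skip rather than guess
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no trailing "all"


if __name__ == "__main__":
    for dom, ip in [("contoso.com", "192.168.16.42"), ("contoso.com", "198.51.100.7"),
                    ("fabrikam.example", "203.0.113.10"), ("fabrikam.example", "198.51.100.7")]:
        print(dom, ip, "->", check_spf(dom, ip))
```

    The contrast between the two records shows why the table advises against ~all: a host missing from contoso.com's record gets a hard "fail" that DMARC can act on, while the same host sending for fabrikam.example only gets "softfail".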

    Once you have your SPF record written and published at your DNS provider, you will need to set up your DKIM records. DKIM requires two DNS CNAME records per domain. The reason for this is that each record will contain a private key that every e-mail sent from this domain will be marked with. When the mail is delivered, it is checked to confirm that the private key applied matches the one in your DNS. It is recommended that the private key be rotated every four months.

    The two CNAME records must be written exactly right, otherwise Microsoft will not allow DKIM to be enabled. Below is the format for both records:

    Host name: selector1._domainkey.<domain>

    Points to: selector1-<domainGUID>._domainkey.<initialDomain>

    Host name: selector2._domainkey.<domain>

    Points to: selector2-<domainGUID>._domainkey.<initialDomain>

    where <domain> is your domain name, <domainGUID> is your domain GUID and <initialDomain> is your initial domain.

    For example, if you had a domain of contoso.com, the required records would be the following:

    Host name: selector1._domainkey.contoso.com

    Points to: selector1-contoso-com._domainkey.contoso.onmicrosoft.com

    Host name: selector2._domainkey.contoso.com

    Points to: selector2-contoso-com._domainkey.contoso.onmicrosoft.com

    Once both CNAME records are created and replicated, DKIM can be enabled within the Exchange Admin Center under Protection > DKIM.
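    Because the CNAMEs must match exactly before DKIM can be enabled, a quick pre-flight check against what DNS actually returns saves a round trip to the Exchange Admin Center. The following Python is an added example, not code from the article or from Microsoft. It builds the two expected host name and target pairs from the format above and compares them with a constructed set of CNAME answers (the fabrikam.example and tailspin.example entries are made up to show a missing record and a mistyped one). The rule that <domainGUID> is the domain with its dots replaced by hyphens is an assumption taken from the contoso.com example; verify it against your own initial-domain MX record.

```python
# Constructed CNAME answers (assumption): owner name -> target, as a resolver might return them.
FAKE_CNAMES = {
    "selector1._domainkey.contoso.com": "selector1-contoso-com._domainkey.contoso.onmicrosoft.com",
    "selector2._domainkey.contoso.com": "selector2-contoso-com._domainkey.contoso.onmicrosoft.com.",
    # fabrikam.example: only the first of the two records was created
    "selector1._domainkey.fabrikam.example": "selector1-fabrikam-example._domainkey.fabrikam.onmicrosoft.com",
    # tailspin.example: both exist, but the domainGUID part of selector1 was typed wrong
    "selector1._domainkey.tailspin.example": "selector1-tailspin._domainkey.tailspin.onmicrosoft.com",
    "selector2._domainkey.tailspin.example": "selector2-tailspin-example._domainkey.tailspin.onmicrosoft.com",
}

SELECTORS = ("selector1", "selector2")


def domain_guid(domain):
    """Assumption drawn from the page's contoso.com example: dots become hyphens."""
    return domain.lower().replace(".", "-")


def expected_dkim_cnames(domain, initial_domain):
    """Build the two 'Host name -> Points to' pairs from the format above."""
    guid = domain_guid(domain)
    return {
        f"{sel}._domainkey.{domain.lower()}": f"{sel}-{guid}._domainkey.{initial_domain.lower()}"
        for sel in SELECTORS
    }


def check_dkim_cnames(domain, initial_domain, cnames=FAKE_CNAMES):
    """Return a list of problems; an empty list means both CNAMEs are exactly right."""
    problems = []
    for host, target in expected_dkim_cnames(domain, initial_domain).items():
        actual = cnames.get(host)
        if actual is None:
            problems.append(f"{host}: CNAME missing")
            continue
        # DNS names are case-insensitive and resolvers may append a trailing dot,
        # so normalise before the exact comparison Microsoft requires
        if actual.lower().rstrip(".") != target:
            problems.append(f"{host}: points to {actual}, expected {target}")
    return problems


if __name__ == "__main__":
    for dom in ("contoso.com", "fabrikam.example", "tailspin.example"):
        initial = dom.split(".")[0] + ".onmicrosoft.com"
        print(dom, check_dkim_cnames(dom, initial) or "OK")
```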

    Now that both SPF and DKIM are in place, all that is left is to create one more DNS TXT record for DMARC. With DMARC you have many more options to customize the policy than you would with SPF or DKIM. The table below lists the different tags you can set:

    v – Version (required)
        DMARC1

    p – Policy (required)
        none: No specific action is to be taken regarding delivery of messages.
        quarantine: E-mail that fails the DMARC check should be considered suspicious.
        reject: E-mail that fails the DMARC check should be rejected.

    sp – Policy for all subdomains (optional, defaults to the parent domain policy if omitted)
        none: No specific action is to be taken regarding delivery of messages – useful for monitoring.
        quarantine: E-mail that fails the DMARC check should be considered suspicious.
        reject: E-mail that fails the DMARC check should be rejected.

    adkim – Indicates whether strict or relaxed DKIM Identifier Alignment mode is required (optional, defaults to r if omitted)
        r: relaxed mode – Both the authenticated signing domain and the sender domain can be a subdomain of each other to be considered aligned.
        s: strict mode – Only an exact match between the two domains is considered to produce Identifier Alignment.

    aspf – Indicates whether strict or relaxed SPF Identifier Alignment mode is required (optional, defaults to r if omitted)
        r: relaxed mode – Both the authenticated signing domain and the sender domain can be a subdomain of each other to be considered aligned.
        s: strict mode – Only an exact match between the two domains is considered to produce Identifier Alignment.

    rua – Addresses to which aggregate feedback is to be sent (optional)
        E-mail addresses in the format mailto:[email protected]; multiple addresses should be comma separated.

    ruf – Addresses to which message-specific failure information is to be reported (optional)
        E-mail addresses in the format mailto:[email protected]; multiple addresses should be comma separated.

    rf – Format to be used for message-specific failure reports (optional, defaults to afrf if omitted)
        afrf: Authentication Failure Reporting Using the Abuse Reporting Format, as described in RFC 6591.
        iodef: Incident Object Description Exchange Format, as described in RFC 5070.

    ri – Interval requested (in seconds) between aggregate reports (optional, defaults to 86400 if omitted)
        32-bit unsigned integer, from 0 to 4,294,967,295.

    fo – Requested options for generation of failure reports (optional, defaults to 0 if omitted)
        0: Generate a DMARC failure report if all underlying mechanisms fail.
        1: Generate a DMARC failure report if any underlying mechanism produced something other than an aligned "pass" result.
        d: Generate a DKIM failure report if the message had a signature that failed evaluation.
        s: Generate an SPF failure report if the message failed SPF evaluation.

    pct – Percentage of messages to which the DMARC policy is to be applied; this allows a slow rollout of DMARC enforcement (optional, defaults to 100 if omitted)
        Integer between 0 and 100, inclusive.

    Below is an example of a DMARC record I created for one of my clients:

    TXT Name: _dmarc.contoso.com

    Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; ri=84600; fo=1

    This record states that no action is applied directly to the message, but reports on all messages are sent to the [email protected] distribution group every 24 hours (84600 seconds). This is just one of numerous configurations you can set in your DMARC record. You could also keep the reporting but reject or quarantine any mail that fails its respective checks. It is completely up to your discretion or your company's policies, and you can modify the record at any time adjustments need to be made.
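    To tie the tag table and the sample record back to the "how does DMARC work" description earlier, here is an added Python example (not code from the article or from Microsoft) that parses a DMARC TXT value, fills in the table's defaults, and works out the disposition a receiver would apply to a message given its SPF and DKIM results, the alignment modes, the subdomain policy and the pct rollout. The sample record is the one above with placeholder report addresses substituted; the organizational-domain rule (last two labels) and the sample parameter that replaces the receiver's random draw against pct are simplifications labelled as assumptions in the code. The interval helper reports whatever ri is set, so for comparison the table's default of 86400 seconds comes out as exactly 24 hours.

```python
# Tag defaults as listed in the table above (v and p have no default: they are required).
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "rf": "afrf", "ri": "86400", "fo": "0", "pct": "100"}

# Constructed example record (assumption): the record above with placeholder report addresses.
EXAMPLE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; "
                  "ruf=mailto:dmarc-fail@example.com; ri=84600; fo=1")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict and fill in the table's defaults."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("a valid record needs v=DMARC1 and p=none|quarantine|reject")
    for name, default in DMARC_DEFAULTS.items():
        tags.setdefault(name, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to the parent policy
    return tags


def report_interval_hours(tags):
    """Requested aggregate-report interval, converted from seconds to hours."""
    return int(tags["ri"]) / 3600


def org_domain(domain):
    """Simplification (assumption): organizational domain = last two labels.
    Real receivers consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed an organizational-domain match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=1):
    """Decide what a receiver does with one message.

    from_domain is the header From domain the user sees, spf_domain the envelope
    (MAIL FROM) domain SPF evaluated, dkim_domain the d= tag of the signature.
    sample (1-100) stands in for the receiver's random draw against pct
    (assumption, so results are reproducible).
    Returns 'pass', 'none', 'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough for DMARC
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample > int(tags["pct"]):
        # message falls outside the pct rollout: apply the next less strict policy
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    tags = parse_dmarc(EXAMPLE_RECORD)
    print("policy:", tags["p"], "subdomain policy:", tags["sp"],
          "reports every", report_interval_hours(tags), "hours")
    print(dmarc_disposition(EXAMPLE_RECORD, "contoso.com", "fail", "other.example",
                            "fail", "other.example"))
```

    Two behaviours worth noticing: with p=none the record is purely a monitoring configuration, since even a message that fails both checks is delivered; and with a strict adkim, a signature from mail.contoso.com no longer counts for a From: of contoso.com, which is exactly the case the relaxed default is meant to allow.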

    For more information email [email protected]
