DMARC Implementation

How to Implement

 

DMARC, step-by-step.

Brand owners wishing to better protect customers against phishing and other fraudulent activities should leverage a DMARC record. Follow these 5 steps:

  1. Deploy SPF and DKIM:

    While not a requirement to begin using DMARC, brands that want to leverage DMARC as a means to enforce blocking policies at mailbox providers should have already deployed and tested SPF and DKIM. Simple deployment of a DMARC record can provide valuable insight into a company’s mail streams and any server configuration issues.

  2. Align identifiers:

    Audit internal systems to ensure that, in mail received by mailbox providers, all Authenticated Identifiers (the RFC5322.From domain and the SPF and DKIM domains) within messages are in alignment.

  3. Create a DMARC record and append to DNS:

    Publish a DMARC policy of “none” and include a feedback reporting email address to receive aggregate feedback data from Mail Receivers. See sample record below.

    _dmarc.senderdomain.com:
    "v=DMARC1; p=none; rua=mailto:dmarc_agg@auth.senderdomain.com;
    ruf=mailto:dmarc_afrf@auth.senderdomain.com"

  4. Analyze the data and modify your mail streams as appropriate:

    Review and tune authentication deployments. Use the provided feedback data to remediate unauthenticated email streams and correct identifier alignment issues. This is a good opportunity to discover email that, for example, passes SPF checks but is missing DKIM signatures, since such email will inevitably fail authentication when forwarded.

  5. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience:

    Once you are confident that authentication is accurate, publish a DMARC policy of “quarantine” with a reasonably small value for “pct”. Debug false positives (due to missed unsigned mail streams) while gradually increasing the value of “pct” to 100. Fully secure mail streams. When “pct” reaches 100 with no observed ill effects, publish a DMARC policy of “reject” with a reasonably small value for “pct”. Repeat the debugging and corrective process as necessary.
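
The step 4 analysis, as an added example that is not part of the original page: it triages one aggregate (rua) report by source IP, separating mail that passes on SPF alone (the forwarding-fragile case described in step 4) from mail that fails DMARC outright. The sample report is constructed in the RFC 7489 layout without an XML namespace, and all function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate report layout (documentation IPs).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>senderdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.com</header_from></identifiers></record>
</feedback>"""

def classify(dkim, spf):
    """Map the aligned DKIM/SPF results of one row to a triage bucket."""
    if dkim == "pass":
        return "ok"          # aligned DKIM signature is present
    if spf == "pass":
        return "spf_only"    # passes today, but has no DKIM to fall back on
    return "dmarc_fail"      # would be affected by quarantine/reject

def triage(report_xml):
    """Return {bucket: Counter(source_ip -> message count)} for one report."""
    if "<!DOCTYPE" in report_xml:  # reports come from third parties: refuse DTDs
        raise ValueError("DTD not allowed in aggregate report")
    buckets = {"ok": Counter(), "spf_only": Counter(), "dmarc_fail": Counter()}
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        bucket = classify(ev.findtext("dkim", "fail"), ev.findtext("spf", "fail"))
        buckets[bucket][row.findtext("source_ip")] += int(row.findtext("count", "0"))
    return buckets

def dmarc_pass_rate(buckets):
    """Fraction of reported mail that passes DMARC (either mechanism aligned)."""
    total = sum(sum(c.values()) for c in buckets.values())
    passing = sum(buckets["ok"].values()) + sum(buckets["spf_only"].values())
    return passing / total if total else 0.0

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, sources in result.items():
        print(name, dict(sources))
    print(f"DMARC pass rate: {dmarc_pass_rate(result):.1%}")
```

Sources in the `spf_only` bucket are the ones to fix with DKIM signing before raising “pct”; sources in `dmarc_fail` are either unauthenticated legitimate streams or mail you want the policy to act on.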

Return Path Can Help

While you can manage your DMARC implementation on your own, it does require a significant amount of planning, resources and program management, and it tends to result in a considerable amount of data for your internal team to process. Alternatively, Return Path can assist you with the implementation, data processing, policy enforcement and reporting activities associated with your DMARC plan. Contact us to learn more about how we can help!