The ‘Quick and Dirty’ Guide to DMARC

2 minute read

Earlier this year, we implemented DMARC records and reporting for e2e-assure.com. In this blog post, we look at what DMARC is, and the benefits it can provide.

What?

DMARC is a free system which helps reduce email spoofing of your domain, using a combination of authentication and verification technologies. In short, it’s a way of protecting your brand.

Essentially, DMARC instructs recipients which actions should be taken upon receipt of a spoofed email for your domain. SPF, DKIM, and DMARC work together to do this. There’s a great explanation of what these are, from the UK National Cyber Security Centre (NCSC):

SPF, DKIM, and DMARC overview from the NCSC blog (From ‘Making email mean something again’ by the NCSC)

Why?

As a managed cyber security services provider, we need to ensure e2e-assure.com isn’t spoofed in emails!

One such organisation having great success with DMARC is HMRC. Previously one of the most spoofed and phished brands in the world, HMRC are now using DMARC - stopping around half a billion spoofed emails a year - detailed on their blog post ‘Combating phishing - a (very) big milestone’.

Almost every company wants (and needs) to protect their brand - and you don’t need to be as big as HMRC to benefit from using DMARC. After implementing SPF, DKIM, and DMARC, we’ve seen around 30 spoofed emails a week being scuppered by our DMARC policy.

Then What?

First, you need to implement your SPF and DKIM records - added in your DNS records (and for DKIM, using a key from your mailserver). After these are in place, it’s time to move onto formulating your DMARC record (we used the awesome guide from Global Cyber Alliance).

After a period of ‘soft fail’ DMARC enforcement (enabling information to be gathered on any additional sending sources), it’s time to move to ‘hard fail’. This involves setting if emails should be quarantined (marked as junk) or blocked (not delivered at all).

Most recipient email providers also provide DMARC compliance reports in XML format - like so:

DMARC report XML

(images courtesy of Return Path)

These can be sent to a DMARC report aggregator to provide collated reports, provising useful insights over time. There’s both free and paid-for report aggregators - we’ve been using the excellent DMARC reporting tool from Postmark.

For public sector organisations, the NCSC will be providing a free aggregator - MailCheck - which they have also open-sourced on GitHub.

Wrap-up

So, in conclusion: why should your organisation use DMARC?

  • It helps protect recipients from phishing attacks
  • It ensures you know who is sending on behalf of you (including without permission!)
  • It helps protect your brand and reputation

Updated: