Friday, September 15, 2023

Show HN: Hello Inbox – Free email deliverability checklist for marketers

DMARC records allow senders to indicate that their emails are protected by SPF and/or DKIM, and to give receivers instructions for what to do if neither of those authentication methods passes. Please be sure you have SPF and DKIM records set up before using DMARC. Becoming DMARC compliant involves more than just adding a TXT record to your DNS records. It's a process that can take several weeks to months, depending on your sending volume and on the email marketing platforms or email delivery providers that send email on your behalf.

If you're setting up DMARC for the first time, we recommend setting a policy of p=none and collecting aggregate data with a DMARC monitoring service. You can then monitor reports and slowly bring your domain into compliance over time.

DMARC compliance will prevent malicious actors from abusing your domain reputation, which can in turn impact your deliverability. This is what a typical DMARC compliance process looks like:

  1. Add a DMARC record to your domain host records with a policy of p=none
  2. Collect data from DMARC reports using a monitoring service for several weeks or months depending on your organization
  3. Perform an audit and adjust your SPF & DKIM records if necessary to bring your domain into alignment
  4. Collect more data from DMARC reports for several weeks or months depending on your organization
  5. Perform an audit, adjust your SPF & DKIM records if necessary and enforce a stricter DMARC policy of p=quarantine
  6. Continue collecting data from DMARC reports for several weeks or months depending on your organization
  7. Perform a final audit, adjust your SPF & DKIM records if necessary and enforce the strictest DMARC policy of p=reject
  8. Continue collecting DMARC reports and monitoring your sending habits

The goal of becoming DMARC compliant is to eventually enforce a policy of p=reject. Setting a reject policy will ensure that malicious email which uses your domain and fails DMARC is stopped. The intended recipient of the malicious email will never become aware of it, as it will never get sent to a spam or quarantine folder. Since it's completely blocked, these emails are never delivered and end-users cannot be tricked into clicking on a malicious link or opening a dangerous attachment.

The downside is if legitimate emails are failing authentication and emails get rejected, the receiver will never know they are not receiving the intended email. For organizations not actively using a reporting system to monitor authentication, it could take months to discover that legitimate email is not being delivered, potentially hurting marketing programs or other opportunities to engage with prospects, customers and partners. This is why it's important to take DMARC compliance step-by-step, use a monitoring service and incrementally enforce a stricter DMARC policy.

Choose a DMARC monitoring service

Before creating your DMARC record, start by choosing a monitoring service to process reports and monitor DMARC compliance.

Create your DMARC record

Individual failure reports, or Forensic Reports, are copies of individual pieces of email that fail the DMARC check.

Add your DMARC record

Similar to SPF and DKIM, DMARC records are created by adding a TXT record to your DNS records. Since you now have experience adding a TXT record, you should already know what to do. Below is an example DMARC record to guide you.
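
The staged rollout described above (p=none, then p=quarantine, then p=reject) can be audited from the TXT value itself. The following Python is an added example, not part of the original checklist: it parses a DMARC record, flags a missing rua= reporting address or a partial pct=, and names the next rollout step. The example.com domain, the report mailbox and the sample records are constructed placeholders.

```python
# Added example; domains and report mailboxes are constructed placeholders.

POLICIES = ("none", "quarantine", "reject")  # rollout order, weakest to strictest


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; reject malformed records."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag; this check also insists on p=
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or invalid p= policy")
    tags["p"] = tags["p"].lower()
    return tags


def audit(txt):
    """Return (policy, findings) for one record."""
    tags = parse_dmarc(txt)
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    pct = int(tags.get("pct", "100"))
    if tags["p"] != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if tags["p"] != "reject":
        nxt = POLICIES[POLICIES.index(tags["p"]) + 1]
        findings.append(f"next rollout step: p={nxt} once reports show aligned mail")
    return tags["p"], findings


# Constructed sample records, one per rollout stage (published at _dmarc.example.com)
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", audit(record))
```

The third sample shows the failure mode the checklist warns about: a reject policy with no reporting address, where rejected legitimate mail would go unnoticed.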



from Hacker News https://ift.tt/dpHhRDm
