How to Set Up DMARC: Step-by-Step Guide

Posted on September 20, 2024

We'll explain how to configure DMARC for your company's email, including what you'll need and how to add DMARC to your DNS. Just follow these DMARC setup steps! But before we begin, here’s a high-level overview of how to add DMARC to your DNS.

  1. Add your DMARC record into your DNS
  2. Select the TXT record type
  3. Add the host value (see details below)
  4. Add the value information (see details below)
  5. Save the DMARC record
  6. Validate the DMARC setup (see details below)

For more details, read on. 
 

Why Is DMARC Important?

Thanks to its sheer ubiquity and undeniable usefulness, email has never been more important. But it has also never been secure, thanks to one critical flaw: Anyone can send email using someone else's identity. And per CSO Online, email has become a $775 million-a-month bonanza for cybercriminals who spoof corporate email accounts to impersonate top executives and trusted brands in phishing scams targeting employees, customers, and the general public.

These aren't just one-off attacks anymore, either. We've reported extensively on the increasingly sophisticated ways imposters are posing as suppliers to defraud entire corporate supply chains. Today, email impersonations account for more than half of all Internet-related business losses, and are implicated in 67% of all data breaches.

But the damage done from these attacks extends far beyond their immediate victims. Get impersonated, and your company can face lost business, lawsuits, and steep regulatory fines. What's more, negative news stories and social media tirades over crimes committed in your brand's good name can render your legitimate, revenue-generating emails all kinds of toxic, if they aren't blacklisted all together.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps organizations prevent all this from happening. Here's how.
 

How DMARC Strengthens Email Authentication & Domain Protection

First introduced in 2012 by a consortium of industry leaders, DMARC is an open standard authentication protocol that works with SPF and DKIM to prevent the fraudulent use of legitimate brands in email attacks. More than 2.5 billion mailboxes are DMARC-enabled worldwide.

At its most essential, DMARC enables email receiver systems to recognize when an email isn't coming from a specific brand's approved senders, and gives the brand the ability to tell receivers systems what to do with these unauthorized emails.

With DMARC in place, you can:

  • Authenticate all legitimate email messages and sources for your email-sending domains, including those from your own infrastructure, as well as those sent by business units and third-party email partners
  • Instruct email providers what to do with unauthenticated email messages by establishing a DMARC enforcement policy
  • Gain visibility into the legitimate and fraudulent uses of your domains, so you can work with takedown venders to stop cybercriminals from hijacking your brand in email scams

dmarc authentication process

 

FAQs

You can add a DMARC record to the DNS server in less than 5 minutes painlessly and without the need for technical support.

First, you need to make sure that your Office 365 account is properly linked to your domain and has been verified. You'll need to:

  1. Refer back to your domain registrar and go to the DNS manager.
  2. Select the DMARC policy that you'd like to enforce:
    1. p=none
    2. p-quarantine
    3. p=reject
  3. Add an email address where DMARC reports can be sent.
  4. Create the TXT record value based on the attributes you've used in the "value" field.

To pass DMARC, a message must pass at least one of these checks: Sender Policy Framework (SPF) authentication and alignment, as well as DomainKeys Identified Mail (DKIM) authentication and alignment. 


What Is an Enforcement Policy?

When you set a DMARC enforcement policy for your organization, you are instructing email receiving systems what to do when email purporting to come from your approved domains fails authentication. These policies include:

  • p=none: Email is delivered to its intended recipient without restriction
  • p=quarantine: Email that fails authentication is sent to the intended recipient's junk folder
  • p=reject: Email that fails authentication gets deleted and never reaches its intended recipient
     

The Mechanics of DMARC

DMARC uses DNS as the mechanism for policy publication. DMARC records are hosted as TXT DNS records in a DMARC specific namespace, which is created by prepending "_dmarc" to the email domain.

For example, if the email domain "example.com" publishes a DMARC record, issuing a DNS query for the TXT record at "_dmarc.example.com," will retrieve the DMARC record. Email receiver systems use the policies published to inform how they process emails purporting to come from the sender's email domain.
 

DMARC Setup Steps for Your DNS

You should have SPF and DKIM deployed and authenticating messages for at least 48 hours before setting up DMARC. Then, you can follow these DMARC setup steps to add DMARC to your DNS.

Step 1: Create a DMARC Record

  • Use our DMARC Setup Tool to easily create the required TXT record. It should look something like this example:V=DMARC1; p=none; rua=mailto:dmarc-feedback@
    This example record instructs receiver systems to generate and send aggregate feedback to "dmarc-feedback@" your domain. The p=none tag indicates you are only interested in collecting feedback. Alternatively, you could use a p=quarantine, or p=reject tags for emails that fail authentication.

Step 2: In your DNS, follow these DMARC setup steps to create a DNS TXT record

  • Log into the management console of your DNS hosting provider, and while this can vary by provider, you want to locate the page that allows you to add a DNS TXT record

Step 3: In the Type box, select TXT Record Type

Step 4: In the Host Value box, enter _dmarc as the "host"

Step 5: In the TXT Value box, enter the record you created using DMARC Record Creator

Step 6: Save the DMARC record

Step 7: Validate the DMARC setup

Use DMARC Checker to verify your record has been set up correctly

Go to our DMARC tool

Taking DMARC to Task & Scale

Setting up DMARC in DNS only takes a few minutes. But to be effective against brand impersonation, DMARC must be set to its highest enforcement level, p=reject. And while this is relatively straightforward when you're talking about a single domain, it can be complicated and time consuming for organizations with thousands of domains spanning dozens of email senders and outside email distribution partners.

However, when deployed using automated DMARC implementation solutions such as Agari DMARC Protection, large organizations have been able to rapidly drive phishing-based brand impersonations to near zero. Not only does this preserve brand reputation and the efficacy of revenue generating email programs, it also protects employees, customers, partners and the general public from costly email scams.

For more information on DMARC adoption and its benefits, download Getting Started with DMARC

READ THE GUIDE
Related Products
DMARC Protection
Related Solutions
DMARC Email Authentication
Related Content