Domain-based Message Authentication, Reporting and Conformance, otherwise known as DMARC, is a protocol used for email authentication. It gives domain owners the ability to protect their domain from email spoofing and other unauthorized use. It is to your benefit to enable DMARC for your domain because it lets receiving mail systems know whether an email claiming to come from your domain is legitimate. I’m using Office 365 for email, but this applies to whatever you’re using as well. In this article we’ll go over the steps needed to set up DMARC in Office 365.
Setup DMARC in Office 365
We previously set up DKIM for Office 365, and as a measure to strengthen our security posture, we’re going to set up DMARC in Office 365 as well.
- Log in to your DNS provider. I’m using Cloudflare, so I’ll set it up there
- Create a new TXT record
- In the name field, type: _dmarc
- In the value field, type: v=DMARC1; p=none; rua=mailto:[email protected]
- Set the TTL to 5 minutes to allow for quick DNS propagation. Be sure to change it to 1 hour afterwards
Here’s a quick break down of what the above values mean.
DMARC Explained – Quick breakdown
Name or Hostname value (Domains and subdomains)
- Hostnames will usually be _dmarc for the root domain, e.g. _dmarc.thesysadminchannel.com
- Subdomains should have _dmarc.subdomain. e.g. _dmarc.subdomain.thesysadminchannel.com
Value or Content
- There are two required tag-value pairs that MUST be present in every DMARC record. They are “v” and “p”.
- The only valid tag-value pair for “v” is v=DMARC1
- The “p” tag can be set to none, quarantine, or reject, e.g. p=none or p=quarantine or p=reject
- The “rua” & “ruf” tags support multiple email addresses with each separated by a comma e.g. rua=mailto:[email protected]
- It is recommended to start out with “p=none” so you can identify any issues with mail flow. After some time, change it to quarantine or reject.
How To Confirm If DMARC Is Enabled and Working
Now that we have set up DMARC for our domain, we want to make sure everything is working as expected. So now the question is, how can we check to see if DMARC is enabled and working? Let’s head on over to https://mxtoolbox.com/dmarc.aspx so they can do the heavy lifting for us.