DMARC: What's going on?

By - Lewis
26.02.25 10:54 AM
Email security is a critical component of any organisation's cybersecurity strategy. Yet, despite its importance, many businesses have been slow to adopt DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC helps prevent email spoofing, phishing, and other cyber threats, but its implementation has lagged behind.

In this article, we'll explore why DMARC adoption has been slow and provide a step-by-step guide on how to set it up for your domain.

What is DMARC?

DMARC is an email authentication protocol designed to protect domains from being used for email spoofing and phishing attacks. It works by ensuring that emails sent from your domain are properly authenticated using SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

A DMARC policy tells receiving mail servers what to do when an email fails authentication—whether to monitor (no action), quarantine (send to spam), or reject (block outright) unauthorised emails.

How DMARC Works

  1. SPF and DKIM Check: The recipient's mail server checks if the email passes SPF and DKIM authentication.
  2. DMARC Policy Evaluation: Based on the configured DMARC policy (none, quarantine, or reject), the server determines what to do with the email.
  3. Reports Sent: The recipient’s mail server sends DMARC reports back to the domain owner, providing insights into email activity and unauthorised email attempts.

(Diagram: the DMARC process)
Simple, eh?

Why Has DMARC Adoption Been Slow?

Despite its benefits, DMARC adoption has been sluggish. Here’s why:

  1. Complexity of Implementation: Setting up DMARC requires proper configuration of SPF and DKIM records, which can be confusing for businesses without dedicated IT teams.
  2. Risk of Email Deliverability Issues: If DMARC is misconfigured, legitimate emails could be rejected or marked as spam, disrupting communication. This risk makes many hesitant to enforce strict policies.
  3. Lack of Awareness: Many businesses don’t realise that their domains can be exploited for email spoofing. Without awareness of the risks, there’s little urgency to adopt DMARC.
  4. Perceived as a ‘Big Business’ Solution: Some SMEs believe DMARC is only necessary for large enterprises, not realising that any domain can be targeted by email fraud.
  5. The "Set It and Forget It" Mindset: Some companies implement DMARC at the none policy level for reporting purposes but never move to stricter enforcement (quarantine or reject).

How to Set Up DMARC for Your Domain

To implement DMARC, you need access to your domain’s DNS settings. Here’s how to do it step by step.

Step 1: Set Up SPF (Sender Policy Framework)
SPF helps verify that emails sent from your domain come from authorised mail servers.

1. Log into your DNS provider (e.g., Ostratto Hosting, GoDaddy, 123Reg).
2. Locate the DNS settings for your domain.
3. Add a TXT record with the following format: 

v=spf1 include:mailprovider.com -all

  • Replace mailprovider.com with your email service provider (e.g., Google Workspace, Microsoft 365).
  • The "-all" means that emails not listed in SPF should be rejected.

4. Save the record and allow time for propagation.

Step 2: Set Up DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails, verifying their authenticity.

1. In your email provider’s admin panel, look for DKIM settings.
2. Enable DKIM and generate a public key.
3. Add a TXT record in your DNS settings using the provided values.
4. Save the record and enable DKIM signing.

Step 3: Configure DMARC
Once SPF and DKIM are in place, set up DMARC to define how unauthorised emails should be handled.

1. In your DNS settings, add a new TXT record for _dmarc.yourdomain.com.
2. Use the following format:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain.com; pct=100;

  • p=none: This starts DMARC in monitoring mode (change to quarantine or reject later).
  • rua: Email address to receive aggregate reports.
  • ruf: Email address to receive forensic reports.
  • pct=100: Applies the policy to 100% of emails.

3. Save the record and wait for propagation.

Step 4: Monitor Reports & Adjust Policy
1. Use DMARC report analysis tools like DMARC Analyzer, Agari, or Postmark to interpret reports.
2. If all legitimate email sources pass DMARC, update the policy:

p=quarantine or p=reject

3. Continue monitoring to ensure no critical emails are affected.
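As an added example (not part of the article, and not Ostratto's code), here is a small Python checker for the SPF and DMARC records described in Steps 1 and 3: it flags a record still sitting at p=none, a missing rua address, a permissive +all, and more than ten lookup-costing SPF terms. It inspects the record text only and never queries DNS; the example.com addresses used with it are placeholders.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
# Mechanisms/modifiers that cost a DNS lookup; 'all' and ip4/ip6 do not.
LOOKUP_RE = re.compile(r"^(?:[+\-~?]?(?:include|a|mx|ptr|exists)(?:[:/]|$)|redirect=)", re.I)

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    pairs = (p.partition("=") for p in record.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_dmarc(record: str) -> list:
    """Findings for a DMARC TXT record; an empty list means it looks sound."""
    tags, issues = parse_dmarc(record), []
    if not record.lstrip().startswith("v=DMARC1"):
        issues.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in POLICIES:
        issues.append("p must be one of none, quarantine, reject")
    elif policy == "none":  # the 'set it and forget it' state the article warns about
        issues.append("p=none only monitors; move to quarantine or reject once sources pass")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        issues.append("pct must be an integer from 0 to 100")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports will not be delivered")
    for tag in ("rua", "ruf"):
        uris = tags[tag].split(",") if tag in tags else []
        if any(not u.strip().lower().startswith("mailto:") for u in uris):
            issues.append(f"{tag} entries must be mailto: URIs")
    return issues

def check_spf(record: str) -> list:
    """Static checks on an SPF TXT record; does not resolve included domains."""
    terms, issues = record.split(), []
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    all_at = next((i for i, t in enumerate(terms) if t.lstrip("+-~?").lower() == "all"), None)
    if all_at is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        if terms[all_at][0] not in "-~?":  # bare 'all' means '+all'
            issues.append("+all lets any server send as your domain")
        if all_at != len(terms) - 1:
            issues.append("terms after 'all' are never evaluated")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:  # RFC 7208 limit, counted here at the top level only
        issues.append(f"{lookups} DNS-lookup terms at top level; SPF allows 10 in total")
    return issues
```

Run it against the record you are about to publish before saving it in DNS, and again after changing p from none to quarantine or reject.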

Final Thoughts

DMARC is a crucial tool for preventing email spoofing and phishing attacks, yet its adoption remains slow due to its perceived complexity and risk of email deliverability issues. However, with careful setup and monitoring, businesses can implement DMARC effectively without disrupting legitimate email flow.

If you're still unsure about setting up DMARC for your domain, or would like this to be taken care of - we're just a message away.