Email has become an integral part of communication, whether you’re running a small business or you’re a larger corporation. Since email is so widely used in daily life, many assume it’s safe and secure. Yet no one knows where every email comes from — and therein lies the problem. However, email authentication is a best practice that can help alleviate some of the risk. On the topic of email security, our article The top 6 reasons to separate business email from your server looks at the value of our Premium Email Hosting product offering, which has many advanced features to block cyber threats related to email.

Every email that comes to your domain — or appears to come from your domain — could allow bad actors to commit fraud against your company or harm its online reputation. How can you guarantee that your domain has the most secure setup available? Using Domain-based Message Authentication, Reporting & Conformance (DMARC), any business can have a reliable email infrastructure, allowing staff to receive and send email messages free from concern for their security.

This article will discuss how to set up DMARC for your domain. Setting up DMARC turns out to be a relatively simple process that gives you extensive control over your domain. That said, DMARC should be your first line of defense against cybercriminals. But first, we need to look at the key points of this article together with a high-level overview.

Key points

When you're done reading this article, you will have gained information about:

  • Learning the purpose behind the Domain-based Message Authentication, Reporting & Conformance (DMARC) policy specification.
  • Understanding what a DMARC record is in the context of email.
  • Knowing what the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation methods are used for.
  • Having an answer for the question, what is a TXT record in the context of DNS records?
  • Creating DMARC records and what is involved with their use.
  • Setting up DMARC for your domain and why doing so is important.

High-level overview of DMARC

Let's start with a little clarity on what DMARC is actually doing. It serves an active role in protecting your email reputation. You see, DMARC (along with DKIM and SPF records) makes sure that your outgoing email can be verified as authentic and helps prevent a bad actor from spoofing your email address. These records don't really protect your server from receiving bad emails (although enabling spam filters to check DMARC, DKIM, and SPF records can help with that). This article doesn't really get into spam filtering settings on your server, but our What is email spam? article tackles the subject thoroughly.

What is Domain-based Message Authentication, Reporting & Conformance (DMARC)?

DMARC was created to defend business domains against those who would do it harm. Beginning in 2010, internet organizations realized the emails they were sending and receiving could be compromised. When you cannot communicate with industry leaders safely, your business can suffer.

Due to this realization, several leading online organizations like AOL, Comcast, and Gmail began working on a solution. The goal was to help senders quickly discover and deal with unauthenticated emails sent to their domains and monitor or report on their authentication structure.

Their efforts created the DMARC policy specification for email domains on January 30, 2012. Now, DMARC is a standard all email domains can use. It’s a free and open source tool your business can use to control email deliveries.

What is a DMARC record in the context of email?

For DMARC to work as it should, it needs a ruleset, a place where Internet Service Providers (ISPs) can determine whether a domain uses DMARC. The DMARC record contains the instructions and specifies how email servers should handle the messages going to and from your company’s domain.

With all the components in place, including the DMARC record, your messages have a better chance of being delivered. DMARC acts as an additional layer of protection for your email domain. The other two layers associated with email authentication are DKIM and SPF, which are described in the next two sections.

What is DomainKeys Identified Mail (DKIM)?

DMARC is built on top of two other email validation methods that work together to prevent email spoofing and block fraudulent emails from reaching your server. DomainKeys Identified Mail (DKIM) is an authentication method that works in sync with DMARC and SPF. The DKIM protocol does what its name implies. It’s a personal domain key that your servers use when sending messages to other ISPs.

With DKIM in place, the other ISPs can validate your email by pulling a public key from the DNS records. DKIM helps the receiving ISP determine if your email was altered or intercepted. Using a private digital signature, DKIM prevents your email from being intercepted or changed.

What is the Sender Policy Framework (SPF)?

The Sender Policy Framework (SPF) protocol works differently than DKIM in that it deals with the IP addresses your domain will use to send messages to other servers. SPF is a protocol that ISPs use to determine if a server is allowed to send messages to your domain. Your sending server has only one SPF record, but SPF also includes a “whitelist” of approved IP addresses that can send messages.

Without this list of approved servers, it’s unlikely that your message will be delivered at all. Like the DKIM process, SPF works using DNS records. Most email marketing services use SPF and automatically verify if your messages came from a safe source without any influence from you. If SPF doesn’t recognize the server that sent your message, it won’t reach your recipient.

SPF and DKIM don’t work to protect your domain without something telling the protocol what to do. These protocols have explicit instructions or “records” that include the data they need to function. These records are known as TXT records — and they have many uses outside of SPF and DKIM.

What is a TXT record in the context of DNS records?

TXT records have multiple uses, but they mainly serve as records that store instructions for machines and users. TXT records house the contact details and general information about your domain. They have other uses in email spam prevention or domain verification, too. For this reason, TXT records work well for SPF and DKIM. Our Overview of DNS records article is a helpful resource as one learns more about DNS management.

Are DNS records useful for email servers?

DNS, or Domain Name System, was originally designed as a place for web developers to put notes about their servers. Now, DNS records can act as an essential verification pathway that includes data for your computer to read. DNS records work as email spam prevention and verify domain ownership.

If you’ve ever poked around in cPanel on your WordPress website, you’ll likely see DNS and TXT record files. With DNS records, your website’s URL is assigned an IP address that allows you and others to connect to your website from anywhere on the internet. In this case, the DNS record directs the user to an email server that manages the mail.

What does it mean to create a DMARC record?

We explained TXT and DNS records, but a DMARC record is a specialized TXT record with instructions used to verify that an email is safe. DMARC records allow your company to have more control over the rules that define what happens to emails that fail authentication. Setting up DMARC records means you create rules that help servers separate legitimate emails from emails that contain cyber threats. Protecting your business from email spam is why DMARC is recommended for your domain.

Why is it important to know how to set up DMARC for your domain?

Data breaches are costly and often compromise millions of your users and their personal information. Just as there will always be hackers and cybercriminals, businesses should always be willing to catch and prevent hackers from gaining access to sensitive information. By using DMARC in addition to DKIM and SPF, your organization will enjoy many benefits such as:

  • Reduced time spent on catching criminals and finding data leaks.
  • Increased trust and authority for your brand.
  • Safeguarding more of your company's wealth instead of losing it to cyberattacks.

Learning how to set up DMARC for your domain increases email deliverability and will help your customers trust your brand and not think twice about accepting your messages.

Setting up DMARC for your domain

A little prep work goes into setting up DMARC for your domain. You’ll need to activate SPF and DKIM to run your DMARC policy. Once that’s finished, the real work can begin. Start by setting up a mailbox for your XML reports. These reports track your emails that were sent out to every location and ISP. You can do this step later, but doing this first is a good idea. Audit your list of sending domains to determine which ones are fake.

DMARC lets your company take control of what your domain does when a message doesn’t have a matching DMARC record. None, Quarantine, and Reject are the three policies you can enable:

  • The None policy means that nothing changes, and the message is passed along normally.
  • The Quarantine policy will send a message to the spam folder, allowing you to have the final say.
  • The Reject policy is the goal of a working DMARC policy. If a spoofed message makes it to your spam folder, that’s good, but you don’t want it to stay there. On the other hand, if you enact this policy too early, you could reject legitimate emails from your customers, vendors, or industry organizations.

If you’re unsure what to do, you could enable a policy that only applies to a small number of incoming messages. This configuration means that you can control the validation output of your DMARC policy and only apply it to a certain number of messages. Using the tag pct=15 applies the policy to 15% of the total messages sent from your domain. If you don’t set this value yourself, the default value used is 100%.

  1. To enable your chosen policy, you must go to your domain’s DNS settings to publish your TXT record.
  2. While in the management panel, you’ll go to the DNS hostname and enter your record with the name of _dmarc.(your domain).com where you replace (your domain) with your actual domain name.
  3. In the DNS record, type in your DMARC record and save your changes.
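As an added example (not part of the original article), the following Python sketch lints a DMARC TXT value before it is published at the _dmarc host name. The domain example.com, the report mailbox, and the function names are assumptions made for illustration.

```python
# Added example: lint a DMARC TXT record before publishing it.
# example.com and the report mailbox are placeholders, not values from the article.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag -> value dict, keeping tag order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt):
    """Return (effective settings, list of problems) for a DMARC record."""
    tags = parse_dmarc(txt)
    problems = []
    # v=DMARC1 must be the first tag, or receivers ignore the record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        problems.append(f"p must be one of {sorted(VALID_POLICIES)}")
    # pct defaults to 100 when the tag is absent.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = None
    if pct is None or not 0 <= pct <= 100:
        problems.append("pct must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua tag: aggregate XML reports will not be sent")
    return {"policy": policy, "pct": pct, "rua": tags.get("rua")}, problems


# Constructed record for the host name _dmarc.example.com
RECORD = "v=DMARC1; p=quarantine; pct=15; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(lint_dmarc(RECORD))
    print(lint_dmarc("p=reject; pct=150"))
```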

With the DMARC record in place, you’ll receive XML reports that show which messages are passing or failing DKIM and SPF validation. Setting up DMARC for your email domain doesn’t take very long, but it’s integral in maintaining security for your business communications.
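To show what those XML reports contain, here is an added Python example (not from the original article) that totals pass and fail counts per sending IP address from a constructed aggregate report. The sample data, addresses, and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the DMARC aggregate report layout (RFC 7489, Appendix C).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p><pct>15</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>9</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.66</source_ip><count>31</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize(report_xml):
    """Total message counts per source IP, split by DMARC outcome."""
    # Reports come from third parties; for real mailboxes parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        summary[ip][outcome] += count
        summary[ip]["dispositions"].add(row.findtext("policy_evaluated/disposition"))
    return dict(summary)


def unauthenticated_sources(summary):
    """Source IPs that sent only failing mail: spoofers or unconfigured senders."""
    return sorted(ip for ip, s in summary.items() if s["fail"] and not s["pass"])


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(result)
    print(unauthenticated_sources(result))
```

Sources that appear only in the failing list are the ones to review before moving from the None policy to Quarantine or Reject.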

Protect your email domain from compromise

Reading this article, we hope you picked up how to set up DMARC, DKIM, and SPF to ensure that your outgoing email can be authenticated and not be spoofed in order to protect your online reputation. By now, you should realize the potential for cyberattacks hidden in your email communications and what you can do to help prevent them. If you’re a small business, setting up your DMARC policy should be straightforward, but it’s more complex if you’re a larger corporation. Larger organizations use automated DMARC tools to set up the thousands of domains and email senders they use.

When you want to implement your email marketing strategies, the last thing you want to worry about is DMARC alignment for your domain. At Liquid Web, we understand that DKIM and SPF protocols are everything to proper DMARC enforcement. When working to protect your email domain from compromise, your business needs a stable and robust DMARC policy that follows industry best practices.

With over 25 years of experience in the web hosting industry, which includes maintaining email compliance and security policies, we offer flexible and straightforward solutions for you. By working with us, you’ll have secure and reliable hosting. Let us ensure your email messages will always reach your customers.
