28 May 2025
From “None” to “Reject”: step by step grip on your email domain

E-mail is still the preferred means of communication for organisations. But that also makes it an attractive target for abuse.

After all, using your domain name, others can pretend to be you. Without proper protection, malicious parties can send phishing emails in the name of your organisation without you or the recipient noticing.

DMARC is the protocol that helps prevent this. But only if you set it up properly. Many organisations have activated DMARC, but get stuck with a “none” policy.

This article accompanies our webinar “From ‘None’ to ‘Reject’: getting to grips with DMARC in 30 minutes”. You can watch the recording back here.


What are we going to do?

You go through five steps:

  1. Check whether your domain already has a DMARC record

  2. Set up monitoring via a DMARC tool

  3. Read and understand your reports

  4. Test whether your systems are set up properly

  5. Scale up your DMARC policy incrementally

Note: you do this for every domain you own, including domains you do not send mail from. These too can be abused.

Step 1: Check if your domain already has a DMARC record

Use the free test at https://internet.nl/test-mail/.
Type in your domain name (e.g. brandaris.it) and you will immediately see whether there is a DMARC record and which settings belong to it.


Does it say “none” or “quarantine”? Then this article is for you.

Step 2: Set up monitoring via a DMARC tool

You can only scale up responsibly if you know what is happening now. That is why it is smart to activate DMARC reports. These show who is sending e-mail on behalf of your domain and whether it is justified.

In this article we use DMARC Manager from DMARC Advisor, but other tools are also available, such as EasyDMARC, Valimail, Cloudflare and Postmark. We use DMARC Manager for its user-friendliness and clear reports; that is a personal preference, so feel free to deviate, as the instructions remain essentially the same. You can easily start a trial via this link, and then we can also take a look with you.

You do this by adding a small piece of text to your domain settings (the DNS).

Don't worry: it's simpler than it sounds.

What should it say?

For example:

v=DMARC1; p=none; rua=mailto:uniekestring@rua.eu.dmarcmanager.app; ruf=mailto:uniekestring@ruf.eu.dmarcmanager.app

  • v=DMARC1 = the DMARC version (DMARC1 is the only one)

  • p=none = you are monitoring, but not yet intervening

  • rua=mailto:… = the address the aggregate reports are sent to

  • ruf=mailto:… = the address failure (forensic) reports are sent to, if the receiving party supports them

How do you set this up?

  1. Go to your domain management (or ask your IT partner)

  2. Add the record as a TXT record at _dmarc.jouwdomein.nl (replace jouwdomein.nl with your own domain name)
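To do the check from Step 1 and validate the record you are about to add in Step 2 from a script, here is an added Python example (not from the article or from DMARC Manager). The parser and the advice text are ours; the live lookup assumes the dnspython package is installed and is only needed when you query a real domain.

```python
KNOWN_TAGS = {"v", "p", "sp", "pct", "rua", "ruf", "adkim", "aspf", "fo", "rf", "ri"}

def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    return tags

def assess_record(txt):
    """Say where the domain is on the none -> quarantine -> reject path."""
    tags = parse_dmarc_record(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))        # pct defaults to 100 when absent
    monitoring = "rua" in tags               # without rua= you receive no reports
    if policy == "none":
        advice = "monitoring only: collect reports, then move to p=quarantine"
    elif policy == "quarantine" and pct < 100:
        advice = f"quarantine at {pct}%: raise pct step by step to 100"
    elif policy == "quarantine":
        advice = "quarantine at 100%: switch to p=reject once reports are stable"
    elif policy == "reject":
        advice = "reject: done, keep the rua address so reports keep coming in"
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not monitoring:
        advice += " (no rua= tag: you are not receiving reports)"
    return {"policy": policy, "pct": pct, "monitoring": monitoring, "advice": advice,
            "unknown_tags": sorted(set(tags) - KNOWN_TAGS)}

def lookup_dmarc(domain):
    """Fetch the TXT record at _dmarc.<domain>. Assumption: dnspython is installed."""
    import dns.resolver   # pip install dnspython; only needed for live lookups
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None
    for rdata in answers:
        txt = b"".join(rdata.strings).decode()
        if txt.lower().startswith("v=dmarc1"):
            return txt
    return None
```

Run `assess_record(lookup_dmarc("yourdomain.example"))` to get the same none/quarantine/reject verdict as the internet.nl test, plus the next step on the path.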


After a few days, the first insights come in.


Step 3: Read and understand your reports

After a few days, you see:

  • Which systems send email on behalf of your domain

  • Whether they are compliant (SPF and DKIM)

  • Whether there are unknown or suspicious senders among them

Check per sender whether it is legitimate. Don't recognise something? Then it's time to clean up.

Pay particular attention to systems such as:

  • Microsoft 365 / Google Workspace

  • E-mail marketing (Mailchimp, ActiveCampaign)

  • CRM or invoicing software (Teamleader, HubSpot, Exact Online, Yuki)

  • Automation tools
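The reports from this step arrive as XML aggregate (rua) reports. As an added example (not the article's or DMARC Manager's code), this Python script summarises one constructed report: per-source alignment results, the domain SPF actually vouched for, and the overall aligned-pass rate that Step 5 later compares with the 98% threshold. The report content, IP addresses and sender domains are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the RFC 7489 XML format, cut down to the fields used here.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>brandaris.it</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>brandaris.it</header_from></identifiers>
  <auth_results><spf><domain>brandaris.it</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brandaris.it</header_from></identifiers>
  <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brandaris.it</header_from></identifiers></record>
</feedback>"""

def summarise_report(xml_text):
    """Per-source compliance plus the overall aligned-pass rate of one aggregate report."""
    root = ET.fromstring(xml_text)
    sources, total, aligned = {}, 0, 0
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the DMARC-level verdicts: 'pass' only when the raw
        # SPF/DKIM check passed AND its domain aligns with header_from.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        compliant = "pass" in (dkim, spf)      # one aligned pass is enough for DMARC
        total += count
        aligned += count if compliant else 0
        sources[ip] = {
            "count": count,
            "dkim_aligned": dkim == "pass",
            "spf_aligned": spf == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),  # who SPF really vouched for
            "compliant": compliant,
        }
    rate = round(100.0 * aligned / total, 1) if total else 0.0
    return {
        "domain": root.findtext("policy_published/domain"),
        "sources": sources,
        "compliance_pct": rate,
        "ready_for_reject": rate >= 98.0,   # threshold the article applies in Step 5
    }
```

In the sample, 198.51.100.7 is the typical marketing-tool case: SPF passes for the tool's own domain but is not aligned with brandaris.it, so its 30 messages count as non-compliant until DKIM or a custom return path is set up.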


Step 4: Test if your systems are set up properly

Before making your DMARC policy stricter, you want to make sure that your legitimate mails pass the checks properly. Otherwise, you run the risk that your own e-mails will soon be seen as suspicious.

How do you test that?

By sending yourself a test email from every system or application that sends email on behalf of your domain.

What you do:

  1. Send a test mail to yourself (e.g. your work address)

  2. View the e-mail header of that message

  3. Check that SPF, DKIM and DMARC show ‘pass’

How do you open the email header?

In Outlook on Windows:

  • Open the test email

  • Click on File > Properties

  • The headers are at the bottom under ‘Internet headers’

In Outlook on the Web (OWA):

  • Open the test email

  • Click on the three dots (⋯) at the top right of the message

  • Choose ‘View message’ or ‘View message details’

In Outlook on macOS:

  • Open the test email

  • Click View > Message > All headers

  • You will now see the full header at the top of the message

In Apple Mail (macOS):

  • Open the test email

  • Go to View > Message > All Headers or Raw Source

  • Or use the shortcut Shift + Command + H

  • The header appears in a separate window

In Gmail (Google Workspace):

  • Open the test email

  • Click on the three dots (⁝) at the top right of the message (next to the reply button)

  • Select ‘Show original’

  • You will now see the full e-mail header as well as a summary of the authentication results

  • Extra handy: Gmail usually shows the SPF, DKIM and DMARC results directly in the summary at the top, which gives you an immediate first impression.

Use Microsoft's free Message Header Analyzer tool:

https://mha.azurewebsites.net

Tip: there is also a handy Outlook add-in that lets you view the header with a single click. Search for ‘Message Header Analyzer’ in Microsoft AppSource.


What are you paying attention to?

The tool shows you the results for each protocol:

  • SPF: must be set to pass

  • DKIM: also pass

  • DMARC: gives the final score, based on SPF and/or DKIM

Note: it is sufficient if either SPF or DKIM passes, as long as the domain that passed is ‘aligned’ with the domain in the From header.

Do you see a fail or temperror? If so, something needs to be adjusted before you scale up.
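To automate the header check from this step, here is an added Python example (not from the article or from the Message Header Analyzer) that pulls the SPF, DKIM and DMARC results out of the Authentication-Results header of a test mail and applies the rule above: any fail or temperror must be fixed before you scale up. The two sample header blocks and the receiving server name mx.example.net are constructed.

```python
import email
import re

# Constructed headers of a test mail as the receiving server (mx.example.net) might stamp them.
SAMPLE_PASS = """Authentication-Results: mx.example.net;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=brandaris.it;
 dkim=pass (signature was verified) header.d=brandaris.it;
 dmarc=pass action=none header.from=brandaris.it
From: IT <it@brandaris.it>
To: it@brandaris.it
Subject: DMARC test mail

test
"""

# Same mail, but the DKIM check hit a temporary error (e.g. the public key lookup failed).
SAMPLE_TEMPERROR = SAMPLE_PASS.replace("dkim=pass (signature was verified)",
                                       "dkim=temperror (key lookup failed)")

def parse_auth_results(raw_message):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the Authentication-Results header(s)."""
    msg = email.message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", value)        # unfold the multi-line header
        value = re.sub(r"\([^)]*\)", "", value)   # strip (comments) such as the sender IP
        for clause in value.split(";"):           # first clause is the server name, no match
            m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip(), re.I)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def check_test_mail(raw_message):
    """Step 4 rule: fail/temperror/permerror must be fixed, and DMARC itself must pass."""
    results = parse_auth_results(raw_message)
    issues = [f"{m}={r}" for m, r in results.items()
              if r in ("fail", "temperror", "permerror")]
    if "dmarc" not in results:
        issues.append("dmarc=missing")
    ok = results.get("dmarc") == "pass" and not issues
    return {"results": results, "issues": issues, "ok": ok}
```

Paste the raw headers from one of the mail clients above into the script; a DMARC pass with a DKIM temperror still comes back as not ok, because the temperror will turn into a hard failure once the SPF path breaks.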

Step 5: Scale up your DMARC policy incrementally

Once you know your own systems are set up properly AND your reports are stable, you can start ramping up your DMARC policy.

But note: always do this step by step.

Start with quarantine

Instead of rejecting suspicious e-mails immediately, let them land in the spam folder. That way, you get control, but do not yet cause hard blocks.

For example:

v=DMARC1; p=quarantine; pct=25; rua=mailto:...

  • p=quarantine: suspicious emails go to spam

  • pct=25: 25% of suspicious emails are handled according to your policy

  • rua: reports are still being collected

Start with 25%, watch the effects, and scale up to 50%, 75% and finally 100%.

Keep tracking your reports

Check for suspicious senders. Is legitimate e-mail going to spam? Then you must first set up SPF or DKIM properly for that system.

If your reports show that you have properly authenticated above 98% of your mail streams (SPF and/or DKIM in order AND aligned), then you can switch to reject.

Only then do you go to reject

v=DMARC1; p=reject; pct=100; rua=mailto:...

Now, suspicious e-mails are actually rejected and not delivered.

Note: keep the rua address in the record so that you continue to receive reports and can keep monitoring even after setting reject.


Summary

DMARC gives you a grip on your email domain, but only if you do more than just “watch along”.

By setting up monitoring smartly and scaling up step by step, you prevent phishing in the name of your organisation without blocking legitimate emails. Need help reading your reports, adjusting your DNS or analysing error messages? Let us know. We are happy to help, whether once or on an ongoing basis.

Want to watch the webinar recording? LINK
Want to start a trial of the tool we like? LINK

Maikel Roolvink, cybersecurity specialist