In an effort to encourage greater adoption of DMARC, we created this guide to show anyone, no matter their level of technical expertise, how to set up DMARC.
What is DMARC, exactly?
DMARC (RFC 7489, published in 2015) is an email authentication, policy and reporting protocol. It lets a domain owner tell mailbox providers how to treat mail that carries the owner's domain in the From: address but fails authentication, which makes it easier for brands and mailbox providers to identify spoofed and phishing emails.
Before diving into who should use DMARC, or Domain-based Message Authentication, Reporting and Conformance, and how to set it up, it may be helpful to know why it was created in the first place.
It’s safe to assume that email’s inventors never imagined that people all over the globe would send more than 400 billion emails every day, or that almost 300 billion of those messages would be spam or scams, according to Cisco’s Talos Intelligence.
It should also come as no surprise that SMTP, the protocol used to transfer email, has shortcomings: it dates from the early 1980s and was designed with no way to verify who sent a message. The visible From: address is just a header that any sender can set to anything, so spoofing a well-known brand is trivial, and criminals have found it a reliable way to exploit users’ trust in those brands.
In other words, users couldn’t tell a real message from a fake one, and mailbox providers had to make very difficult (and frequently incorrect) guesses about which messages to deliver and which ones might harm their users.
DMARC addresses these issues. It makes it easier for senders and receivers to determine whether a given message was legitimately sent by the domain in its From: address, and it tells receivers what to do if it wasn’t. This helps keep spoofed and phishing messages out of people’s inboxes, but its value is not limited to email security.
Benefits of DMARC
DMARC helps protect users and brands from painfully costly abuse. It also helps a brand’s email deliverability.
Before we show you how to set up DMARC it is worth highlighting the potential benefits that this minimal effort brings to your organization.
DMARC was first adopted by large companies that wanted to stop spammers and scammers from spoofing their domains. But more and more mailbox providers now expect senders to publish a DMARC policy, and some require it before they will deliver bulk mail to the inbox. So, if your company sets up DMARC, providers treat it as a trust signal and your delivery rate should improve.
Email fraud is on the rise. In 2019, the FBI’s Internet Crime Complaint Center recorded 23,775 complaints about business email compromise, resulting in $1.7 billion in losses. DMARC does not make that risk disappear: it stops attackers from sending mail with your exact domain in the From: address, but it does nothing against lookalike domains, display-name tricks or compromised mailboxes, which many BEC attacks use instead. Still, once DMARC is enforced, impersonating your own domain becomes much harder.
Once you set up DMARC with reporting enabled, the aggregate reports you receive list every source that sent mail using your domain and whether it passed authentication. That lets you spot spoofing campaigns as they happen, identify the sending IP addresses, and ask the providers involved to block a source that is trying to phish data or money from recipients.
Pathway to BIMI
You also need DMARC before you can implement a newer standard called BIMI (Brand Indicators for Message Identification), which displays your verified logo next to your messages; BIMI requires a DMARC policy of quarantine or reject. Early experiments suggest that recipients find emails with BIMI more trustworthy, and that the open rate for such emails can be around 5% higher than for emails without it.
Next Level Reporting
Tools like Dmarcian or DMARC Digests collect your DMARC aggregate reports and let you know if DMARC is misconfigured. Just as important, they give you full visibility into how your domain is being used: every service and IP address that sends mail on its behalf, and whether that mail passes SPF and DKIM.
Who should set up DMARC?
DMARC is recommended for almost every email sender.
A proper DMARC implementation is a positive signal to mailbox providers in terms of deliverability. It shows that you take responsibility for the mail sent under your domain and that you are the sender you claim to be.
Yet there are groups of email senders who can especially benefit from DMARC.
Medium and large companies that rely on email will find DMARC particularly useful. For starters, it gives them analytics on who is sending mail with their domain. More importantly, it protects their brands and businesses from having their identity stolen.
This is particularly important for ecommerce, financial services, and all businesses that store customer data and want to protect their brand’s reputation.
How to Set Up DMARC
Please note that DMARC depends on two other standards: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Without at least one of those authentication methods in place and aligned with your From: domain, DMARC cannot pass. DMARC also superseded ADSP (Author Domain Signing Practices), an earlier attempt at the same idea that has since been retired.
This process is outlined on DMARC.org, but we pulled it out here for your convenience. Here’s a link to the five-step list on the DMARC website.
1. Deploy DKIM and SPF. DMARC passes if either one passes and aligns, so you need at least one, but set up both: SPF breaks when mail is forwarded, and DKIM survives forwarding.
2. Align the appropriate identifiers: the domain in the visible From: header must match the DKIM signing domain (d=) or the envelope sender domain that SPF checks.
3. Publish a DMARC record with the policy set to “none”, which requests reports without affecting delivery.
4. Analyze the reports. Check that every email sending solution you use supports DKIM and SPF, and fix any source that fails or does not align.
5. As you gain experience, move the policy flag from “none” to “quarantine” and then to “reject.”
To set up DMARC you can go it alone or use one of the many services on the market. For brands, we strongly recommend a third-party service. Not only do they make setup quick and easy, they also parse the XML aggregate reports for you and provide effortless monitoring.
For this demo we chose DMARC Digests, but there is a wide variety of services.
Step 1: First, register your account and add a new domain.
Step 2: Go to “Set up DMARC” and copy the values provided there.
Step 3: Go to your DNS provider (we use Cloudflare) and create a TXT record with the host name _dmarc (so it resolves at _dmarc.yourdomain.com) and the value provided in the step above.
Step 4: Go back to your DMARC set-up tool and verify settings.
Step 5: Wait 24 hours. Mailbox providers that receive your mail send aggregate reports about once a day, so the tool needs that long to collect data on every source that sends mail for your domain: your own mail servers, ESPs, CRMs and any other service.
Step 6: After 24 hours, you will get your first set of data.
Step 7: Analyze the email sources and look for services whose mail fails DMARC. Usually that means the service is sending on your behalf with its own domain in the SPF envelope sender and in the DKIM signature, so neither identifier aligns with your From: domain. If you identify such sources, figure out why.
In our case, it seemed that we had an issue with Mailchimp and Sendinblue. We went back to those tools and set up SPF and DKIM for our own domain, so their mail would align with DMARC. Once we had corrected it, we ran a final test and waited 24 hours to see the results. Success.
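The check a receiver performs in Step 7, written out as an added example (this is not code from the original article, from DMARC Digests or from any mailbox provider): parse the published DMARC record, test whether the SPF and DKIM identifiers align with the From: domain under relaxed or strict mode, and return the disposition the policy calls for. The domain names in the demo scenario are constructed, and the organizational-domain helper is a simplification (last two labels) of the Public Suffix List lookup real receivers use.

```python
"""Evaluate a message against a DMARC record: identifier alignment and disposition.

Added example (not code from the original article or from DMARC Digests). It
implements the alignment and policy rules of RFC 7489 on constructed inputs.
ASSUMPTION: organizational_domain() keeps the last two labels; real receivers
use the Public Suffix List, so this shortcut is wrong for suffixes like co.uk.
"""
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")         # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])     # subdomain policy defaults to p=
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain (ASSUMPTION: last two labels, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. No authenticated domain = no alignment."""
    if not auth_domain:
        return False
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(record_txt: str, record_domain: str, from_domain: str,
             spf_pass_domain: Optional[str] = None,
             dkim_pass_domain: Optional[str] = None) -> dict:
    """Decide what a receiver does with one message (pct= sampling ignored here).

    record_domain:    domain the record was published under (_dmarc.<record_domain>)
    from_domain:      domain of the visible From: header
    spf_pass_domain:  envelope-sender (MAIL FROM) domain if SPF returned pass, else None
    dkim_pass_domain: d= of a DKIM signature that verified, else None
    """
    rec = parse_dmarc_record(record_txt)
    spf_ok = aligned(from_domain, spf_pass_domain, rec["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, rec["adkim"])
    passed = spf_ok or dkim_ok           # one aligned, passing identifier is enough
    is_subdomain = (from_domain.lower() != record_domain.lower()
                    and from_domain.lower().endswith("." + record_domain.lower()))
    policy = rec["sp"] if is_subdomain else rec["p"]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": "none" if passed else policy}


if __name__ == "__main__":
    # Constructed scenario modelled on the article's ESP case: the newsletter says
    # From: news@example.com, but SPF passed for the ESP's own bounce domain and the
    # DKIM signature is the ESP's, so neither identifier aligns with example.com.
    record = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    before = evaluate(record, "example.com", "example.com",
                      spf_pass_domain="bounce.esp-example.net",
                      dkim_pass_domain="esp-example.net")
    # After setting up DKIM for our own domain in the ESP, it signs with d=example.com.
    after = evaluate(record, "example.com", "example.com",
                     spf_pass_domain="bounce.esp-example.net",
                     dkim_pass_domain="example.com")
    print("before fix:", before)   # dmarc_pass False; still delivered because p=none
    print("after fix: ", after)    # dmarc_pass True via aligned DKIM
```

Note that with p=none the failing message in the “before” case is still delivered; only the report tells you it failed, which is exactly why the monitoring phase has to be read, not just published. Switching the record to p=reject makes the same message’s disposition “reject”.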
DMARC Policy Levels
Once all your sources pass DMARC with aligned SPF or DKIM, you can think about strengthening the policy. In other words, you can move from monitoring only (“none”) to the “quarantine” or “reject” policies.
This process takes time. To implement the last two policies, you need patience and a clear understanding of what each policy means. So, let’s go through them, and then through a sample scenario for bringing your DMARC policy to the next level.
DMARC Security Policies
- None (p=none) – monitoring only. Receivers still evaluate SPF, DKIM and alignment and report the results, but they deliver the mail as they normally would, even when it fails;
- Quarantine (p=quarantine) – messages with aligned SPF or DKIM are delivered normally; messages that fail are treated as suspicious, which in practice means the receiver puts them in the spam folder;
- Reject (p=reject) – messages that fail are refused by the receiving server during the SMTP transaction, so they never reach the mailbox.
Example Implementation Scenario
- Weeks 1 and 2: publish the policy “none” (the monitoring one) and check the reports to determine whether all your email sources are aligned with DMARC.
- Week 3: if all your email sources are aligned, set the policy to quarantine with pct=10, so that only 10% of failing messages are quarantined.
- Week 4: if everything is okay, increase pct to 50.
- Week 5: keep monitoring, but if you still do not find any issues, increase pct to 100 (or drop the tag, since 100 is the default).
- Week 8: after two to three weeks at full quarantine with no issues, change the policy to reject with pct=10. Failing messages that are not selected by the 10% sample fall back to quarantine, so nothing gets past the filter that was not already being quarantined.
- Weeks 9 to 12: raise pct by about 30 points each week until you reach 100.
- You’re all set!
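What the pct= tag actually does during this rollout, as an added example (not code from the original article): a receiver draws a random number for each failing message and applies the published policy only if it falls inside the sample; the rest get the next less strict policy (reject becomes quarantine, quarantine becomes none), as RFC 7489 specifies. The random draw is passed in as a parameter so the behaviour can be checked deterministically, and the mailbox address is a placeholder.

```python
"""Apply DMARC's pct= sampling the way a receiver does (RFC 7489 section 6.6.4).

Added example, not from the original article. `roll` stands for the receiver's
random draw in 0..99; real receivers pick it themselves, here it is a parameter.
"""
import random

# A failing message NOT selected by pct gets the next less strict policy.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def disposition(policy: str, pct: int, roll: int) -> str:
    """Disposition of a message that FAILED DMARC under p=<policy> with pct=<pct>."""
    if policy not in NEXT_LESS_STRICT:
        raise ValueError(f"unknown policy {policy!r}")
    if not 0 <= pct <= 100 or not 0 <= roll < 100:
        raise ValueError("pct must be 0..100 and roll 0..99")
    if roll < pct:                 # inside the sample: apply the published policy
        return policy
    return NEXT_LESS_STRICT[policy]  # outside the sample: one step less strict


def record_for_stage(policy: str, pct: int, rua: str) -> str:
    """TXT value to publish at _dmarc.<domain> for one rollout stage."""
    tags = ["v=DMARC1", f"p={policy}"]
    if pct != 100:                 # 100 is the default, so omit it
        tags.append(f"pct={pct}")
    tags.append(f"rua=mailto:{rua}")
    return "; ".join(tags)


def simulate(policy: str, pct: int, n: int = 10_000, seed: int = 1) -> dict:
    """Share of failing messages ending in each disposition at this stage
    (constructed, seeded random draws; no real mail involved)."""
    rng = random.Random(seed)
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for _ in range(n):
        counts[disposition(policy, pct, rng.randrange(100))] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # The article's schedule, with dmarc@example.com as a placeholder report address.
    stages = [(3, "quarantine", 10), (4, "quarantine", 50), (5, "quarantine", 100),
              (8, "reject", 10), (12, "reject", 100)]
    for week, policy, pct in stages:
        print(f"week {week:2}: {record_for_stage(policy, pct, 'dmarc@example.com')}")
        print("         failing mail ->", simulate(policy, pct))
```

Two consequences worth knowing before you touch the tag: pct only matters for failing mail, so it never affects messages that already align, and p=reject with pct=0 is a legitimate way to run quarantine-like behaviour while advertising reject to tools (BIMI included) that only look at the policy value.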
Optional Next Step: Implement BIMI
Part of the beauty of DMARC is that it was built to help legitimate email get delivered while keeping spoofed mail out. Its benefits include fewer false positives at the receiver, less guesswork when diagnosing delivery problems, and fewer successful phishing attacks, among others.
It also protects your domain and brand from phishers and spammers who would hijack it to steal data or money from the people who interact with your brand.
Finally, DMARC is a prerequisite for the newer BIMI standard; we show you how to implement BIMI here.