The Ultimate DMARC Project Guide

Date published: 2018-05-31
Last updated: 2022-08-17

The Ultimate DMARC Project Guide is a comprehensive project guide for successful implementation of DMARC email authentication. The guide addresses key risks, tasks, outcomes and communication requirements for an organization to consider when implementing DMARC email authentication.

What are key DMARC project implementation risks?

The key DMARC project implementation risks are: email interruption; a negative impact on email domain reputation, which leads to email being classed as SPAM or Junk and ultimately blocked from delivery; and, the biggest cyber threat, the false positive that cyber criminals exploit to undertake ransomware and other malicious cyber-attacks.

Implementing a compliant DMARC DNS entry protects a domain from SPOOF attacks and reduces organizational cyber risk, but if implemented incorrectly it will adversely affect email delivery as well as your email reputation. To understand more about this risk when implementing DMARC email authentication, read the following post: How does DMARC affect Email Reputation?

The lesser known of the key risks, and the reason for the update to this project guide, is the false positive that can easily occur when mail servers assess email authentication. Essentially, if mail servers do not assess a DMARC implementation to the highest level and a domain operator implements DMARC to a substandard outcome, then the mail servers will pass the email as authenticated and trustworthy when in fact it may not be. DMARC can be spoofed, as our founder David Barnes shared in 2018 on SourceForge.net. If the domain is spoofed with malicious intent then the mail servers will still pass the 3 checks, giving a false sense of security whereby the recipient is 5 times more likely to interact with the email. These interactions have been proven to be more devastating due to the assumed levels of trust associated with the false positive.

To mitigate the risk of successful ransomware attacks or other attacks that start with email compromise simply use Trusted Sender Network and do not risk a bad implementation of DMARC email authentication.

DMARC Project Overview & Getting Started

We often get asked how to implement DMARC so that business is not interrupted by email delivery issues and your email reputation benefits from the protocol and your organization’s staff and brand are protected from Phishing and SPOOF attacks.

The purpose of DMARC, and the reason why it is mandatory to implement the authentication, is that your email domain will be protected from being used in a SPOOF attack. It is important to note that this protection only applies when the DMARC record is set to reject or quarantine and covers 100% of the host domain and its subdomains; there is no exception. The subdomain options that the DMARC configuration allows are used primarily during the first and second phases of the project and are really for enterprise-level organisations that have subdomains for different countries or purposes.

For most organisations, reaching a compliant and protected position will take longer than expected due to the number of applications that send emails. Each application that sends email, for example any desktop application, server or mobile app, must authenticate the email. If authentication fails, the emails will not reach the recipient once you issue a p=quarantine or p=reject record. It is therefore vital to approach a DMARC project in a logical manner, progressing each phase using a step-by-step approach.

The DMARC record that you should aim to have is:

v=DMARC1; p=reject; rua=mailto:zuluedm@au.zuluedm.com; ruf=mailto:zululabs@au.zuluedm.com; fo=1; aspf=s; adkim=s;

There are variations, however most organisations we assist and route email for end up with a record similar to the one above. Forensic reporting is turned off to reduce waste and capacity issues once things settle. You may turn the reports back on if you are debugging or require more information than the summary reports provide.

When an email from your domain is sent, the record above is the set of instructions for the receiving mail server to abide by. Therefore if set to reject then no SPOOF email will reach recipients.
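As an added example (not part of the original guide), the following Python checks whether a DMARC record has reached the protected end state described above: a reject or quarantine policy applied to 100% of mail for the domain and its subdomains. The sample inputs are the target record quoted above and a constructed monitoring-phase record.

```python
# Constructed samples: the target record quoted in the guide above, and a
# monitoring-phase record of the kind used at the start of the project.
TARGET_RECORD = ("v=DMARC1; p=reject; rua=mailto:zuluedm@au.zuluedm.com; "
                 "ruf=mailto:zululabs@au.zuluedm.com; fo=1; aspf=s; adkim=s;")
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tag=value pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (protected, findings). protected is True only when a reject or
    quarantine policy applies to 100% of mail for the domain and its subdomains,
    which is the end state the guide describes. findings lists what remains."""
    tags = parse_dmarc(record)
    findings = []
    if record.split(";")[0].strip() != "v=DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    sp = tags.get("sp", policy)  # subdomain policy defaults to p
    if policy != "none" and sp == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports will be received")
    for mode in ("adkim", "aspf"):
        value = tags.get(mode, "r")  # relaxed is the protocol default
        if value not in ("r", "s"):
            findings.append(f"{mode}={value} is not a valid alignment mode")
        elif value == "r":
            findings.append(f"{mode} is relaxed; the guide's target record uses strict (s)")
    protected = policy in ("quarantine", "reject") and pct == 100 and sp != "none"
    return protected, findings
```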

The email addresses listed in the example are for Trusted Sender Network users, which includes a comprehensive DMARC analyzer, now enhanced by a step-by-step user wizard for the perfect DMARC implementation outcome. To access the tool visit https://trustedsendernetwork.com.

The Ultimate DMARC project guide timeline

The two email addresses in the DMARC record are the instructions to mail servers as to where to forward DMARC reports. DMARC reports are critical for achieving compliance and minimizing the email interruption risk.

Key Steps in a DMARC Project

Once the DMARC record is set, we recommend waiting a week and then beginning the project phases, with Phase 1 being the start and the last task in Phase 4 being the completed implementation. Tasks in Phases 1 & 2 can (and should) run concurrently with Phase 3.

The timeline diagram below provides a guide as to the linear progression that the project should take.

1.) Report analysis and planning

The first step before configuring your DMARC record is to answer the following questions:

1.) Where will the DMARC reports be sent to and how will they be rendered?

DMARC reports can contain hundreds of thousands of items, which will be sent from the receiving email servers (Gmail, Outlook etc.) to the email address listed in the DMARC DNS record. The report email address is set using rua=mailto:zuluedm@au.zuluedm.com. Reports are sent via email to the address listed, attached in XML format.
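As an added example (not part of the original guide), the following Python summarises an aggregate (rua) report so the pass/fail data per sending source can be read at a glance; the XML below is a constructed sample in the standard aggregate report shape, and the IP addresses are documentation addresses, not real senders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report. Real reports arrive as a gzipped or zipped
# XML attachment with this same structure; <policy_evaluated> already holds the
# aligned DKIM/SPF results the receiver computed for each source.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p><adkim>s</adkim><aspf>s</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Aggregate message counts per source IP and whether DMARC passed.
    DMARC passes when either aligned DKIM or aligned SPF passes."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    per_source = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        per_source[ip]["pass" if passed else "fail"] += count
    total = sum(v["pass"] + v["fail"] for v in per_source.values())
    failed = sum(v["fail"] for v in per_source.values())
    # Sources that only ever fail are either an application not yet configured
    # to send authenticated mail (fix before moving to p=reject) or someone else
    # using the domain; both must be identified from the reports during Phase 1.
    failing_sources = sorted(ip for ip, v in per_source.items()
                             if v["pass"] == 0 and v["fail"] > 0)
    return {"domain": domain, "policy": policy, "total": total,
            "fail_count": failed, "failing_sources": failing_sources,
            "per_source": dict(per_source)}
```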

2.) Is our mail server inbound compliant?

If not then you will not be able to protect your users (staff for example) from SPOOF and Phishing attacks. You then have decisions to make. We recommend putting in the DMARC record and having your main alternative email gateway configured and ready to route mail before you consider changing.
DMARC affects all email: DMARC is more than just a DNS entry.

The Zulu eDM SMTP Email Gateway (no longer available to the public) has traditional SMTP settings and our more advanced API. Having both options is essential for this project.


Once you have those questions answered you need to then have access to the following:

  • MX, SPF, DNS & DKIM checking tools
  • DKIM (domain key) Key Generator
  • Access to your domain’s DNS
  • Access to your email server platform

Now you are all set and ready to add your first DNS entry. Log into your DNS and add the following.

_dmarc.yourdomain.com IN TXT
v=DMARC1; p=none; rua=mailto:zuluedm@au.zuluedm.com; ruf=mailto:zululabs@au.zuluedm.com; fo=1; aspf=s; adkim=a;

You should experience no interruptions and have your reports pointing to the Trusted Sender Score DMARC Reporting application. Forensics is simply the original mail headers with no analysis. The report contains the pass/fail data.

Sit tight for about 1 week, we recommend, until your DMARC reports start to be received. In the meantime it’s time to get your servers ready. If you are using GSuite or Outlook you must install DKIM. This is because for all apps like Calendar etc. the email is routed via MTAs and not the MX, so DKIM and SPF records are vital.

Next is the vital email gateway that will handle your reputation management, delivery of campaign and burst mail, notifications, invoices and any application email you need to route. There are only 2 providers that we know of that provide reputation management with email delivery, DYN DNS (Oracle) and Zulu eDM Campaigner.

We understand the Oracle pricing starts at $5,000 USD per month. The Zulu Professional Campaigner starts at $165 USD per month.

Your DNS settings are available from your Zulu eDM account and you can use the Zulu DNS Checker to verify your set-up.

Trusted Sender Score provides a free DMARC reporting tool for all Trusted Sender Email clients and Zulu eDM campaign manager users.

2.) Configure applications to send authenticated email

Now you have your 2 email gateways configured it’s time to work your way through each application that you know sends email and configure them to use the compliant gateways.

It is important to note that single-check DMARC can be spoofed, and therefore domains that use email routes configured for single-check-only authentication can be spoofed and are untrustworthy. You can read the findings by our CEO, David Barnes, on SourceForge.

There will be a lot of headaches if you have invested in API development for email routing. Google and Amazon will not permit any SMTP ports and this is a huge hindrance for implementing DMARC. Thankfully we permit both styles of email sending, API based and SMTP settings.

3.) Organization Ready

There are 5 key aspects to preparing an organization for DMARC Anti-SPOOF compliance which include:

Internal awareness: making staff and key stakeholders aware of business email compromise attacks, what to look out for, what steps you are taking to protect the organisation internally and the steps being taken externally.

External communication: split into project and post-project tasks. There are two key timelines. The first is ensuring the web site is updated with an Anti-SPOOF policy and that receivers of your email understand you have begun the project. This may offset some possible liabilities that may arise during this time. Post project, the policy must be updated, and clients and suppliers must also be made aware that you are protected and compliant.

Legal agreements: Contracts, terms of trade, conditions of use, commercial agreements, franchise agreements and any other process that email is attached to must be thought through and then formalised. For example, contract termination in writing (via email). If the third party is not compliant and therefore their email fails to reach your email servers, who is responsible and what will the outcome be?

Visibility: Tools for staff to be able to understand which of the domains that regular business is conducted with are protected or not. What are the procedures and actions that must take place if a client or member of the public is attacked with your domain during the DMARC Compliance Project? Indeed, what and how do you communicate to people that claim they have been attacked after you become compliant?

Protection: Turning on inbound protection (checking for DMARC) is as important as securing the domain itself. Google’s GSuite and Microsoft’s Outlook have Anti-SPOOF settings which allow you to configure your inbound email protection against SPOOF and Phishing email. This is referred to as inbound protection. You will notice a significant decrease in SPAM and Phishing emails reaching your inbox when you turn on the protection.

4.) Post project

Once DMARC is deployed and your organization is compliant, there are ongoing management and technical tasks that you should be aware of. The volume of email, and how reliant your organization is upon email as a sales and marketing tool, will determine the resourcing requirements (if any).

DMARC Reports: It is essential that these reports are at least monitored to ascertain if your brand / domain is being used (or attempted to be used) illegally. This can hurt your domain reputation and could be used to impact your business if malicious.

Domain Reputation: The marketing and sales teams must be aware that a poor domain reputation, caused by too much untargeted or non-SPAM-compliant email, affects your email reputation. This affects all email, not just marketing-related email. Tools like the Zulu eDM automated reputation manager do much of the hard work.

Customers and suppliers: Ensuring you know which customers or suppliers are compliant, and having tools so that staff can easily check if the need arises, is important; so too is advising the related party if you do receive a suspicious email.

Summary

A DMARC project is often underestimated. To achieve the outcomes that will secure your information, risk, brand and stakeholders, it is important to understand that this project will change organizational behaviour and affect not just your staff but people external to your organization.