Use DMARC to Increase Security – Consulting Help

Properly deploying the SPF and DKIM email authentication controls is what allows you to enforce the DMARC control as well, which significantly strengthens your email security posture.

Reaching the desired DMARC Reject mode (p=reject) instructs receiving mail systems to refuse email that claims to come from your domain but fails authentication, which helps prevent external parties from sending spoofed emails from your domain to anyone else on the internet. Without it, those spoofed emails are likely to be delivered to their recipients, causing brand and/or financial damage, or worse.

A DMARC monitoring tool (eg: Valimail) will help you gain visibility of all the systems sending email as your domain, and this allows you to move through the DMARC policy modes:

  • Report Mode (p=none)
  • Quarantine Mode (p=quarantine)
  • Reject Mode (p=reject)

Start in Report Mode: publish the required public DNS TXT record at _dmarc.yourdomain with p=none and an rua= address pointing at the DMARC tool. This instructs receiving mail platforms to send the tool aggregate reports containing the envelope sender, the authenticating domains and the SPF/DKIM results for every message claiming to be from your domain. Analysing those reports reveals every legitimate sending system and lets you fine-tune SPF and DKIM, so you can safely move to Quarantine Mode and then Reject Mode.

DMARC DKIM SPF

The SPF record must be valid to start with and should end in -all (hard fail) rather than ~all (soft fail). Check that it stays within the limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect); exceeding it produces a permerror, which DMARC treats as a failure. Then enable DKIM signing for every sending platform that supports it.

The final tricky step is alignment. DMARC does not check the visible From: address directly against SPF or DKIM; it checks that the domain in the From: header matches (aligns with) either the domain SPF authenticated, which is the envelope sender recorded in the hidden Return-Path header, or the domain in a verified DKIM signature's d= tag. Third-party sending platforms typically use their own domain in the envelope sender and DKIM signature by default, so their mail authenticates but does not align and therefore fails DMARC. Every legitimate sending system must be configured to use a custom sending (return-path) domain and/or a DKIM key under your domain. Alignment is the hurdle that most often stops organisations from moving to DMARC Reject mode.
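To make alignment concrete, here is an added example (not code from the original article) of how a receiving mail server applies a published DMARC record to a message: it parses the record, checks the visible From: domain against the SPF-authenticated envelope domain and the DKIM d= domain under relaxed or strict alignment, and returns the disposition the policy requests. The DMARC records, domain names and messages are constructed for the demo, DNS lookups are stubbed with an in-memory table, and the organizational-domain step is simplified to the last two labels instead of consulting the Public Suffix List.

```python
"""Minimal DMARC evaluation (RFC 7489) showing how identifier alignment decides
the outcome.

Added example, not code from the original article. DNS lookups are replaced by
a constructed in-memory table, and the organizational domain is taken as the
last two labels instead of consulting the Public Suffix List, so it is only
correct for simple suffixes such as .com or .net.
"""
from dataclasses import dataclass

# Constructed stand-ins for the TXT record published at _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=r",
    "strict.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "newco.example": "v=DMARC1; p=none; rua=mailto:dmarc@newco.example",
}


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels; real receivers use the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What a receiver knows after SPF and DKIM have run (constructed for the demo)."""
    header_from: str   # domain in the visible RFC5322.From header
    mail_from: str     # domain in RFC5321.MailFrom, i.e. the Return-Path the user never sees
    spf_pass: bool     # SPF result for mail_from
    dkim_domain: str   # d= of a DKIM signature that verified, or "" if none did


def evaluate(r: AuthResults) -> dict:
    """Return the DMARC result and the disposition the sender's policy requests."""
    txt = DMARC_RECORDS.get(r.header_from.lower())
    if txt is None:
        return {"dmarc": "none", "disposition": "none", "reason": "no DMARC record"}
    rec = parse_dmarc(txt)
    spf_aligned = r.spf_pass and aligned(r.header_from, r.mail_from, rec["aspf"])
    dkim_aligned = aligned(r.header_from, r.dkim_domain, rec["adkim"])
    if spf_aligned or dkim_aligned:
        via = "spf" if spf_aligned else "dkim"
        return {"dmarc": "pass", "disposition": "none", "reason": "aligned via " + via}
    return {"dmarc": "fail", "disposition": rec["p"], "reason": "no aligned identifier"}


# Constructed messages illustrating the cases described in the text.
SAMPLES = {
    # Attacker's own infrastructure: SPF passes for the attacker's envelope domain,
    # but nothing aligns with the spoofed From: domain, so p=reject applies.
    "spoof": AuthResults("example.com", "attacker.example", True, ""),
    # Marketing platform left on its defaults: authenticates as itself, not as you.
    "unaligned_vendor": AuthResults("example.com", "bounce.mailer.example", True, "mailer.example"),
    # Same platform after a custom return-path subdomain was configured (relaxed alignment).
    "aligned_vendor": AuthResults("example.com", "bounce.example.com", True, ""),
    # Strict alignment: the subdomain Return-Path no longer counts, but a DKIM d= that
    # exactly matches the From: domain rescues the message.
    "strict_dkim": AuthResults("strict.example", "bounce.strict.example", True, "strict.example"),
    # Report-only domain: the failure shows up in aggregate reports but nothing is blocked.
    "report_only": AuthResults("newco.example", "attacker.example", True, ""),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:17s} {evaluate(sample)}")
```

The "spoof" and "unaligned_vendor" cases both carry a passing SPF result, which is exactly why SPF on its own does not stop spoofing: DMARC only credits an authentication result whose domain aligns with the From: header the recipient actually sees.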

Not all receiving platforms honour the intent of DMARC Reject mode. Office 365 (Exchange Online) is one: it has historically treated a reject verdict as quarantine and delivered the message to the Junk folder rather than refusing it. Google and most 3rd party mail gateways honour the policy and reject the email. We therefore recommend also creating an Exchange Online (EXO) transport rule that rejects inbound messages for your domain whose Authentication-Results header records a DMARC failure (dmarc=fail action=oreject), enforcing the rejection your policy asked for.

We can help you implement SPF, DKIM and DMARC properly. They are all free security controls, and very effective when used together. If you are on Office 365, we like to enable the DMARC Reject transport rule initially in listen (audit) mode, generating Incident Reports to a shared mailbox, so you can see what it is catching before switching it to enforce. It is usually sobering viewing!