DMARC is part of the protection against spoofed emails. If it is insufficiently configured or missing, it may be possible for an attacker to send spoofed emails.

What can happen?

Spoofing can be used to trick people into giving up sensitive information and spreading false information that may damage the reputation of the vulnerable part.

Remediation

Compile the policy

The policy consists of multiple tags.

Tag NameRequiredPurposeSample
vrequiredProtocol versionv=DMARC1
prequiredPolicy for domainp=reject
spoptionalPolicy for subdomainsp=reject
ruaoptionalReporting URI of aggregate reportsrua=mailto:report@example.com
pctoptional% of messages subjected to filteringpct=25

The full list can be found here.

The value of v should always be DMARC1, so you don’t need to do anything more with that one.

p can differ between nonequarantine and rejectNone is no action taken at all and can be recommended to start with to make sure no important email gets rejected. You should eventually change this to quarantine or reject so the policy has some effect. sp is the same thing, but for all subdomains.

pct is the percentage of emails you want to be affected by the filtering. This can be skipped, but some prefer to use it in the beginning to make sure not all emails are rejected in case something goes wrong with the configuration.

rua is what is special for DMARC. It has a report functionality, which means that you can receive a report on how your emails have been treated. This way, you can see if someone is abusing your domain to send forged emails, if you have misconfigured something, etc.

Apply the policy

Go to your domain manager and create a new DNS record:

  • As hostname enter _dmarc. The record should be placed at _dmarc.[yourdomain], e.g., _dmarc.example.com.
  • As value, just enter the policy previously compiled.
  • If there is more than one name field (one being the hostname), it is only used to help you separate the records and can hold whatever value you find appropriate.

Example of what it looks like to add the record in CloudFlare's interface.

 

Resources


Related articles