DMARC is part of the protection against spoofed emails. If it is insufficiently configured or missing, it may be possible for an attacker to send spoofed emails.
What can happen?
Spoofing can be used to trick people into giving up sensitive information and spreading false information that may damage the reputation of the vulnerable part.
Remediation
Compile the policy
The policy consists of multiple tags.
| Tag Name | Required | Purpose | Sample |
| v | required | Protocol version | v=DMARC1 |
| p | required | Policy for domain | p=reject |
| sp | optional | Policy for subdomain | sp=reject |
| rua | optional | Reporting URI of aggregate reports | rua=mailto:report@example.com |
| pct | optional | % of messages subjected to filtering | pct=25 |
The full list can be found here.
The value of v should always be DMARC1, so you don’t need to do anything more with that one.
p can differ between none, quarantine and reject. None is no action taken at all and can be recommended to start with to make sure no important email gets rejected. You should eventually change this to quarantine or reject so the policy has some effect. sp is the same thing, but for all subdomains.
pct is the percentage of emails you want to be affected by the filtering. This can be skipped, but some prefer to use it in the beginning to make sure not all emails are rejected in case something goes wrong with the configuration.
rua is what is special for DMARC. It has a report functionality, which means that you can receive a report on how your emails have been treated. This way, you can see if someone is abusing your domain to send forged emails, if you have misconfigured something, etc.
Apply the policy
Go to your domain manager and create a new DNS record:
- As hostname enter _dmarc. The record should be placed at _dmarc.[yourdomain], e.g., _dmarc.example.com.
- As value, just enter the policy previously compiled.
- If there is more than one name field (one being the hostname), it is only used to help you separate the records and can hold whatever value you find appropriate.
Example of what it looks like to add the record in CloudFlare's interface.
Resources
- Detectify blog: Misconfigured email servers open the door to spoofed emails from top domains
- Google Apps Administrator Help - DMARC
Related articles