This process can take weeks or months, depending on the size of your organization (bigger = longer). So it’s best to get started right away.
This article is a surface-level guide to give you some insight into the basic process. For a more in-depth, step-by-step tutorial, we invite you to download our comprehensive DMARC and BIMI guide. Note that every DNS service and provider uses different interfaces and processes for setting these records. We recommend contacting your provider for additional assistance.
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication, policy, and reporting protocol that allows organizations to protect their domain against unauthorized use — including spoofing and phishing. Before you can qualify for a VMC, you must first ensure your organization is compliant with DMARC.
What you’ll need
Before you get started, make sure you have:
- A .txt editor (e.g., Notepad++, Vim, Nano, etc.)
- Access to your domain’s DNS records
Note: If you don’t manage your DNS, reach out to your server administrator or service provider. DigiCert is unable to edit these records.
Step 1: Collect IP addresses for SPF
Set up Sender Policy Framework (also known as SPF). This will prevent unauthorized IP addresses from sending emails from your domain.
But first, make a list of all the authorized IP addresses you can find that currently send mail from your domain.
- Web server
- In-office mail server
- ISP’s mail server
- Any third-party mail servers
Don’t worry if you can’t find every IP address yet. DMARC monitoring (step 4) will take care of that for you. But it is good to save yourself some time by gathering as many as you can at this point.
Step 2: Create an SPF record for your domain(s)
- Open your text editor and create an SPF record for each domain.
Example 1: v=spf1 ip4:18.104.22.168 ip4:22.214.171.124 ip4:x.x.x.x -all
Example 2: v=spf1 ip4:126.96.36.199 ip4:188.8.131.52 include:thirdparty.com -all
- Save the file and publish it to your DNS.
- Use an SPF tool (like this one from our partner, Valimail) to make sure everything was entered correctly.
Step 3: Set up DKIM
DKIM is an email authentication standard that uses public/private key cryptography to sign email messages. It prevents messages from being tampered with in transit.
- Choose a DKIM selector.
Example: “standard._domain.example.com” = host name
- Generate a public-private key pair for your domain.
Windows: Use PUTTYGen
Linux/Mac: Use ssh-keygen
- Create and publish a new .TXT record through your DNS management console.
It should look like this: v=DKIM1; p=YourPublicKey
Step 4: Monitor, Communicate & Repeat
Set up DMARC to begin monitoring your current email traffic to give you a solid baseline for what’s approved (and what will eventually be quarantined or rejected by DMARC).
Note: Taking the time to monitor now will prevent important messages from getting lost or permanently deleted once DMARC is fully enabled.
Here’s how to start monitoring your traffic through DMARC:
- Ensure you’ve correctly set up SPF and DKIM.
- Create a DNS record.
The “txt” DMARC record should be named similarly to “_dmarc.your_domain.com.”
Example: “v=DMARC1;p=none; rua=mailto:dmarcreports@your_domain.com”
If you manage the DNS for your domain, create a “p=none” (monitoring mode) DMARC record in the same manner as the SPF and DKIM records.
If you don’t manage the DNS, ask your DNS provider to create the DMARC record for you.
- Test your DMARC record through a DMARC check tool.
Note: You usually have to wait 24-48 hours for replication
DMARC will now begin generating reports that will give you a lot of visibility into the mail being sent through your domain, including any messages flagged by SPF and DKIM.
Important: This is where you’ll find out if any legitimate senders appear in the report who weren’t previously included in your SPF record (step 1). If there are, make sure to update your record accordingly.
The problem? These reports come in a not-so-easy-to-read XML file. And since you’ll be spending quite a bit of time going over the data, we highly recommend using a DMARC report processor (like this one from Valimail) to make it all a lot easier to parse.
Step 5: Socialize, then start stepping up enforcement
After you’ve monitored your mail for enough time that you believe you’ve identified any legitimate messages that are being flagged as unauthorized, it’s time to start stepping up enforcement.
DMARC has two enforcement levels: “quarantine” and “reject.” “Reject” is obviously much more secure, and therefore our ultimate recommendation, but either level will qualify your domain for a VMC.
Before jumping straight to reject, however, the safest bet is to spend some time in quarantine. Here’s how:
- Log in to your DNS server and search for the DMARC record.
- Open the DMARC record for the specified domain and update the policy from “p=none” to “p=quarantine”
- Add the flag “pct” (% of messages subject to filtering). We suggest starting with 10% and slowly increasing the percentage until you’re at a full 100%.
Once you’re at 100% filtering, you’re officially VMC-qualified and ready to start rejecting.
- Open your DMARC record and change “p=quarantine” to “p=reject”