The ever-evolving internet and its drastically increased usage since the onset of the pandemic have increased the landscape for hackers, impersonators, and threat actors to get into the organization domains. As threat actors are learning new and sophisticated ways to attack, so are we to provide a shield with DMARC deployment.
One small hack can drastically put a question mark on the very reputation and credibility of your brand. The goal of DMARC is to build a system of senders and receivers that will mutually collaborate to improve the authentication practices of the senders and enable receivers to reject illegitimate messages.
Why does BETTER email authentication start with DMARC deployment?
‘42% of customers are less likely to engage with a brand after being phished by an attacker posing as that organization.’
DMARC can give your brand a considerable level of immunity from these malicious indictments explaining why you need to deploy DMARC today!
- Better Security – With DMARC you can protect your customers from spam, fraud, spoofing and phishing by simply blocking unauthorized access to your domain.
- Improved Visibility – You can easily get comprehensive information about who (and/or what) across the vast internet is sending an email using your domain.
- Brand Protection – You protect your customers and they will do everything to protect your brand. It’s always better to have the best defence in place to protect yourself from identity theft and targeted attacks.
You might want to know more about DMARC: https://www.tikaj.com/blog/dmarc-need-of-enforcement-in-financial-institutes/
Hit the security mark by DMARC
Wondering how to deploy DMARC easily? Sit back and let’s begin.
Step 1: Setting up the Sender Policy Framework
- Gather all the IP Addresses that are used to send email from your domain including Web Servers, In-office mail servers, ISP’s mail server, Any third-party mail servers.
- Make a list of both your sending and non-sending domains.
- Create an SPF record in .txt for each domain using a text-editing program (i.e. Notepad, Vim, Nano etc)
- Publish your SPF records to DNS or ask the administrator to add them if you aren’t managing your DNS
- Once the record is added to DNS, check it using an SPF Check tool.
Step 2: Setting up the DomainKeys Identified Mail (DKIM)
- Choose a DKIM selector, it should be a simple user-defined text string that will be appended to the domain name to help identify the DKIM public key.
- Generate a public-private key pair for your domain. For instance, Windows end-users can use PUTTYGEN, Linux and Mac end-users can use ssh-keygen
- Create a new record through your DNS management console using the public key from the above pair and publish the new txt record.
Step 3: Setting up DMARC
- Ensure you’ve correctly set up the SPF and DKIM
- Create a DNS record, the txt DMARC record should be named similar to “_dmarc.your_domain com. ” If you manage the DNS of your domain, create a “p=none” (monitoring mode) DMARC record in the same manner as the SPF and DKIM records.
- Test your DMARC record through a DMARC check tool.
Step 4: Enabling DMARC Reporting and Monitoring
- The report is an XML file that includes, count of messages from each IP, what steps were taken per the DMARC policy, SPF results of these messages, DKIM results of these messages.
- The report shows domain owners how many fraudulent messages are using their domain, where they are coming from. Whether they would be stopped by “quarantine” or “reject” policy.
Step 5: DMARC Enforcement
- It might take your organization to be in monitoring mode for a long time before moving to the “quarantine” zone. But once you are confident that your inventory has authorised senders mapped you can move.
- Log in to your DNS server and search for the DMARC record.
- Open the record for the specified domains and update policy from “p=none” to “p=quarantine”
- Add the flag “pct” (percentage of messages subject to filter)
- Once you have reached 100% filtering, you’re ready to move “p=reject” to the HIGHEST level of enforcement level.
Step 6: DMARC Reject Policy
- Open the DMARC record through your DNS console.
- Change “p=quarantine” to “p=reject”
- Save the record
Bonus tip: It’s especially important to continue to monitor at this stage to ensure that legitimate emails are not being rejected and deleted.
Remember these as you sit to blast off your email authentication journey!
- Document a deployment policy that you can share with the stakeholders.
- Reach out to a DMARC support provider if DMARC tasks are too overwhelming.
- Communicate new findings from the DMARC report as soon as possible.
- Update your SPF record with newly discovered legitimate senders.
- The percentage of the “pct” flagging should increase gradually.
- In the reject policy, all emails that fail the DMARC check will be blocked/deleted and the email server will never get to know about it, so be sound when to you apply reject.
Read more on how to Increase security for forged spam with DMARC https://support.google.com/a/answer/2466563?hl=en