Protect Your Domain Against Spoofing with SPF, DKIM, and DMARC

I have meant to setup DMARC for a long time now. Every time that I started reading about it, warnings about email loss and indecipherable DNS entries put that project a little further down my list. I know this must be true for others as well! A quick DNS check shows that only 5% of the counties in my state are even using DMARC!

DMARC isn’t that scary and by the end of this post, you will have SPF, DKIM and DMARC enabled in your domain. SPF will require a single DNS entry that lists authorized mail servers or sending domains. DKIM will require one or two DNS records. It will also require checking a box to enable DKIM on your email server or provider. DMARC will require just one DNS record, though you will need to modify it once or twice in the future as you go from audit to enforcement mode.

Together, these technologies will help prevent addresses in your domain from being spoofed. Said another way, it will protect others from receiving malicious spoofed email addresses that appear to come from you.

Do I have SPF, DKIM, or DMARC Enabled?

First, head to this link and enter your mail domain name. We are going to be using the Global Cyber Alliance’s website quite a bit in this article. After entering your domain name, you should see something that looks like this:

Chances are, you already have an SPF record that lists your authorized mail servers. SPF records are often created when setting up cloud base email services. DKIM and DMARC are probably not enabled for your domain. At the end of this post, we will talk about why my DMARC result is a yellow check mark instead of a nice happy green one.

If you have found yourself with a few (or all) Red X’s, consider enabling just one service a week. Because DMARC has a testing phase, you will be completely done with this project after a month (though the actual time spent on this project will probably be less than an hour).

How to Enable SPF

From the link above, you can click on SPF (or DKIM or DMARC) and press Next to learn how to enable the service. Each section also includes wizard for generating the required DNS records.

If you accept the defaults for each step, you will see a recommended option that refers to your MX record and uses ~All to enable a soft fail. To contrast this, Office365 will recommend the following:

Either method will work but referring to your MX record will give you one less thing to change in the future if you transition to a new email provider.

After creating your DNS record, you should be able to wait a few minutes and check your domain again. You should see a green check now and other email servers can know if messages from your domain are legitimate by checking your SPF record against the sending mail server.

SPF is not perfect and works better with DKIM/DMARC. When researching SPF, I found this short video very helpful. Now set a reminder for a week from today to continue with DKIM. Or if you are feeling froggy and it isn’t a Friday, read on.

How to Enable DKIM

Where SPF can help validate messages by checking Mail From field on messages, DKIM helps by uniquely signing each message that your domain sends. You will need to do two things to enable DKIM.

First, you will create your DNS entries. These point receiving email servers to your public key. If your email is internal, go through the Global Cyber Alliance’s DKIM guide to create your DNS entries. If your email is hosted, you will need to find out how your provider wants your DNS entries to look.

For Gmail, head here.

For Office365, head here.

Both services will tell you what they want for the DNS record name and for the DNS record value. The result is that you will have one or two DNS records that look like:

Type: CNAME Name: selector1._domainkey Value: selector1-deployhappiness._domainkey.DH.onmicrosoft.com 1 2 3 4 Type : CNAME Name : selector1 . _domainkey Value : selector1 -deployhappiness . _domainkey . DH . onmicrosoft . com

After creating the records, you will need to enable DKIM on your mail server. For hosted providers, this should be as simple as pressing an enable button.

I found this video very helpful when wrapping my head around DKIM.

On the DMARC Guide Global Cyber Alliance website, check your domain again. You should have a green check mark next to SPF and DKIM now. Like before, set a reminder for a week from now. You can also print your resume and start on DMARC.

How to Setup DMARC

SPF and DKIM provide receiving mail servers a way to validate legitimate emails from your domain from illegitimate emails. DMARC tells those receiving email servers how they should treat illegitimate emails. It will also let you see who is trying to spoof your domain.

DMARC is rolled out in either two or three stages. The first stage runs in audit mode. You will create a DNS record that tells receiving email servers where to send your DMARC reports. The second stage will tell receiving servers to mark illegitimate email as junk. The third (optional) stage tells receiving servers to discard illegitimate email at the door. You will still get reports on the second and third stages.

Using an Analyzer for DMARC Reports

Implementing DMARC is a lot easier if you have a tool that can parse and group those reports. Here are two:

You will only need to use one of these tools for the audit stage (which will last a week or two). Both services are free for the first couple of weeks. Both of those tools will also tell you what your DMARC DNS record should look like. If you are interested in how DMARC works behind the scenes, check out this video.

Create your record and wait a few days. You should start seeing message reports popping in. You can review these by source, type or dive into forensic reports.

If your compliance is fairly high after a week or two, you can move away from audit mode (p=none part of your DMARC record) and to either quarantine (p=quarantine) or reject (p=reject). Be sure to set reminders to follow up – too many places are still using DMARC audit mode. Audit mode doesn’t do anything to malicious messages.

If you comfortable with it, you can also stop using your analyzer tool at this point. Create an email address to receive your DMARC reports. You might want to create two or use alias to separate reports (rua=) from forensic messages (ruf=) when you update your DMARC DNS record.

Not Using an Analyzer for DMARC Reports / AKA – The Hard Way

If you don’t want to use one of those tools, you can use the DMARC Guide’s DNS record creator instead. You will need to create a dedicated email address to receive your DMARC reports. It can be helpful to create separate mailboxes for the report type. One mailbox for the reports (rua=) and another for the forensic messages (ruf=).

You will need to monitor the reports that you receive for a week or two. Once you are sure that no legitimate 3rd party email server is sending messages on your behalf, you can change the p=none part of your record to p=quarantine or p=reject.

P=Quarantine Vs. P=Reject

At the very beginning of this post, you might have noticed the yellow check mark for DMARC on my domain. This is because my DMARC record specifies p=quarantine instead of p=reject.

In my wholly unqualified opinion, using quarantine gives receiving email servers a bit more flexibility and gives any legitimate (but DMARC failing messages) a chance to arrive. This decision was based on how Office365 treats incoming messages for all domains. On Office365 domains, Microsoft treats p=reject as p=quarantine. Although this analogy isn’t quite right, incoming and outgoing messages have the same DMARC policy for my domain.

Viewing Message Headers in Outlook

During this whole process, I found the Microsoft Message Header Analyzer Add-in for Outlook extremely useful!

In Outlook, select Get Add-ins (Home Tab) and search for Message Header. Install the add-in, pictured above.

You can now select any message that you have received and press the View Headers button that appeared in your toolbar. To see SPF, DKIM and DMARC details, select the birthday cake icon and scroll down a bit. This tool is also handy when troubleshooting SPAM issues (like finding out why a SPAM email was marked as legitimate).

If you have made it this far and enabled SPF, DKIM and DMARC, congratulations! As I said at the beginning of this post, very few domains make it this far!

You are now in maintenance mode and will need to periodically check your DMARC reports for any legitimate emails that are failing DMARC. If you have any questions about any of these technologies or want to share a tip about setting them up, just leave a comment!