DMARC: Tips for Planning and Implementation

Tips for DMARC Implementation

  • Always start at policy level “none” to confirm that SPF and DKIM are set correctly.
    • This allows an organization to take into account any third-party systems authorized to send on its behalf, by analyzing the incoming DMARC aggregate reports.
    • Check DKIM key-size support with your DNS provider. Not all DNS providers support 2048-bit keys, but all support 1024-bit keys.
    • NOTE: This policy level does not provide protection against email impersonation.
  • Once you are sure all email senders you use are properly authorized, move to a policy of “reject”.
  • Use proper syntax:
    • TXT record name must start with ‘_dmarc’.
    • Ensure there are no typos.
    • Use exactly one policy level, with a valid value (none, quarantine or reject).
    • Check the separators (commas versus semicolons) and the spacing around them in the SPF, DKIM and DMARC records.
  • Take into account how subdomains are treated with DMARC policies. By default the ‘p’ tag applies to the top-level domain and all subdomains. If the ‘sp’ tag is added, then you can control the policy level for subdomains. Items to consider:
    • If you have multiple subdomains and are ready to move the top-level domain to quarantine/reject, then consider creating a DMARC policy for subdomains. This way the top-level domain DMARC policy does not impact the subdomains until they are ready for quarantine/reject.
    • If you do not have subdomains, then add ‘sp=reject’ to your top level domain policy.
  • Implement DMARC policies of “reject” on domains not in use for email messaging. This will prevent anyone from using those domains to send email.
  • If you have multiple domains, the DMARC reports can be sent to one domain, e.g. allow example.org to receive DMARC reports for example.com. Just create an additional DNS TXT record to allow the domain to receive those reports. Information on how to do so can be found here.
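As an added example (not code from the original page), a small Python checker for the syntax points above and for the cross-domain reporting record: it flags a missing or misplaced v=DMARC1, duplicate or misspelled policy tags, comma-for-semicolon mistakes, and lists the authorization TXT record the report-receiving domain must publish (the `<domain>._report._dmarc.<receiver>` name follows RFC 7489 section 7.1). The records and domains are constructed; nothing is looked up in DNS.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,]+@([^@\s,]+)")


def parse_tags(record: str) -> list[tuple[str, str]]:
    """Split 'v=DMARC1; p=reject; ...' into (tag, value) pairs, keeping duplicates."""
    parts = [p.partition("=") for p in record.split(";") if p.strip()]
    return [(tag.strip().lower(), value.strip()) for tag, _, value in parts]


def check_dmarc(record: str) -> list[str]:
    """Return the syntax problems found; an empty list means the record passes."""
    tags = parse_tags(record)
    problems = []
    # v=DMARC1 must be the first tag and match exactly, or receivers ignore the record.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if sum(1 for t, _ in tags if t == "p") != 1:
        problems.append("exactly one p= tag is required")
    for tag, value in tags:
        if tag in ("p", "sp") and value not in POLICIES:
            # A comma instead of a semicolon shows up here as a garbled policy value.
            problems.append(f"{tag}={value} is not none, quarantine or reject")
        if tag == "rua":
            for uri in value.split(","):
                if not MAILTO.fullmatch(uri.strip()):
                    problems.append(f"rua entry {uri.strip()!r} is not a mailto: URI")
    return problems


def external_report_records(domain: str, record: str) -> list[tuple[str, str]]:
    """TXT records the receiving domain must publish when reports leave `domain`."""
    needed = []
    for tag, value in parse_tags(record):
        if tag == "rua":
            for uri in value.split(","):
                m = MAILTO.fullmatch(uri.strip())
                if m and m.group(1).lower() != domain.lower():
                    needed.append((f"{domain}._report._dmarc.{m.group(1)}", "v=DMARC1"))
    return needed


# Constructed sample records for _dmarc.example.com (not real DNS data).
GOOD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org"
TYPO = "v=DMARC1; p=rejct; p=none, rua=mailto:dmarc@example.com"
```

Running `check_dmarc(TYPO)` reports three problems (two p= tags, the misspelled value, and the comma that swallowed the rua tag), while `external_report_records("example.com", GOOD)` yields the one record example.org must publish.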