How To Safely Get DMARC Fully Configured

Late last year I had a new project for STK Promotions to build out a new store for Peacemaker Project 703. As part of that build we set up a new domain, which also meant setting up new mail senders from the store. Really we needed more than that, and over a few weeks I took the time to get DMARC properly set up and running. This then extended to a couple of other domains, which are now dialed up in aggressiveness and seeing fake senders actually get quarantined or even rejected. This process took both time and a solid understanding of what was going to be sending on the domain's behalf. Here is a quick write-up on how I sorted through it all.

DMARC Configuration: Start Monitoring

Before you can do anything to configure DMARC, you first have to identify what is sending on your behalf. This may seem obvious, but for some it might be useful to run a tool. I chose DMarcian for this as it was free for two domains and easy to use. Simply add a domain and publish the DNS TXT record it gives you for monitoring. It will look something like this:

v=DMARC1; p=none; rua=mailto:[email protected];

This will simply start sending the data once a day to the service so you can see who is sending for that domain. Bear in mind you need to let this run for a bit. In the case of the Peacemaker Project 703 store, I went and configured all the additional services for email marketing, WordPress/WooCommerce order updates, shipping, and even a service for product review reminders. Once you let this run you will get a list of all those things you either configured or maybe didn't know about. It will start to look something like this:

DMARC Configuration: Configure Sender SPF/DKIM

Now that you have a solid list of services sending on your behalf (and you might find some that are NOT yours, which is the purpose of all this work), you need to see which ones support SPF and/or DKIM. Some support both for custom domains; others may support only one or the other. You need to research each one, and in my case one service (Shipstation) did NOT support either. So I had to determine how to send shipping info without using their built-in emails, so that I could remove them from the senders list over time.

Once you work with each vendor you want to keep so that they send authenticated email, you will modify your DNS according to each vendor's instructions. As I said, you may be able to use both SPF and DKIM, but I also found that DKIM configuration "trumps" SPF in some cases. You will continue to run DMARC in monitor mode until you see that all your senders are "green" for the sending frameworks.

Now you can see when things start to align from your DNS configurations. Again this takes time, days or even a couple of weeks, since the data is only processed once a day. Where SPF is not possible or there is 0% SPF alignment, from what I have seen, as long as DKIM is at 100% alignment you are still able to move on to the next step of cranking up the security.
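The sender list and the per-sender alignment percentages described above come from the aggregate (rua) reports that receivers mail to the address in the DMARC record. As an added example that is not part of the original post and is not DMarcian's code, here is a small parser that turns one such report into that list: per source IP it counts messages, DKIM-aligned passes, SPF-aligned passes and dispositions, flags sources with no aligned authentication at all, and checks whether every known sender is fully "green" by DKIM or by SPF. The report, domain and IP addresses are constructed sample data; the only assumption about the format is the standard aggregate-report schema (the `policy_evaluated` dkim/spf values are the aligned results, not the raw ones).

```python
"""Summarise a DMARC aggregate (rua) report per sending source."""
from collections import defaultdict
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

# Constructed sample report (not a real receiver's data), one day for store.example:
# one mail host with SPF+DKIM, one marketing service with DKIM only, one unknown host.
SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>store.example</domain>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>store.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>store.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>6</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>store.example</header_from></identifiers>
  </record>
</feedback>
"""


@dataclass
class SourceStats:
    """Counters for one source IP across all records in a report."""
    total: int = 0
    dkim_pass: int = 0   # messages with an aligned DKIM pass
    spf_pass: int = 0    # messages with an aligned SPF pass
    dispositions: dict = field(default_factory=lambda: defaultdict(int))


def summarise_report(xml_text: str) -> dict:
    """Map source IP -> SourceStats, summing the <count> of each <record>."""
    root = ET.fromstring(xml_text.strip())
    stats = defaultdict(SourceStats)
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        s = stats[row.findtext("source_ip")]
        s.total += count
        if evaluated.findtext("dkim") == "pass":
            s.dkim_pass += count
        if evaluated.findtext("spf") == "pass":
            s.spf_pass += count
        s.dispositions[evaluated.findtext("disposition")] += count
    return dict(stats)


def alignment_pct(s: SourceStats) -> tuple:
    """(DKIM-aligned %, SPF-aligned %) of this source's messages."""
    return (round(100 * s.dkim_pass / s.total, 1), round(100 * s.spf_pass / s.total, 1))


def unauthenticated_sources(stats: dict) -> list:
    """Sources that never produced an aligned DKIM or SPF pass: not yours, or not yet configured."""
    return sorted(ip for ip, s in stats.items() if s.dkim_pass == 0 and s.spf_pass == 0)


def ready_to_enforce(stats: dict) -> bool:
    """True when every source that authenticates at all is 100% aligned by DKIM or by SPF.

    A partially aligned source means a legitimate sender would lose mail under a
    quarantine/reject policy, so fix it before raising the policy.
    """
    for s in stats.values():
        if (s.dkim_pass or s.spf_pass) and s.dkim_pass != s.total and s.spf_pass != s.total:
            return False
    return True


if __name__ == "__main__":
    report = summarise_report(SAMPLE_REPORT)
    for ip, s in sorted(report.items()):
        dkim, spf = alignment_pct(s)
        print(f"{ip:16} msgs={s.total:4} dkim={dkim:5}% spf={spf:5}% {dict(s.dispositions)}")
    print("unauthenticated:", unauthenticated_sources(report))
    print("ready to enforce:", ready_to_enforce(report))
```

Run over a real report, the DKIM-only source is the SPF-0%/DKIM-100% case the text describes: it counts as aligned, so it does not block moving on, while the all-fail source is what a stricter policy will start quarantining.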

DMARC Configuration: Dial Up The Settings

The DMarcian service has a great Policy Planner tool to help you move this up. It starts by checking percentages against the policy from 1% and then increases in increments. You use the policy generator to get the suggestion and simply update your DNS accordingly. This is where the magic starts to happen, as you begin quarantining messages NOT sent from your authenticated domain services. It will start out low and the percentage will grow over time as you recheck the planner tool, which uses the past data to make suggestions. Currently one of my domains is up to 75% (pct=75 in the record), and soon the planner will move it from quarantine to REJECT:

v=DMARC1; p=quarantine; pct=75; rua=mailto:[email protected]; ruf=mailto:[email protected];

You have to keep checking your data and re-running the policy tool, again over a few weeks. Eventually you will start to see issues like this:

This is exactly what you want to see. Those threats were not my domain and in fact were not allowed to send as the domain. While they were not "rejected" yet under these settings, they were in fact quarantined, and eventually the policy will be dialed up to "reject" completely.
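The ramp above (p=none, then p=quarantine with a rising pct=, then reject) is easy to get wrong by hand-editing DNS, so here is an added example, not from the original post and not DMarcian's Policy Planner, that parses a DMARC TXT record, validates the tags that matter, and proposes the next rung. The rung ladder (1, 5, 10, 25, 50, 75, 100 percent) is an assumption of this example; the planner's own increments are whatever it suggests from your data. The rua=/ruf= addresses are kept as-is, and a pct= value above 100 or a missing p= tag is rejected rather than silently published.

```python
"""Parse, validate and step up a DMARC TXT record one rung at a time."""

# Assumed ramp for this example (not DMarcian's algorithm): pct= values to climb through.
PCT_LADDER = [1, 5, 10, 25, 50, 75, 100]
POLICIES = ["none", "quarantine", "reject"]
TAG_ORDER = ["v", "p", "sp", "pct", "rua", "ruf"]   # output order; other tags follow


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value;' into a dict and check the tags a policy depends on."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    if not tags.get("pct", "100").isdigit() or not 0 <= int(tags.get("pct", "100")) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    return tags


def build_dmarc(tags: dict) -> str:
    """Serialise tags back to the 'v=DMARC1; p=...;' form used in DNS."""
    ordered = [k for k in TAG_ORDER if k in tags] + [k for k in tags if k not in TAG_ORDER]
    return "; ".join(f"{k}={tags[k]}" for k in ordered) + ";"


def next_step(record: str):
    """Return the record for the next rung of the ramp, or None when already p=reject at 100%."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))        # pct= defaults to 100 when absent
    if policy == "none":
        new_policy, new_pct = "quarantine", PCT_LADDER[0]
    else:
        higher = [x for x in PCT_LADDER if x > pct]
        if higher:
            new_policy, new_pct = policy, higher[0]
        elif policy == "quarantine":
            # Under p=reject, the unsampled share still gets quarantine, so the ramp restarts low.
            new_policy, new_pct = "reject", PCT_LADDER[0]
        else:
            return None
    stepped = dict(tags)
    stepped["p"] = new_policy
    stepped["pct"] = str(new_pct)
    return build_dmarc(stepped)


if __name__ == "__main__":
    # Constructed starting record; the mailbox is a placeholder, not a real address.
    current = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test;"
    while current:
        print(current)
        current = next_step(current)
```

Each call proposes one rung; in practice you publish a rung, wait for the aggregate reports to confirm nothing legitimate is being caught, and only then call it again.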

DMARC Configuration: Conclusions

My experience with DMARC has been that it does work well, BUT you need to spend some time understanding all your sending sources. For larger companies this could be a lot of services. Even for this one store it was five, which came down to only four once I dropped a service that could not comply with SPF/DKIM. Also, while all these things work together and you can have SPF and DKIM set up without the DMARC records, you won't have the data and the ability to use the information. Everyone should be using SPF or DKIM, but I also think everyone can benefit from DMARC if implemented properly and with the care taken to do so.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Prior to this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

One comment

  1. Great guide on DMARC configuration! While reading this, I couldn’t help but think about how Post SMTP could complement these efforts seamlessly. It’s a fantastic tool for ensuring secure and reliable email delivery. Thanks for sharing this valuable information!

    Check out this blog as well:

    https://postmansmtp.com/multiple-spf-records/
