Configure DMARC For Exchange Services
In the previous blog we talked about email security using DKIM; in this one we will talk about how to configure DMARC for Exchange services, whether Exchange on-premises or Exchange Online. First, let's look at what DMARC is.
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email protocol that, when published for a domain, controls what happens when a message fails authentication (i.e. the receiving server cannot verify that the message's sender is who they claim to be). Receiving organizations run the authentication checks (SPF and DKIM) on messages purporting to come from the sender's domain and determine whether each message was really sent by the domain named in it. DMARC then answers the question of what should happen to messages that fail those checks: should they be quarantined, rejected, or delivered anyway even though they failed to prove their identity? Long story short, DMARC acts as a gatekeeper for inboxes and, if set up properly, can keep phishing and malware messages from landing in the inbox.
What are the benefits of DMARC?
There are a few key reasons that you would want to implement DMARC:
- Reputation: Publishing a DMARC record protects your brand by preventing unauthenticated parties from sending mail from your domain. In some cases, simply publishing a DMARC record can result in a positive reputation bump.
- Visibility: DMARC reports increase visibility into your email program by letting you know who is sending email from your domain.
- Security: DMARC helps the email community establish a consistent policy for dealing with messages that fail to authenticate. This helps the email ecosystem become more secure and more trustworthy.
What does DMARC look like?
A DMARC policy is published as a TXT record in the domain's public DNS. A simple record looks like this:
v=DMARC1;p=reject;rua=mailto:exgadmin@pdhewaju.com.np;aspf=s
where:

| Tag | Value | Name | Description |
|---|---|---|---|
| v | DMARC1 | Version | Identifies the record retrieved as a DMARC record. It must be the first tag in the list. |
| p | reject | Policy | Policy to apply to email that fails the DMARC test. Valid values are 'none', 'quarantine', or 'reject'. |
| rua | mailto:exgadmin@pdhewaju.com.np | Receivers | Addresses to which aggregate feedback is to be sent. Comma-separated plain-text list of DMARC URIs. |
| aspf | s | Alignment Mode SPF | Indicates whether strict or relaxed SPF Identifier Alignment mode is required by the Domain Owner. Valid values are 'r' (relaxed) or 's' (strict). |
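To make the tag semantics concrete, here is an added example (not code from the original post) that parses a DMARC record such as the one above and evaluates a message against it the way a receiving server would: a message passes only if SPF or DKIM passed and the authenticated domain is aligned with the From: domain under the configured mode; otherwise the disposition in p= applies. The sample record, From: domains and authentication results are constructed; the organizational-domain helper is a simplified stand-in for the Public Suffix List lookup real receivers perform.

```python
# Added example (not code from the original post): parse a DMARC TXT record
# and evaluate a message against it the way a receiving server does.
from typing import Dict

# Constructed sample record, same shape as the one shown in the post.
SAMPLE_RECORD = "v=DMARC1;p=reject;rua=mailto:exgadmin@pdhewaju.com.np;aspf=s"

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag/value pairs and validate the required tags.

    Raises ValueError for records a receiver would treat as unusable
    (v=DMARC1 not first, missing or invalid p=, bad alignment mode).
    """
    tags: Dict[str, str] = {}
    first = True
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if first:
            if key != "v" or value != "DMARC1":
                raise ValueError("v=DMARC1 must be the first tag")
            first = False
        tags[key] = value
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    # Alignment modes default to relaxed when the tag is absent.
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    for tag in ("aspf", "adkim"):
        if tags[tag] not in VALID_ALIGNMENT:
            raise ValueError(f"{tag}= must be 'r' or 's'")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption for this example only: real receivers consult the Public
    Suffix List, which matters for names like example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(tags: Dict[str, str], from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' if SPF or DKIM passed *and* aligns with the From: domain,
    otherwise the disposition the domain owner requested in p=."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_RECORD)
    # Mail relayed via a subdomain host: SPF passes for mail.example.com, but
    # aspf=s demands an exact match with the From: domain, so only an aligned
    # DKIM signature could rescue the message. Here there is none, so p= applies.
    print(evaluate(policy, "example.com", "pass", "mail.example.com", "none", ""))
```

The strict SPF case is the one that catches people out when they first publish aspf=s: any sending host whose Return-Path domain differs from the From: domain, even a subdomain, stops aligning, and with p=reject that mail is refused.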
How do we publish DMARC?
When we publish DMARC in our public DNS we need a record value built as described above, or you can generate one with either of these tools:
https://mxtoolbox.com/DMARCRecordGenerator.aspx
or
https://dmarcian.com/dmarc-record-wizard/
Once you have the value, create the DNS record as below:
Record Type: TXT
Hostname: _dmarc
Value: v=DMARC1;p=reject;rua=mailto:exgadmin@pdhewaju.com.np;aspf=s (as created with the tool above)
TTL: 3600
Also, this video sourced from YouTube could be quite useful for understanding DMARC.