Domains Without DMARC Declaration

DMARC policies allow the opportunity to advice external email services how to handle spoofed email for your domain

Details ¶

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a configuration tool that helps domain owners manage how their emails are handled by external email servers. It provides instructions for external email services to handle emails claiming to be from your domain that fail Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) checks. By including a suitable DMARC policy you adverise explicit instructions to third parties as to your SPF and DKIM status and can advise that spoofed emails be quarantined or rejected.

Our recommended DMARC implementation follows a complete setup of SPF and DKIM records, ensuring that legitimate emails from your email service provider are fully provisioned and that both SPF and DKIM records are available on your DNS servers. Once complete we suggest implementing a DMARC entry confirming rejection of any emails that fail DKIM or SPF checks. This way spoofed emails are outright rejected, defending your domain’s reputation and providing a clear differentiation in handling between your legitimate emails and spam.

Remediation ¶

Implementing DMARC requires adding a TXT record to your domain’s DNS settings, which instructs external email servers on how to treat emails that fail SPF or DKIM checks. Although the implementation process for DMARC is straightforward, it requires an accurate understanding of your current SPF and DKIM compliance and that both of these protocols are correctly implemented and functioning.

Having the full recommended DMARC policy in place means you need to have both a functioning and published SPF record as well as an operational DKIM record. Accurate setup is critical to ensure that all emails sent from your domain adhere to the defined policies and aren’t mistaken for spam and therefore rejected.

Our full recommended DMARC policy is included below where:

• The version for the record is set to DMARC version 1 (v=DMARC1)
• The policy is for any failures to be rejected (p=reject)
• The alignment for DKIM failures is to adhere strictly to the rejection policy (adkim=s)
• The alignment for SPF failures is to adhere strictly to the rejection policy (aspf=s)

v=DMARC1; p=reject; adkim=s, aspf=s;

SkySiege Cloud Assessments detect DKIM, SPF and DMARC failures as standard, so rather than scanning through all your domains to find issues our systems can find them in minutes and perform a number of checks alongside an assessment of the rest of your cloud infrastructure. Get in touch with SkySiege to discover the state of your email deliverability: