DMARC setup stages


This is a continuation post covering a process to setup DMARC on active domains. Visit A (sane) DMARC setup process for busy email domains to know more about this post series.

Here is a brief overview of the DMARC setup process we will be covering in this post series:

The 5-Stages DMARC Setup process

The 5-Stages DMARC Setup process is composed of the following stages:

  • Stage 1 - Prepare
  • Stage 2 - Survey & adjust
  • Stage 3 - Test & adjust
  • Stage 4 - Protect
  • Stage 5 - Monitor

In summary, we prepare the domain and some tracking tools in the first stage of the process. As we will see, planning and organization is crucial for a smooth deployment of DMARC on busy domains. During this stage all senders are listed, and default DNS record are set up.

In Stage 2 we will be running the domain using DMARC in reporting-only mode. The objective of this stage is to gather as much information as possible about emailing patterns, and authorized server traffic. We also adjust DNS records and server configurations to fix issues uncovered by DMARC reports.

Stage 3 entails setting up the domain in test mode. Here we will use some advanced options of DMARC to try to get feedback from domain users, and use this feedback to refine our DNS records and/or server configuration.

In Stage 4 we finally enable full email domain protection. We still keep checking DMARC and user reports for a while, for last minutes missed servers and other legitimate senders.

Lastly, in Stage 5 we implement an on-going monitoring process to make sure that DNS records are correct, and the domain DMARC configuration doesn't break and leave the domain open to forged emails and phishing attacks.

Example Inc. DMARC deployment diary

Before we start with the 5-Stage DMARC Setup process for Example Inc., we make sure that we have the credentials to update the domain on the DNS host — or that we can reach out to someone that can apply the changes in a timely manner.

Luckily for us, we have full access to the DNS host account so we can do all the changes ourselves.

Lastly, we do a quick check on the DNS zone. We’re most interested in the SPF, DMARC, and DKIM selector records.

During this check we learn that Example Inc.’s domain has a soft-fail (?all) SPF default. DKIM is configured, and based on some test emails and user feedback we see that emails are being signed properly by some senders, but not all. Indeed the domain has a DMARC record set up, however the record has a non restrictive policy (p=none), and no reporting set up — so effectively it is as if it has no DMARC setup at all.

At this point we’re ready to start the 5-Stages DMARC Setup for Example Inc.

Next: Stage 1 — Prepare

Previous PostNext Post