DMARC, together with SPF and DKIM, protects your domain against spoofing and phishing. It is an additional layer of authentication: the receiving server looks up DNS records published by the domain owner to check whether the sending server is authorized to send email for your domain. This lets the destination email server decide whether to trust messages that claim to come from your domain.
How does DMARC protect email in Office 365?
Email messages carry sender and receiver addresses. Two sender addresses in particular serve different purposes:
The "Mail From" address identifies the sender and tells the receiving server where to send non-delivery notices if there is a problem delivering the message. This is called the 5321.MailFrom address and is not displayed by the mail application.
The "From" address identifies the author of the email. This is called the 5322.From address and is the one displayed explicitly in the email.
SPF performs its authorization check against the 5321.MailFrom address, using a DNS TXT record. The 5322.From address, the one the recipient actually sees, is not authenticated by SPF itself. That leaves room for spam and phishing messages that pass SPF for some other domain while showing your domain in the From header. With DMARC, the check is also tied to the 5322.From address (the domain that passed SPF or DKIM must align with it), so your domain is better protected against phishing and spam.
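To make the alignment point concrete, here is an added example (not code from the page or from Microsoft) that evaluates a message the way a DMARC-capable receiver does: it takes the SPF result for the 5321.MailFrom domain and the DKIM result for the signing domain, and only counts a pass if that domain aligns with the 5322.From domain. The domain names, message fields and the toy public-suffix list are constructed for the example; a real evaluator uses the full Public Suffix List to find the organizational domain.

```python
# Added example: DMARC identifier alignment on top of SPF and DKIM results.
# All domains, results and the suffix list below are constructed sample data.

from dataclasses import dataclass
from typing import Optional

# Toy public-suffix list, only what this example needs (assumption: real code
# uses the full Public Suffix List).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, e.g. mail.contoso.com -> contoso.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class Message:
    header_from: str            # 5322.From domain (what the user sees)
    mail_from: str              # 5321.MailFrom domain (bounce address)
    spf_result: str             # "pass" or "fail", evaluated for mail_from
    dkim_domain: Optional[str]  # d= of the verified signature, None if none
    dkim_result: str            # "pass" or "fail"


def dmarc_result(msg: Message, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes only if SPF or DKIM passes AND that mechanism's domain
    aligns with the 5322.From domain. A pass for an unrelated domain does
    not count, which is exactly what stops header-From spoofing."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, aspf)
    dkim_ok = (msg.dkim_result == "pass" and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, msg.header_from, adkim))
    return "pass" if (spf_ok or dkim_ok) else "fail"


# Constructed samples: a legitimate message, and a message that passes SPF for
# its own bounce domain while displaying contoso.com in the From header.
LEGIT = Message("contoso.com", "bounce.contoso.com", "pass", "contoso.com", "pass")
SPOOF = Message("contoso.com", "attacker.example", "pass", None, "fail")

if __name__ == "__main__":
    print("legit:", dmarc_result(LEGIT))  # pass: SPF relaxed-aligned, DKIM exact
    print("spoof:", dmarc_result(SPOOF))  # fail: SPF passed, but for the wrong domain
```

The second sample is the case the paragraph above describes: SPF alone says "pass" because the bounce domain checks out, and only the alignment step in dmarc_result notices that the domain the user sees was never authenticated.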
What is a DMARC TXT record?
The DMARC record is similar to the SPF DNS record: it is a DNS text (TXT) record that extends authentication to the "From" address, so the receiving server can validate the authenticity of an email by checking that the authenticated sending source (the IP address verified by SPF, or the DKIM signing domain) belongs to the domain in the From header. DMARC TXT records are published in DNS, and using them the destination email server can also decide how to handle messages that fail. An example of Microsoft's DMARC TXT record is shown below:
_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; fo=1"
Here 'v' defines the version, 'p' defines the policy applied to messages that fail DMARC, 'sp' defines the policy for subdomains (absent from this record, so subdomains inherit 'p'), 'pct' defines the percentage of failing messages to which the policy 'p' is applied, 'rua' contains the URI to which aggregate reports are sent, 'ruf' contains the URI to which forensic (failure) reports are sent, and 'fo' controls which failures generate those reports (fo=1 means any failing SPF or DKIM check).
How to implement DMARC in Office 365
For inbound email, DMARC checking is active by default in Office 365. If you do not use custom domains for email in Office 365, you do not need to set up DMARC for outbound email either. For custom domains you can set up DMARC manually by following the steps below:
1) Identify valid email sources for your domain: If you have already set up SPF for your domain, you can skip this step. Beyond what SPF setup requires, DMARC needs you to determine all the IP addresses and third-party domains that send email for your domain.
2) Set up SPF in Office 365: Once you have finalized the list of legitimate senders, set up SPF for your domain by adding an SPF TXT record, or updating an existing one.
3) Set up DKIM in Office 365: DKIM adds a digital signature to outbound messages. Keep in mind that the default DKIM configuration signs with the tenant's initial onmicrosoft.com domain rather than your custom domain, so the signature does not align with your From address and can cause DMARC failures.
4) Create the DMARC TXT record for Office 365: Create the DMARC TXT record for your domain in the format shown below:
_dmarc.domain TTL IN TXT "v=DMARC1; pct=100; p=policy"
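As an added example (not code from the page or from Microsoft), the following parses a DMARC TXT value into its tags, checks the tags explained above (v, p, sp, pct, rua, ruf, fo) for obvious mistakes, and renders the step-4 zone-file line for a domain. It is run against the microsoft.com record quoted earlier (whose report addresses on this page are placeholders) and against a constructed domain, contoso.example; the report mailbox and TTL are assumptions.

```python
# Added example: parse, sanity-check and render DMARC TXT records.
# The contoso.example domain and its report mailbox are constructed.

import re
from typing import Dict, List

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tags are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt: str) -> List[str]:
    """Return a list of problems; an empty list means the record looks well-formed."""
    problems: List[str] = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    # v=DMARC1 must be the first tag, or receivers do not treat this as DMARC.
    first = txt.strip().strip('"').split(";")[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy {policy!r}")
    if "sp" in tags and tags["sp"].lower() not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy {tags['sp']!r}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be an integer 0-100, got {pct!r}")
    for tag in ("rua", "ruf"):  # comma-separated list of mailto: URIs
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s]+", uri):
                problems.append(f"{tag} entry is not a mailto: URI: {uri!r}")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append(f"fo must combine 0, 1, d, s; got {tags['fo']!r}")
    return problems


def build_dmarc_record(domain: str, policy: str, rua: str,
                       pct: int = 100, ttl: int = 3600) -> str:
    """Render the step-4 line: _dmarc.<domain> <TTL> IN TXT "v=DMARC1; pct=..; p=..; rua=.."."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"policy must be one of {sorted(VALID_POLICIES)}")
    value = f"v=DMARC1; pct={pct}; p={policy}; rua=mailto:{rua}"
    return f'_dmarc.{domain}. {ttl} IN TXT "{value}"'


# The microsoft.com record quoted on this page (report addresses are placeholders).
MICROSOFT_EXAMPLE = ("v=DMARC1; p=none; pct=100; rua=mailto:firstname.lastname@example.org; "
                     "ruf=mailto:email@example.com; fo=1")

if __name__ == "__main__":
    print(parse_dmarc(MICROSOFT_EXAMPLE)["p"])          # none
    print(validate_dmarc(MICROSOFT_EXAMPLE))             # []
    print(validate_dmarc("v=DMARC1; p=block; pct=150"))  # two problems
    print(build_dmarc_record("contoso.example", "quarantine", "dmarc-reports@contoso.example"))
```

Run validate_dmarc on your own record before publishing it: a record that does not begin with v=DMARC1 is not recognised as a DMARC record at all, and a misspelt p= value silently leaves the domain without the enforcement you intended. Starting with p=none and a working rua address, as the microsoft.com example does, lets you read aggregate reports and find legitimate senders you missed in step 1 before moving to quarantine or reject.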