howTo:

howTo: Deploy DMARC on a $0 Budget

Miguel Maloney Thompson

01 Jan 2025 — 5 min read

Welcome to our first howTo: guide on deploying DMARC on a $0 budget.
We will walk you through the steps to improve your email deliverability. So if you are just starting to use DMARC or want to explore a possible $0 approach to your present DMARC implementation, look no further.

This guide has been tested and confirmed to work as described. However, please ensure you fully understand the steps before implementation to avoid errors. If you have questions, feel free to contact us at [email protected].

I will skip all the talk and get to the fun part. Read No More Hit and Miss: Why DMARC is Crucial for Email Deliverability if you want to referesh your mind on what DMARC is.

We will first deploy DMARC with a "none" policy to start monitoring email traffic. Once the setup is verified, you can transition to stricter policies ("quarantine" or "reject") to enhance security and email deliverability.

Step 1: Prepare for Deployment

1.1 Understand Email Authentication
Before deploying DMARC, ensure you understand how SPF and DKIM work:

SPF (Sender Policy Framework): Specifies which servers can send emails for your domain.
DKIM (DomainKeys Identified Mail): Verifies that an email’s content hasn’t been altered during transit.

Step 2: Set Up SPF for Your Domain

2.1 Identify Authorized Senders

List all servers and services (e.g., email marketing platforms, web servers) authorized to send emails for your domain.

2.2 Add an SPF Record

Log in to your domain registrar's DNS management portal or your hosting company's control management.
Add SPF as a TXT record, for example:
v=spf1 include:_spf.google.com ~all
- Replace _spf.google.com with your authorized email senders if different.

DNS Management page with SPF TXT record

2.3 Validate the SPF Record

Use a free online tools like MXToolBox to verify your SPF record.

Step 3: Configure DKIM for Your Domain

3.1 Generate DKIM Keys

Log in to your email service, hosting provider or third-party email DKIM service, and generate a DKIM key pair. You may do a search on "DKIM setup" in the manual or search.

Configuring DKIM on Microsoft 365 Configuraing DKIM on Microsoft 365

3.2 Publish the DKIM Public Key

Add the public key as a TXT record or CNAME record in your DNS settings depending on the service you are using.
Example:
Name: default._domainkey
Value: "v=DKIM1; k=rsa; p=publickey..."

DNS management page adding DKIM record DNS Management - adding DKIM record as CNAME on Microsoft 365

3.3 Enable DKIM Signing

In your email service’s settings, enable DKIM signing for outgoing emails.

Step 4: Deploy DMARC with a Monitoring Policy

4.1 Publish a DMARC Record

Go to your DNS management portal.
Add a TXT record with the following format:
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]
- Replace [email protected] with a valid email to receive reports. If you are using a paid DMARC service, you will be provided an email to use. In this example we are using the $0 method so use an email address dedicated to receiving dmarc reports.

DNS management page adding DMARC txt record DMARC TXT record setup in DNS management settings

4.2 Verify the DMARC Record

Use online tools like DMARC Checker or DMARC Inspector to validate your DMARC setup.

Step 5: Monitor and Analyze Reports

5.1 Collect DMARC Reports

Regularly review reports sent to the specified email to identify:
- Unauthorized email sources.
- Alignment issues with SPF and DKIM.

5.2 Use Free Tools for Analysis

Use free platforms like DMARCian, MXToolBox, ZOHO DMARC Report Analyzer and others to interpret DMARC reports and identify improvements.

MXtoolbox - DMARC - Free Analyzer MXtoolbox free DMARC report analyzer

02-Zoho free DMARC Analyzer tool
ZOHO free DMARC report analyzer - Identified Sources

Step 6: Gradually Enforce Policies

6.1 Transition to "Quarantine"

Update the DMARC record p to "quarantine":
v=DMARC1; p=quarantine; rua=mailto:[email protected]
Monitor the impact on deliverability and continue reviewing reports.

6.2 Move to "Reject" (Optional)
Once you are confident that only non-authenticated senders are being quarantined,
update p to "reject":
v=DMARC1; p=reject; rua=mailto:[email protected]
This ensures only authenticated emails are delivered.

01-Zoho free DMARC Analyzer tool
ZOHO free DMARC report analyzer - Graphical Representation

Best Practices for a $0 DMARC Setup

Regular DNS Checks: Ensure records (SPF, DKIM, DMARC) are updated and functioning correctly.
Monitor Reports Frequently: Use the insights to improve alignment and identify anomalies, using the free tools for analysis.
Stay Flexible: Adjust policies based on email performance and deliverability feedback.

We Value Your Feedback!
Have you implemented using our guide?
We'd love to hear about your experience! Share your success stories, challenges, or suggestions at . Let us know if there are specific improvements you'd like to see in our guide!

Have Questions?
If you have any questions or need clarifications, don't hesitate to reach out to us at . We're here to help you secure your systems.

Thank you for helping us improve and supporting our mission to make cybersecurity accessible for everyone!