In October 2017, the Department of Homeland Security mandated that federal agencies use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol. DMARC lets a receiving mail server check whether a message is authorized by the domain in its sender address and, depending on the policy that domain publishes, reject forged messages or mark them as spam. Without it, anyone can send emails with a forged sender address, and recipients have no way to notice the forgery.
Some DMARC requirements were due for adoption in January; others have an October deadline. Recent reports indicate that many agencies are not yet using the protocol or don’t have it configured correctly. Here are some tips for how your agency can get up to speed with DMARC:
1. Do an Initial DMARC Deployment in Report-Only Mode
DMARC builds on the SPF and DKIM authentication mechanisms and runs on your existing mail infrastructure, so deployment is usually not a burden. To support it, you will need to configure your email servers (and possibly enable a few features, such as DKIM signing of outbound mail) and publish DMARC records in DNS. Each DMARC resource record is a DNS TXT record that specifies how the protocol should be applied to a particular domain.
Each agency domain and subdomain should have its own record. For initial DMARC use, set the policy to “none” (p=none). DMARC will passively monitor all email activity and generate reports on what it observes without interfering with email delivery. See dmarc.org/overview for more details on how to configure DMARC resource records.
2. Verify the Accuracy of the DMARC Resource Records
Errors can have serious consequences, either by allowing forged emails to go unnoticed or by inadvertently preventing genuine messages (often from misconfigured email systems) from reaching their destinations. To verify records:
- Visually check every record for syntax errors, typos and other mistakes.
- Confirm that each domain and subdomain has a record. You may want to use scanners and other tools to help compile a list of domains and subdomains.
- Review the DMARC reports and confirm that they reflect the settings from the resource records.
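The syntax check in the first bullet is easy to automate before a record is published. The following Python checker is an added example written for this article; it is not from the original text or from any agency's tooling. It validates the text of a DMARC record (the TXT record that lives at _dmarc.<domain>) against the tags defined in RFC 7489 and reports the mistakes that typically cause the two failure modes above: a policy that silently never takes effect, or reports that go nowhere because the rua= address is malformed. The sample records, domain names and report mailboxes are constructed placeholders. The partial-rollout record goes beyond the article by using the pct= tag, which applies the policy to only a percentage of failing mail.

```python
"""Parse and sanity-check DMARC TXT record text before publishing it.

Added example for this article (not the article's or any agency's code).
It checks record text only and never queries DNS; all inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Allowed tag values per RFC 7489. "none" is the monitoring-only starting point.
VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}      # relaxed / strict identifier alignment
VALID_FO = {"0", "1", "d", "s"}   # failure-report options
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+(!\d+[kmgt]?)?", re.I)


@dataclass
class DmarcCheck:
    tags: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_dmarc(record: str) -> DmarcCheck:
    """Split 'tag=value; tag=value' into a dict, collecting syntax errors."""
    result = DmarcCheck()
    parts = [p.strip() for p in record.strip().split(";")]
    parts = [p for p in parts if p]          # a trailing ';' is legal
    for i, part in enumerate(parts):
        if "=" not in part:
            result.errors.append(f"tag without '=': {part!r}")
            continue
        tag, value = (s.strip() for s in part.split("=", 1))
        if tag in result.tags:
            result.errors.append(f"duplicate tag {tag!r}")
        result.tags[tag] = value
        if i == 0 and tag != "v":
            result.errors.append("record must start with v=DMARC1")
    return result


def validate_dmarc(record: str) -> DmarcCheck:
    """Apply the checks that catch the typos and omissions step 2 warns about."""
    result = parse_dmarc(record)
    t = result.tags
    if t.get("v") != "DMARC1":
        result.errors.append(f"bad or missing version tag: v={t.get('v')!r}")
    if "p" not in t:
        result.errors.append("missing required policy tag p=")
    elif t["p"] not in VALID_POLICIES:
        result.errors.append(f"unknown policy p={t['p']!r} (none/quarantine/reject)")
    if "sp" in t and t["sp"] not in VALID_POLICIES:
        result.errors.append(f"unknown subdomain policy sp={t['sp']!r}")
    for tag in ("adkim", "aspf"):
        if tag in t and t[tag] not in VALID_ALIGNMENT:
            result.errors.append(f"{tag} must be 'r' or 's', got {t[tag]!r}")
    if "pct" in t and not (t["pct"].isdigit() and 0 <= int(t["pct"]) <= 100):
        result.errors.append(f"pct must be an integer 0-100, got {t['pct']!r}")
    if "fo" in t:
        bad = [v for v in t["fo"].split(":") if v not in VALID_FO]
        if bad:
            result.errors.append(f"bad fo values: {bad}")
    # Report URIs must be mailto: addresses, otherwise no reports ever arrive.
    for tag in ("rua", "ruf"):
        for uri in t.get(tag, "").split(","):
            if uri.strip() and not MAILTO.fullmatch(uri.strip()):
                result.errors.append(f"{tag} URI is not a mailto: address: {uri.strip()!r}")
    if "rua" not in t:
        result.warnings.append("no rua= tag: you will receive no aggregate reports to review")
    if "sp" not in t:
        result.warnings.append("no sp= tag: subdomains without their own record inherit p=")
    return result


# Constructed sample records: the three rollout stages plus two common mistakes.
SAMPLE_RECORDS = {
    "step1_monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example.gov",
    "step3_partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@agency.example.gov",
    "step4_enforce": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@agency.example.gov",
    "typo_policy":   "v=DMARC1; p=rejct; rua=mailto:dmarc-reports@agency.example.gov",
    "bad_rua":       "v=DMARC1; p=quarantine; rua=dmarc-reports@agency.example.gov",
}


def check_all(records=SAMPLE_RECORDS) -> dict:
    """Return {name: (ok, errors)} for every record, for a pre-publish review."""
    return {name: (r.ok, r.errors) for name, r in
            ((n, validate_dmarc(s)) for n, s in records.items())}


if __name__ == "__main__":
    for name, (ok, errors) in check_all().items():
        print(f"{name:14} {'OK ' if ok else 'BAD'} {errors}")
```

Run it as a script to print one line per record; the two mistake records fail, and the three stage records pass (the monitor record only gets a warning about the missing sp= tag). Because the check is pure text, it can be run over the output of a DNS query tool or over a list of records compiled for every domain and subdomain, as the second bullet recommends.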
3. Gradually Change Policy Setting from “None” to “Quarantine”
As you gain confidence in the accuracy of your DMARC implementation, change the policy setting to “quarantine”. Receiving servers will then begin to flag messages that fail DMARC checks, i.e. messages whose sender address appears to be forged, as spam. By making this change gradually, you can reduce the growing pains that come with any new security control, such as responding to user complaints about legitimate emails that were incorrectly flagged.
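The confidence to tighten the policy comes from the aggregate reports that receivers send to the rua= address while the record is still at p=none. The Python summarizer below is an added example for this article, not code from the original text or from any agency; it parses one aggregate report in the RFC 7489 XML format, confirms that the policy the receiver saw matches the record you intended to publish, and separates failing sources into two groups: senders that authenticated under some domain but did not align with the From domain (typically a legitimate third-party service that still needs an SPF or DKIM fix), and senders with no valid authentication at all (the forgeries the policy is meant to stop). The report, its IP addresses and domain names are constructed sample data; real reports arrive as compressed attachments and should be parsed with a hardened XML parser such as defusedxml.

```python
"""Summarize a DMARC aggregate (rua) report before moving from none to quarantine.

Added example for this article; not the article's or any agency's code.
The report below is constructed to follow the RFC 7489 aggregate schema.
"""
import xml.etree.ElementTree as ET  # swap in defusedxml.ElementTree for real, untrusted reports

# Constructed sample: one aligned sender, one unaligned vendor, one unauthenticated source.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>12345</report_id>
    <date_range><begin>1514764800</begin><end>1514851199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example.gov</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><dkim><domain>agency.example.gov</domain><result>pass</result></dkim>
      <spf><domain>agency.example.gov</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><dkim><domain>newsletter-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>400</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.example.net</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str, expected_policy: str) -> dict:
    """Tally message counts per DMARC outcome and check the published policy."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {
        "domain": pub.findtext("domain"),
        "published_policy": pub.findtext("p"),
        "policy_matches_expected": pub.findtext("p") == expected_policy,
        "messages": 0,
        "passing": 0,
        "unaligned_but_authenticated": {},  # source_ip -> count: likely legit senders to fix
        "unauthenticated": {},              # source_ip -> count: likely forgeries
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        summary["messages"] += count
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            summary["passing"] += count
            continue
        auth = rec.find("auth_results")
        checks = list(auth.findall("dkim")) + list(auth.findall("spf"))
        raw_pass = any(c.findtext("result") == "pass" for c in checks)
        bucket = "unaligned_but_authenticated" if raw_pass else "unauthenticated"
        summary[bucket][ip] = summary[bucket].get(ip, 0) + count
    summary["pass_rate"] = round(summary["passing"] / summary["messages"], 3) if summary["messages"] else 0.0
    return summary


def ready_to_tighten(summary: dict) -> bool:
    """Tighten only once the published policy is the intended one and no
    authenticated-but-unaligned senders remain. A large volume of fully
    unauthenticated mail is what enforcement exists to block, so it is not a
    reason to wait."""
    return summary["policy_matches_expected"] and not summary["unaligned_but_authenticated"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT, expected_policy="none")
    for key, value in s.items():
        print(f"{key}: {value}")
    print("ready to move to quarantine:", ready_to_tighten(s))
```

On the sample, the vendor at 198.51.100.7 shows up as authenticated but unaligned, so the right next step is to fix that sender's alignment (or add it to SPF / have it sign with DKIM for the agency domain) before raising the policy; the 400 messages from 203.0.113.99 carry no valid authentication and are exactly what p=quarantine and later p=reject will act on.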
4. Change Policy Setting from “Quarantine” to “Reject” by October
The “reject” setting is the final step. This setting causes DMARC to fully enforce the policies on the domains and subdomains, blocking emails with forged senders. At this point, your agency should be in compliance with DHS requirements.