How to Use a Dedicated DMARC Analyzer Service to Set Up DMARC with p=reject (Full DMARC Implementation)
This tutorial provides step-by-step instructions on how to set up DMARC starting from p=none, transition to p=quarantine, then to p=reject using DMARCLY, a dedicated DMARC analyzer service.
The tutorial assumes no prior knowledge whatsoever of DMARC or DMARC reports. You only need basic DNS know-how to publish domain records in the DNS.
Why use a dedicated DMARC analyzer service?
Granted that you can manually parse incoming DMARC reports to identify email streams, many companies/IT departments choose to use a dedicated DMARC analyzer service for this purpose.
The reason is simple: while manually parsing daily DMARC reports takes up to days depending on your email volume, a dedicated DMARC analyzer service does this for you in no time.
In addition, a dedicated DMARC analyzer service enables you to look into the data from various dimensions, so that you can identify legitimate email streams and potential threats at a glance.
To use DMARCLY, a DMARC analyzer service, to fully implement DMARC, please follow the steps below.
Sign up for DMARCLY
Navigate to Sign Up for DMARCLY to create a FREE 14-day trial account.
Upon signing up, DMARCLY prepares 2 mailboxes for you to receive DMARC aggregate reports and failure reports. Also, it keeps watching these inboxes and parses them as they come in.
This removes the hassle of your having to set up your own mailboxes to receive the reports, external domain verification (EDV), etc. and ongoing maintenance.
Create a DMARC record
Log in to the DMARCLY dashboard here, the go to: DNS Records->Publish DMARC Record.
Now you will see a page with a default DMARC record created for you already, as highlighted below:
If you are just getting started, you can simply use the default DMARC record. Of course you can adjust the settings on that page and update the record to suit your needs.
We recommend that you publish the record as is, as its settings cover most common scenarios. This sets DMARC under the "monitoring" mode which allows you to start receiving DMARC reports without having any impact on your email streams.
You can always come back later and update the DMARC settings when you get more familiar with DMARC.
Publish the DMARC record
Now publish the DMARC record on your domain in the DNS, so that it's accessible to receiving email servers. To do that, you need to log in to the domain's DNS provider's dashboard to add the record.
Here are a few links to tutorials on adding a DMARC record with various DNS services:
- How to add DMARC record in GoDaddy
- How to add DMARC record in Cloudflare
- How to add DMARC record in Namecheap
- How to add DMARC record in cPanel
Check the DMARC aggregate data
A couple of days later, the DMARC aggregate data should be readily available in DMARCLY's dashboard. Simply log in and go to: Aggregate Reports, then you can view it from various tabs (dimensions).
In the rare case that you are not seeing any aggregate data, check out this post: Why Am I Not Receiving DMARC Aggregate or Forensic Reports?
Go to the Unaligned Sources tab, where it shows all the emails streams that have failed email authentication in the past. You need to go through all the items in the table, identify all the legitimate email streams, and set up SPF and DKIM for them.
For example, the first row in the following table:
shows that SendGrid is the email delivery service (source) for that particular row (email stream), and the emails in this stream are not authenticated.
Now you need to consult your IT department to find out if SendGrid is a legitimate email delivery service for your company:
- if so, set up SPF and DKIM for SendGrid;
- otherwise, leave everything as is: emails delivered by illegitimate email sources will be quarantined or rejected as you transition to the next DMARC modes.
To set up SPF and DKIM for SendGrid, simply Google "SendGrid SPF" and "SendGrid DKIM".
Setting up SPF and DKIM for a particular email delivery service is called "authenticate for that service".
Repeat this process for all other rows in the table.
Transition to p=quarantine mode
Once you've authenticated for all known legitimate sources, you need to wait some time (1+ month) before moving to DMARC's quarantine mode. This allows you to check incoming data to identify more legitimate sources.
Moving to DMARC's quarantine mode is nothing more than updating the DMARC policy to quarantine in your DMARC record in the DNS.
Transition to p=reject mode
If you haven't found any issue in the quarantine phase for some time, you can consider moving to the reject mode. The time it takes before moving to the reject mode depends on the complexity of your organization: the more complex it is, the longer it takes. It typically takes 3+ months, so that you have enough time to identify all legitimate sources in your organization.
It's very important that you authenticated for all legitimate sources before moving to p=reject, as in this mode, all unauthenticated emails will be rejected!
To move to DMARC's reject mode, update the DMARC policy to reject in your DMARC record in the DNS.
From now on, you need to keep monitoring your email authentication status, in case any change in your email infrastructure causes emails from legitimate email delivery sources to not authenticate.
Your development/marketing team can add new email delivery sources, in which case, you need to authenticate for such new sources.
Email delivery sources can also become obsolete, in which case, you need to remove the corresponding SPF and/or DKIM records on your domain, so that emails coming from these sources don't authenticate.
You can use DMARCLY's DMARC Summary feature to receive email authentication status reports in your inbox. By reviewing these periodic reports, you can stay on top of your email authentication status.
Protect Business Email & Improve Email Deliverability
Get a 14 day trial. No credit card required.Create Account