More and more companies are seeing attempts by outsiders to send phishing or spam mails via their domain name, damaging faith in the company and the company’s brand. False emails are an easy way to steal passwords and credit card details and gain access to user accounts. This is a growing problem for companies, impairing credibility and hindering communication by email.
Make sure the mail your company sends is secure by implementing some small validation checks like DMARC and SPF. Both of these options are very easy to implement with a DNS entry.
How DMARC works
DMARC makes use of SPF and DKIM to confirm your domain. To create a key for DKIM, simply go into SpamTitan and generate a key. The author Matt Moorehead published a good blog post explaining DMARC in plain English, with an illustration: http://blog.returnpath.com
DNS DMARC Entry
DMARC records are published in DNS with a subdomain label _dmarc, for example _dmarc.example.com. Compare this to SPF at example.com, and DKIM at selector._domainkey.example.com.
The content of the TXT resource record consists of name=value tags, separated by semicolons, similar to SPF and DKIM. For example:
"v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com"
Here, v is the version, p is the policy, sp the subdomain policy, pct is the percent of "bad" emails on which to apply the policy, and rua is the URI to send aggregate reports to. In this example, the entity controlling the example.com DNS domain intends to monitor SPF and/or DKIM failure rates, and doesn't expect emails to be sent from subdomains of example.com. Note that a subdomain can publish its own DMARC record; receivers must check it out before falling back to the organizational domain record.
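The tag parsing and the subdomain fallback described above, as an added Python example that is not part of the original article or the blog it cites. The SAMPLE_TXT records, the news.example.com subdomain and the function names are constructed for illustration; the organizational domain is passed in by the caller rather than derived from the Public Suffix List, and a record without p= is rejected.

```python
SAMPLE_TXT = {  # constructed records standing in for DNS TXT answers
    "_dmarc.example.com":
        "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dmarcreports@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=reject",  # hypothetical subdomain
}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT value; raise ValueError if it is not usable."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("v=DMARC1 must be the first tag")
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy not in POLICIES or subpolicy not in POLICIES:
        raise ValueError("missing or unknown p/sp policy")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"p": policy, "sp": subpolicy, "pct": pct, "rua": rua}


def effective_policy(from_domain, org_domain, txt_records=SAMPLE_TXT):
    """Return (policy, pct, record_domain) a receiver applies to from_domain."""
    own = txt_records.get(f"_dmarc.{from_domain}")
    if own is not None:  # the domain's own record wins, and its p applies
        rec = parse_dmarc(own)
        return rec["p"], rec["pct"], from_domain
    org = txt_records.get(f"_dmarc.{org_domain}")
    if from_domain != org_domain and org is not None:
        rec = parse_dmarc(org)  # fallback: the organizational record's sp applies
        return rec["sp"], rec["pct"], org_domain
    return None, None, None  # no DMARC record published


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "news.example.com"):
        print(d, effective_policy(d, "example.com"))
```

With the sample record, mail from example.com itself is only monitored (p=none), while a subdomain without its own record falls under sp=quarantine.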
DNS SPF Entry
The records laid out below are in typical DNS syntax, for example:
"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
"v=" defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The "ip4" and "a" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.