What would happen to your business if your customers receive emails by someone else pretending to be you? What if your customer gets fished? Pay an invoice you did not send? Get infected by viruses and other malware?
The good news is that you can make it difficult for someone else to spoof your emails, or modify them in transit, and best of all, you can do it for FREE! it will not cost you anything!
I attended a talk from the Global Cyber Alliance and was shocked about the number of businesses that are vulnerable to this type of misuse, and probably your is too!.
The GCA has put a simple guide to enable DMARC (Domain-based Message Authentication, Reporting & Conformance) on your domain. DMARC is a simple and trusted solution to help protect your business and your customers.
To protect your business, you will need to create three records on your domain host:
I have created a very concise set of instructions, which should be easy to follow. However, if you need extra help, please do not hesitate in contacting me.
In my business, I use Google's email servers, and I host my domain with SiteGround (which uses cPanel). With any luck, your company use the same services, but if not, it should not be too different.
For your reference, I followed Google Apps guide for setting up:
Although SiteGround has a tool to create the SPF record automatically (cPanel > Mail >Email Authentication) I will explain how to do it manually, in case you use a different host.
Please note that you can only have ONE SPF record per domain, multiple records will create issues. However, you can set up a record to handle all of your services.
As per google, your SPF record would be defined as type TXT, and its content: "v=spf1 include:_spf.google.com ~all"
But if you are like me and need to include other services, such as FreeAgent then you need to include it too, and this is how you do it: "v=spf1 include:_spf.google.com include:_spf.freeagent.com ~all"
in other words, you need an “include:_spf.domain.com” statement for each service separated by a space.
So to create the record in cPanel Advance DNS Zone Editor set the following fields:
Click “add record”
You can check your settings with the instructions below.
This one is a little bit more specific to your account.
First, log into your Google Admin console. Then go to Apps > G Suite > Gmail and scroll down to “Authenticate email”
You should see two fields, the DNS Host name ( google.domainkey) and then the value for the TXT record.
You can try with that value, but you may have an issue if your host does not support TXT records longer than 255 characters. If that is the case, click “Generate new record” and select 1024 as your DKIM key bit length resulting in a shorter string.
Before you click on “Start Authentication” you need to set up the DNS record.
Again as above the fields are:
Finally, go back to your “Authenticate email” window and click on “Start Authentication”.
If successful, the status will change to Authenticating email ✓
A typical error may suggest you wait for propagation.
As I said, for this I ignored google and instead used the tool provided by the Global Cyber Alliance: https://dmarc.globalcyberalliance.org.
The only pre-requisite for this is to have an email address to send the reports (please read above).
So here is how to get your DMARC record:You should end up with something like this:
_dmarc.yourcompany.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; sp=none; ri=86400"
For your DNS record, you should use:
Hint: you can ignore the tool, and modify the record above and you should be done :D
What the above mean:
V= version
P=profile (options: None, Quarantine, Reject)
Rua: email address for the aggregate reports
Ruf= email address for the forensic reports
SP= settings for the subdomain
RI= reporting interval = 24 hours in seconds.
Congratulations! You did it
At this stage, you need to test your emails, to ensure they arrive as expected!
Login to your webmail, or use your email clients such as outlook, or mail.app and send emails to your personal email address. Did they arrive or did they get sent to the junk mail?
Do you use a CRM? Set up a dummy customer and send them information
Accounting software? Again, set up a dummy customer and send them an invoice.
How to use G Suite Toolbox Dig
You should see the corresponding records in the window below.
You can enable DMARC to protect your business from email fraud.
To do that, you need to create three DNS records using the DNS facility at your hosting company: an SPF, DKIM and DMARC
My SPF record looks like this (I use G Suite for Business and FreeAgent for Accounting:If you use G Suite you can get it from Then go to Apps > G Suite > Gmail > Authenticate email. You may need to generate a smaller length key depending on your host provider. To do so, click on generate key, and select 1024 bit length instead of the 2048.
You need to return here to start authenticating after you create the DNS record.