- Bespoke Software Solutions for Your Business
- 07949590972
- info@carboncrystal.co.uk
Protect your business against email fraud.
Thank you for your visit
September 28, 2017Setting up DMARC is easy and Free, and here I explain how you can do it!
How would you feel if your brand gets hijack?
What would happen to your business if your customers receive emails by someone else pretending to be you? What if your customer gets fished? Pay an invoice you did not send? Get infected by viruses and other malware?
The good news is that you can make it difficult for someone else to spoof your emails, or modify them in transit, and best of all, you can do it for FREE! it will not cost you anything!
I attended a talk from the Global Cyber Alliance and was shocked about the number of businesses that are vulnerable to this type of misuse, and probably your is too!.
HOW TO PROTECT YOUR BUSINESS FROM EMAIL FRAUD IN 15 MINUTES
The GCA has put a simple guide to enable DMARC (Domain-based Message Authentication, Reporting & Conformance) on your domain. DMARC is a simple and trusted solution to help protect your business and your customers.
To protect your business, you will need to create three records on your domain host:
I have created a very concise set of instructions, which should be easy to follow. However, if you need extra help, please do not hesitate in contacting me.
Instructions
In my business, I use Google's email servers, and I host my domain with SiteGround (which uses cPanel). With any luck, your company use the same services, but if not, it should not be too different.
For your reference, I followed Google Apps guide for setting up:
What else will you need?
- An email address where you will receive the DMARC reports, such as postmaster@yourcompany.com. I set up a group name (called postmaster) on my google account and subscribed to it. In the future, I can add and remove people to the “mailing list” without having to change the DMARC record.
- Google DNS tool to check propagation of your DNS changes
Setting up SPF
Although SiteGround has a tool to create the SPF record automatically (cPanel > Mail >Email Authentication) I will explain how to do it manually, in case you use a different host.
Please note that you can only have ONE SPF record per domain, multiple records will create issues. However, you can set up a record to handle all of your services.
As per google, your SPF record would be defined as type TXT, and its content: "v=spf1 include:_spf.google.com ~all"
But if you are like me and need to include other services, such as FreeAgent then you need to include it too, and this is how you do it: "v=spf1 include:_spf.google.com include:_spf.freeagent.com ~all"
in other words, you need an “include:_spf.domain.com” statement for each service separated by a space.
So to create the record in cPanel Advance DNS Zone Editor set the following fields:
TTL: 14400 (this is 4 hours)
Type: TXT
TXT Data: v=spf1 include:_spf.google.com include:_spf.freeagent.com ~all
Click “add record”
You can check your settings with the instructions below.
DKIM Record
This one is a little bit more specific to your account.
First, log into your Google Admin console. Then go to Apps > G Suite > Gmail and scroll down to “Authenticate email”
You should see two fields, the DNS Host name ( google.domainkey) and then the value for the TXT record.
You can try with that value, but you may have an issue if your host does not support TXT records longer than 255 characters. If that is the case, click “Generate new record” and select 1024 as your DKIM key bit length resulting in a shorter string.
Before you click on “Start Authentication” you need to set up the DNS record.
Again as above the fields are:
TTL: 14400 (this is 4 hours)
Type: TXT
TXT Data: v=DKIM1; k=rsa; p=bxWXNXYkEHaTgiLiHGim8Zma8NeADuFiCXEnNRhVwhiVyHzsHApkkhaGqxjwCtFHoDVWNBWQLgZLcjPUMCnqoWKwRvTVrs4hGR9kXECdKQteKTiYCdoqtpyvoypHgrympKkPXYC6npmFZmxKDZY8veboMTcdqsWhkVmPhhoRUhFQjBjRHKFLqdQEcLawoNWbcX9BcQfFDGtkjNezVmQozCCg
Finally, go back to your “Authenticate email” window and click on “Start Authentication”.
If successful, the status will change to Authenticating email ✓
A typical error may suggest you wait for propagation.
Your DMARC Record
As I said, for this I ignored google and instead used the tool provided by the Global Cyber Alliance: https://dmarc.globalcyberalliance.org.
The only pre-requisite for this is to have an email address to send the reports (please read above).
So here is how to get your DMARC record:- Type your domain in the box provided. You should see that it will check for your SPF and DKIM records, and have green check marks next to them.
- Select DMARC and click NEXT
- Follow the instructions J
- With policy, start with None. This help to ensure your emails don’t get rejected if you have not accounted for a service which you use. You will get reports for these emails.
- Next, you can specify the email addresses where the aggregate reports will go to
- Same again but for the forensic reports.
- Select None for subdomain policy
- Leave the other optional settings to their default values
You should end up with something like this:
_dmarc.yourcompany.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; sp=none; ri=86400"
For your DNS record, you should use:
TTL: 14400 (this is 4 hours)
Type: TXT
TXT Data: v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; sp=none; ri=86400
Hint: you can ignore the tool, and modify the record above and you should be done :D
What the above mean:
V= version
P=profile (options: None, Quarantine, Reject)
Rua: email address for the aggregate reports
Ruf= email address for the forensic reports
SP= settings for the subdomain
RI= reporting interval = 24 hours in seconds.
Congratulations! You did it
Testing
At this stage, you need to test your emails, to ensure they arrive as expected!
Login to your webmail, or use your email clients such as outlook, or mail.app and send emails to your personal email address. Did they arrive or did they get sent to the junk mail?
Do you use a CRM? Set up a dummy customer and send them information
Accounting software? Again, set up a dummy customer and send them an invoice.
How to use G Suite Toolbox Dig
- Type the domain for your company (yourcompany.com)
- Select TXT… you should see your SPF record
- For DKIM use google._domainkey.yourcompany.com as the domain
- For DMARC use _dmarc.carboncrystal.co.uk as the domain.
You should see the corresponding records in the window below.
Summary
You can enable DMARC to protect your business from email fraud.
To do that, you need to create three DNS records using the DNS facility at your hosting company: an SPF, DKIM and DMARC
My SPF record looks like this (I use G Suite for Business and FreeAgent for Accounting:SPF record template
Name: yourcompany.comTTL: 14400
Type: TXT
TXT Data: v=spf1 include:_spf.google.com include:_spf.freeagent.com ~all
DKIM record sample
Name: google._domainkey.yourcompany.comTTL: 14400
Type: TXT
TXT Data: v=DKIM1; k=rsa; p=bxWXNXYkEHaTgiLiHGim8Zma8NeADuFiCXEnNRhVwhiVyHzsHApkkhaGqxjwCtFHoDVWNBWQLgZLcjPUMCnqoWKwRvTVrs4hGR9kXECdKQteKTiYCdoqtpyvoypHgrympKkPXYC6npmFZmxKDZY8veboMTcdqsWhkVmPhhoRUhFQjBjRHKFLqdQEcLawoNWbcX9BcQfFDGtkjNezVmQozCCg
If you use G Suite you can get it from Then go to Apps > G Suite > Gmail > Authenticate email. You may need to generate a smaller length key depending on your host provider. To do so, click on generate key, and select 1024 bit length instead of the 2048.
You need to return here to start authenticating after you create the DNS record.
DMARC record template
Name: _dmarc.yourcompany.comTTL: 14400
Type: TXT
TXT Data: v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:postmaster@yourdomain.com; sp=none; ri=86400
