This document provides an overview of reaching full DMARC protection using OnDMARC. We will be using a single domain and single email service to demonstrate this.

Throughout this article you’ll see we used the personal domain of our very own Jay Singh, OnDMARC’s Digital Marketing Manager, to show each step in detail. We wanted to use this as an opportunity to highlight how DMARC is a fundamental cybersecurity measure for everyone, not just businesses.

So let’s get started!

   Domain      |  Service
---------------|----------
 uksingh.com   |  G Suite

We'll assume that you have already signed up to OnDMARC and start from an empty control panel. 

1. Adding a Domain

This is where you will add the domain you wish to protect, in our case the domain is “uksingh.com”. 

Once you have entered the domain click on Submit and you will be taken straight to the Actions menu where you will see your first actions.

2. Creating DMARC and SPF records

The first Actions shown are to create a DMARC record and a blank SPF record. Both records are TXT records and need to be created in your DNS.

For further explanation on what the tags inside the DMARC record mean check our article below.

The SPF record is a blank SPF record that needs to be created and amended later on when you add sources of email. 

To find out if a domain already has a DMARC or SPF record you can use the command line. The commands used in Windows and Mac OS are shown below. We will later on also demonstrate how to query for a DKIM record as well.

Record | Windows Command Line   |            MAC OS Terminal
-----------------------------------------------------------------------
DMARC  | nslookup -type=txt     | dig txt _dmarc.uksingh.com
       | _dmarc.uksingh.com     |      
-----------------------------------------------------------------------
SPF    | nslookup -type=txt     | dig txt uksingh.com
       | uksingh.com.           |


You can also use our Analyzer which is built into OnDMARC and type in the domain that you wish to query. It will display the current SPF and DMARC records used for that domain.

At this point "uksingh.com" does not contain any DMARC or SPF records and they need to be created. Once the records have been detected by our tool the Actions will disappear as shown below.

At this point the tool is waiting for DMARC reports to start flowing in and will display the next set of Actions afterwards. It may take 24-48 hours for the first reports to be received.

3. Identifying Assets

Legitimate sources of emails that you use are represented as Assets and sources that you do not use or should not be sending emails on your behalf are represented as Threats by OnDMARC. 

In this section we will show you two ways of classifying sources as Assets. The first is by adding known sending sources in advance and the second is by waiting for the first reports to be processed which will show you who is sending on your behalf. 

3.1 Identifying Assets in advance

In our case we are using G Suite as the only source of emails so we can proceed by adding it to OnDMARC prior to receiving any reports.

Go to the Email Sources menu and under Assets click on Add Assets as shown below. 

We can see that G Suite was automatically found as part of our MX records. All we have to do is select it and click Done.

At this point G Suite is added to our Assets table. As it is a well known service its SPF and DKIM parts are automatically populated for us as shown below. For any unknown assets the SPF and DKIM selector parts need to populated manually. 

We can also see the status of G Suite is red. This indicates that SPF and DKIM need to be configured. You can hover over each quarter of the status to find out more information. The top two quarters are for SPF and DKIM respectively as found in DNS, and the bottom two quarters show SPF and DKIM results from the reports. The Assets table is a great place to keep track of your Assets and monitor their status. 

If we go back to the Actions menu we will actually see that an Action has appeared which says that G Suite needs to be configured with SPF and DKIM. It also contains a link that takes us to the instructions for configuring G Suite.

3.2 Identifying Assets based on Reports

The second way of identifying an asset is based on the reports. Once you have received your first reports OnDMARC will display an action asking you to classify each source as shown below. 

In our case G Suite is a legitimate source that we are using to send emails so we will click on Yes. This will add it to our Assets table as seen previously.

4. Configure Assets with SPF and DKIM

Sending a test email from our G Suite domain prior to configuring it with SPF and DKIM shows that DMARC fails. 

Now we have to modify our SPF record and include G Suite as part it as shown below.

v=spf1 include:_spf.google.com ~all

After adding G Suite to our SPF record we can see that its status in the tool changed.

Sending a test email now shows that DMARC passes due to SPF. DKIM is also shown as PASS, however, the domain used is "gappssmtp.com" (Google’s default DKIM signing domain) and not "uksingh.com" which indicates that DKIM is not yet configured.

For instructions on how to configure G Suite with DKIM please click on the button below.

Now that DKIM signing has also been configured a test email confirms that it is being signed with the correct domain "uksingh.com" as shown below.

The DNS status for SPF and DKIM in the Assets table is now green as both records have been detected.

After waiting for some reports to be received we can see that DMARC is passing thanks to SPF and DKIM and the bottom two status quarters turned green as shown below. 

Here is how to use the command like to query for DKIM keys as well using Windows and Mac OS.

Record  | Windows Command Line    | MAC OS Terminal
-----------------------------------------------------------------------
DKIM    | > nslookup              | dig txt
        | > set q=txt             | google._domainkey.uksingh.com
        | > google.domainkey      |
        |   .uksingh.com.         |

5. Monitor 

At this point G Suite is configured correctly and passing DMARC validation. All you have to do is monitor the status of your asset and keep an eye for new actions. New actions can appear for a number of reasons:

  • Due to reports showing new sources sending on your behalf that you need to classify as Assets or Threats.
  • Status of your current Asset has changed
  • Missing information that you have not populated in the tool
  • Feature that you have enabled but has not been fully configured

6. Move to DMARC reject

After seven days of no DMARC failures from your Asset the tool will display an Action that the DMARC policy can now be changed to reject. Once this action has been displayed, the only change to your current DMARC record will be to change “p=none” to “p=reject”.

Congratulations!

Your domain is now protected from being used in spoofing and spear phishing attacks. 

Did this answer your question?