In this article, you will find the steps you need to take in order to get started with OnDMARC and reach a policy of DMARC reject (i.e. full protection) on all your domains.
1. You can sign up to OnDMARC using this link.
2. Start adding all your domains, both active and inactive domains, to OnDMARC by using the 'Add domain' button.
You will initially have a 14-day trial period during which your email volume will be calculated. Email volume is just one factor that helps to guide you towards an appropriate subscription package. For more information on email volume, please click on the following button.
3. After adding your domain, you will see this DMARC Management screen. From here, you can choose to set up Dynamic DMARC or opt to manage DMARC manually.
We would recommend that you set up Dynamic DMARC. This allows you to manage your DMARC records from right inside the OnDMARC interface without needing to access your DNS, helping to avoid making manual configuration errors and ensuring that your journey to full protection is fast and efficient.
To set up Dynamic DMARC, simply navigate to your DNS provider and create an NS record using the information from the table below.
If you wish to manually manage your DMARC, just click the toggle. OnDMARC will then generate a unique DMARC record for you that you need to publish in your DNS. You will notice that the policy we create for you is p=none. This means that you are in reporting mode and your email flow will not be affected by this change. Reporting is the first step toward preventing phishing and spoofing.
It is important to note that for every domain and subdomain you add to OnDMARC, you will need to enter its respective record into your DNS.
You can then click next.
4. If your DMARC record has been set up correctly and the DNS records have been created and propagated across the internet, your first DMARC reports will arrive within 24 hours. You will see the 'receiving reports' badge in the Control Panel turn green - this means that your first DMARC report has arrived and you are officially in reporting mode.
5. If you then navigate to the Reports section, you will see the sources that send emails on your behalf and the passes and/or failures with regards to SPF and DKIM next to each source. The SPF and DKIM results shown are with respect to DMARC identifier alignment. To learn more about identifier alignment click on the button below.
6. From the Reports, you can start classifying your legitimate sources of email (the ones that you use) by using the tickbox to the left of each source and marking them as Assets. Don't worry about the sources that you don't use, only focus on your legitimate ones.
7. All of your Assets must now be configured with SPF or DKIM. DKIM is a must for your Assets as it is a more resilient and stronger form of authentication than SPF.
If you make a mistake in terms of identifying sources as either Assets or Threats, you can go to the Email Sources section and remove the entry from there. Once it is removed, it will show up in the Reports as unclassified.
Email Sources is the place where you can see the sources that you have identified as legitimate (represented as Assets) and the ones that you have identified as not legitimate (represented as Threats).
For more information on the Email Sources section of the product, please click on the button below.
Steps 5-7 can be repeated as more reports are received and until you have correctly configured all of your sources with SPF and DKIM. The Actions section should be monitored regularly and suggested actions need to be taken.
This is an ongoing process until you reach 100% DMARC reject policy. Once you are ready, OnDMARC will suggest that the DMARC record for your domains can be changed to a reject policy.
To learn more about SPF, DKIM, DMARC, and OnDMARC, please click on the button below. Our knowledge base contains a large amount of information with regard to the protocols and other OnDMARC features that we provide.
If you have further questions you can reach us via our chat option inside our product or alternatively, if you have not yet signed up for OnDMARC, through the contact form on our website.