Solutions

Overview

GenSpace Individual

For Business

Overview

GenSpace Business

Small Business

Small business productivity tools

New business

Tools for new businesses

Startups

Startup productivity tools

For Enterprise

Overview

GenSpace Enterprise

Frontline Workers

GenSpace for the frontline

Work Safer

Protect organizations from cyberattacks

Products

Mail

Custom business email

Calendar

Custom business email

Files

Files

Documents

Documents

Presentations

Presentations

Spreadsheets

Spreadsheets

Talk

Talk

Notes

Notes

Deck

Deck

Effective Use of DMARC to Prevent Email Spam and Spoofing

Combining Google Workspace’s secure-by-design architecture with Gmail’s built-in spam, phishing, and malware protections is an excellent way to protect your users from external threats. But what about threats from malicious actors who hijack your own domain to impersonate your users and launch email-based attacks against your customers, employees, and brand?

Worse, did you know that anyone on the Internet can send email ‘from’ your domain without needing access to your account? That’s where DMARC comes in.

Do You Have a DMARC Policy?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Without a DMARC policy, domains that send and receive email are vulnerable to spoofing, allowing third parties to:

  • Launch phishing attacks 🎣
  • Distribute spam, malware, or ransomware ☣️
  • Run social engineering scams against customers or employees 💸

A strong DMARC policy enables administrators to monitor, quarantine, or reject delivery of messages sent using their domain by unauthorized senders. In other words, every company needs a DMARC policy to protect their brand and domain reputation. At Rise Digital, every Google Workspace client is set up with a DMARC policy from day one.

How Does DMARC Work?

DMARC performs two main functions:

  1. DMARC sends reports containing the source (servers and domains) of messages sent using your domain and what percentage of them pass or fail two important mail security protocols:
    • Sender Protection Framework (SPF), which specifies the servers and domains authorized to send email on behalf of your organization.
    • Domain Keys Identified Mail (DKIM), which adds a digital signature to every outgoing message, allowing receiving servers to verify the message’s authenticity and integrity.
  2. DMARC recommends what action recipient mail servers should take on messages that fail the above protocols:
    • None (deliver the message)
    • Quarantine (deliver the message to spam)
    • Reject (bounce the message)

DMARC Logo

How to Enable DMARC

Implementing DMARC is a process. Immediately rejecting all outbound messages that fail DMARC risks interrupting delivery of business-critical mail. Therefore, we recommend Google Workspace admins take a gradual approach to introducing and strengthening their DMARC policy, analyzing results and monitoring for adverse impacts every step of the way.

1. Implement SPF and DKIM for Authorized Senders

First, ensure your organization has implemented SPF and DKIM for mail sent by your domain’s users and other authorized senders. DMARC instructs mail servers how to handle messages that do not pass SPF or DKIM, so enabling them is crucial.

2. Create a Dedicated Email Address to Collect DMARC Reports

Once your DMARC policy is in place, you’ll receive reports from recipient mail servers. Instead of flooding your email, create a dedicated repository, such as a Google group.

  1. Sign in to the Google Admin Console
  2. Navigate to Directory > Groups > Create group
  3. Enter DMARC in Group name, dmarc in group email, and add a description if desired. Skip the group owner and security label. Click Next.
  4. Set all access settings to Group Owners, except Who can post: External. Set who can join the group to Only invited users. Do not allow members outside your organization. Click Next, Create group, Done, See group settings, then advanced settings.
  5. Under Posting policies, change Who can attach files to Anyone on the web.

3. Implement an Initial (Permissive) DMARC Policy

Your DMARC policy advises recipient mail servers on handling messages that fail SPF or DKIM and where to send reports. Start with a permissive policy to avoid disrupting mail flow:

v=DMARC1; p=none; rua=mailto:[email protected]

As you gain insight from DMARC reports and ensure SPF and DKIM for all authorized senders, gradually tighten your policy to quarantine, and eventually reject, messages from unauthorized senders.

4. Analyze DMARC Reports

Daily DMARC reports will help you understand:

  • Which servers and domains are sending mail from your domain
  • What percent of messages pass DMARC (SPF and DKIM)
  • Which servers and domains fail DMARC (SPF and DKIM)

Tools like DMARCian’s XML to Human Converter can help analyze reports. Based on your analysis, adjust SPF and DKIM settings for all authorized senders before tightening your DMARC policy.

5. Quarantine Some, Then More, and Eventually All Unauthorized Messages

Gradually tighten your DMARC policy by editing the DMARC record in your domain registrar’s DNS console:

v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected]

Monitor for adverse impacts, analyze DMARC reports, and adjust SPF and DKIM settings as needed. Increase the percentage of quarantined messages until it reaches 100%.

6. Reject Messages from Unauthorized Senders

Finally, reject messages from unauthorized senders:

v=DMARC1; p=reject; rua=mailto:[email protected]

Recipient mail servers rarely override DMARC policies. Now, your organization is protected against abuse by unauthorized senders spoofing your domain.

Congratulations! 🥳 Your domain is now secure against email spoofing and spam.

GenSpace.ai is an autonomous AI workspace that integrates with chat platforms like Discord or Slack. It lets you control all your work and productivity apps and browse the web via simple chat commands. Our AI agents automate tasks, manage workflows, and act as your digital assistant, streamlining operations and reducing costs for entrepreneurs and startups.

Share the Post:

Related Posts

GenSpace Logo

Request Access

If you have any feedback or inquiries, feel free to contact [email protected]