Guide to implementing DMARC for your domain

Spammers can sometimes forge the "From" address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Hexamail supports DMARC, which gives domain owners more control over what recipient domains do with spam emails from your domain. Hexamail software allows you to follow the DMARC.org standard and decide how recipient domains treat unauthenticated emails coming from your domain. You can publish a policy telling recipient domains and other participating email providers how to handle unauthenticated messages sent from your domain. By defining a policy, you can help combat phishing to protect users and your reputation.

Let's break the guide into some easy steps:

SPF is the Sender Policy Framework. This is one of the two mechanisms used by DMARC to help verify email from your domain.It is implemented just by creating a simple DNS record telling other domains which servers can legitimately send email with a From address containing your domain. You just need to know all the servers and other domains or mailservers that may need to send email using your domain email addresses.

Creating the SPF wizard for your domain

Hexamail software (the spam blocker module) includes a wizard to help you create the SPF record you need to add through your DNS management console. You will find the wizard under SPAM Blocker/Detection/Sender/SPF/Wizard... The wizard helps you easily create the DNS TXT record you need to add for your domain to be protected by SPF.

DKIM is DomainKeys Identified Mail and involves signing your outbound email with a special signature in the header that guarantees the message was sent thru your server and has not been tampered with or modified since leaving your server. This is the second mechanism used by DMARC to help verify email is genuinely from your domain. The system uses encryption keys to sign and verify the email. Your private key is generated on your server and signs all outbound email and the public key is published as a DNS record through your DNS management console to allow others to verify your signed email.

Managing DKIM keys for your domain

Hexamail software (the secure module) includes a management interface to let you simply generate and manage your signing keys. You can have multiple different signing keys with various different parameters. This lets you test a key or have keys that expire after a certain time or use specific keys for specific email subdomains or email addresses.

Generating a DKIM key for your domain

You need at least one key setup to start using DMARC. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Creating a DKIM ADSP record for your domain

ADSP is Author Domain Signing Practices. This has largely been replaced by DMARC now. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.

Next you need to create a DMARC DNS record instructing other domains how to verify email from your domain and what to do with spoofed or fraudelent email

Creating a DNS record for DMARC

The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to perform DMARC processing on email from your domain.

Finally you should verify your DMARC setup. To do this send an email from your domain to one of the many DMARC verification services or to a gmail account. The verification services usually send a reply containing the DMARC, SPF and DKIM test results in details.

Unlock the Inbox can verify your DMARC setup if you send an email to this address mailtest@unlocktheinbox.com
Returnpath can verify your DMARC setup if you send an email to this address checkmyauth@auth.returnpath.net

There are also many other deployment tools and verification services listed here DMARC.org

Gmail will add an email header to all received email stating the authentication results for DMARC, SPF and DKIM. Just view the "original message" in the Gmail inbox and you can read all the headers.