
Fix DMARC Cyberalliance email domain verification issue

When I go to the https://dmarcguide.globalcyberalliance.org/#/ website and type in the email domain name of my organization, the SPF & DKIM results pass, but for the DMARC test I receive a message that says "Thank you for getting started with DMARC. You are currently at the lowest level and receiving reports, which is a great starting point. Please make sure to review the reports, make the appropriate adjustments, and move to either quarantine or reject soon. Additional information about reporting tools can be found here" (see the second screenshot below).

When I click on here I am taken to this website https://dmarc.globalcyberalliance.org/dmarc-reporting-key-benefits-takeaways/.

What values do I need to change or what settings do I need to change within my external DNS server records so that I will pass the DMARC test for this globalcyberalliance.org website?

I currently have this TXT record set up within my public DNS records for DMARC:

_dmarc.domain.com.      3600      IN      TXT      "v=DMARC1; p=none; rua=mailto:postmaster@domain.com; ruf=mailto:postmaster@domain.com"

[Screenshot: DMARC TXT record]
PLEASE NOTE: The actual domain name has been replaced with the word domain above and has been whited out in the screenshot for privacy purposes.

[Screenshot: Domain results]
 
Blue Street Tech (Last Knight) Commented:
Hi Knowledgeable,

"Thank you for getting started with DMARC. You are currently at the lowest level and receiving reports, which is a great starting point. Please make sure to review the reports, make the appropriate adjustments, and move to either quarantine or reject soon."
This is because your policy is set to "p=none", which means there is no action ("none") for this policy. One of the main ideas behind DMARC is to invoke action upon the SPF & DKIM results. So if you leave it at none - it's worthless outside of the reporting capabilities. It is a Best Practice to ramp up the policy gradually from none to quarantine to reject but you can move straight to reject...it's just not recommended. Also, initially you should get your sources at least 98% compliant before publishing a policy of quarantine or reject for your domain. Once you hit that range you should start your multi-phased approach with the policy set as follows:
• no action at 100% for 1-2 days - modify the record & replace "p=none;" with p=none; pct=100;
• quarantine @ 100% for 1-2 days - modify to p=quarantine; pct=100;
• reject @ 1% for 1-2 days - modify to p=reject; pct=1;
• reject @ 50% for 1-2 days - modify to p=reject; pct=50;
• reject @ 100% for 1-2 days - modify to p=reject; pct=100;

You should be actively monitoring the policy throughout this process and thereafter.

Let me know if you have any questions!
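An added example (not part of the thread and not Blue Street Tech's code): a small parser that reads a DMARC TXT value, locates it on the five-step ramp listed in the answer above, and renders the record for the next step. It assumes the RFC 7489 default that pct is 100 when absent; the function names are hypothetical, and whether to advance still depends on what the reports show.

```python
# Added example, not from the thread. RANK/RAMP encode the five steps listed in
# the answer above; the function names are hypothetical.
RANK = {"none": 0, "quarantine": 1, "reject": 2}
RAMP = [("none", 100), ("quarantine", 100), ("reject", 1), ("reject", 50), ("reject", 100)]


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in RANK:
        raise ValueError("missing or invalid p= tag")
    tags["pct"] = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def ramp_position(tags):
    """Return (steps already reached, next (policy, pct) step or None at the end)."""
    current = (RANK[tags["p"]], tags["pct"])
    done = sum(1 for p, pct in RAMP if (RANK[p], pct) <= current)
    return done, (RAMP[done] if done < len(RAMP) else None)


def next_record(txt):
    """Render the record for the next step, keeping the other tags (rua, ruf, ...)."""
    tags = parse_dmarc(txt)
    _, step = ramp_position(tags)
    if step is None:
        return None
    rest = [f"{k}={v}" for k, v in tags.items() if k not in ("v", "p", "pct")]
    return "; ".join(["v=DMARC1", f"p={step[0]}", f"pct={step[1]}"] + rest)


# The asker's record as posted (domain already replaced with domain.com on the page)
POSTED = "v=DMARC1; p=none; rua=mailto:postmaster@domain.com; ruf=mailto:postmaster@domain.com"

if __name__ == "__main__":
    print(ramp_position(parse_dmarc(POSTED)))
    print(next_record(POSTED))
```

For the posted record, which already behaves as p=none at 100%, the next step on the ramp is the quarantine record with the same rua and ruf addresses.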
 
IT Guy (Network Engineer, Author) Commented:
Blue Street Tech,

Sorry for the delay in getting back with you.

What exactly do you mean by "Also, initially you should get your sources at least 98% compliant before publishing a policy of quarantine or reject for your domain."?

What do you mean by "Sources"?

Please clarify.

Thank you
 
Blue Street Tech (Last Knight) Commented:
Your source is your mail server/s.
 
IT Guy (Network Engineer, Author) Commented:
Blue Street Tech,

Are you referring to name resolution from the public DNS servers being accurate when it comes to pointing to the correct mailbox servers for your email domain?
 
Blue Street Tech (Last Knight) Commented:
So the DMARC service, provided you subscribe to one, will report all the mail servers used, aka sources. If there are open relays or other hosts outside of the ones explicitly named in your SPF record, these would all be considered sources.

As a DMARC service provider I'd recommend https://dmarcian.com/
 
Blue Street Tech (Last Knight) Commented:
Glad I could help...thanks for the points!