Fix DMARC Cyberalliance email domain verification issue

When I go to the https://dmarcguide.globalcyberalliance.org/#/ website and type in the email domain name of my organization the SPF & DKIM results pass but for the DMARC test I receive a message that says "Thank you for getting started with DMARC. You are currently at the lowest level and receiving reports, which is a great starting point. Please make sure to review the reports, make the appropriate adjustments, and move to either quarantine or reject soon. Additional information about reporting tools can be found here" (see the second screenshot below).

When I click on here I am taken to this website https://dmarc.globalcyberalliance.org/dmarc-reporting-key-benefits-takeaways/.

What values do I need to change or what settings do I need to change within my external DNS server records so that I will pass the DMARC test for this globalcyberalliance.org website?

I currently have this TXT record setup within my public DNS records for DMARC:

_dmarc.domain.com.      3600      IN      TXT      "v=DMARC1; p=none; rua=mailto:postmaster@domain.com; ruf=mailto:postmaster@domain.com"

DMARC-TXT-Record
PLEASE NOTE: The actual domain name has been replaced with the word domain above and has been whited out in the screenshot for privacy purposes.

Domain results
IT GuyNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi Knowledgeable,

Thank you for getting started with DMARC. You are currently at the lowest level and receiving reports, which is a great starting point. Please make sure to review the reports, make the appropriate adjustments, and move to either quarantine or reject soon.
This is because your policy is set to "p=none", which means there is no action ("none") for this policy. One of the main ideas behind DMARC is to invoke action upon the SPF & DKIM results. So if you leave it at none - its worthless outside of the reporting capabilities. It is a Best Practice to ramp up the policy gradually from none to quarantine to reject but you can move straight to reject...it's just not recommended. Also, initially you should get your sources at least 98% compliant before publishing a policy of quarantine or reject for your domain. Once you hit that range you should start your multi-phased approach with the policy set as follows:
• no action at 100% for 1-2 days - modify the record & replace "p=none;" with p=none; pct=100;
• quarantine @ 100% for 1-2 days - modify to p=quarantine; pct=100;
• reject @ 1% for 1-2 days - modify to p=reject; pct=1;
• reject @ 50% for 1-2 days - modify to p=reject; pct=50;
• reject @ 100% for 1-2 days - modify to p=reject; pct=100;.

You should be actively monitoring the policy throughout this process and thereafter.

Let me know if you have any questions!
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT GuyNetwork EngineerAuthor Commented:
Blue Street Tech,

Sorry for the delay in getting back with you.

What exactly do you mean by "Also, initially you should get your sources at least 98% compliant before publishing a policy of quarantine or reject for your domain."

What do you mean by "Sources"?

Please clarify.

Thank you
0
Blue Street TechLast KnightCommented:
Your source is your mail server/s.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

IT GuyNetwork EngineerAuthor Commented:
Blue Street Tech,

Are you referring to name resolution from the public DNS servers being accurate when it comes to pointing to the correct mailbox servers for your email domain?
0
Blue Street TechLast KnightCommented:
So the DMARC service, provided you subscribe to one, will report the all the mail servers used, aka sources. If there are open relays or other hosts outside of the ones explicitly named is your SPF record, these would all be considered sources.

As a DMARC service provider I'd recommend https://dmarcian.com/
0
Blue Street TechLast KnightCommented:
Glad I could help...thanks for the points!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.