DMARC Without SPF or DKIM

It doesn't take long to get going if you're starting from square one and don't have a DMARC policy. You don't need to have SPF and DKIM fully configured to start collecting reports. You'll want to start collecting reports ASAP so there is something to analyze later. It will take a day or two for reports to begin arriving from reporting organizations.

The following steps are what I use to bootstrap DMARC for an organization without affecting mail flow:

  1. Create an email address to receive reports, e.g. "dmarc@example.com". A shared mailbox is recommended, rather than a real account like you'd assign to a person. NOTE: Do NOT use your own email address for this. DMARC can generate a LOT of email depending on how many messages your systems send and to how many recipients.

  2. Create a bare-bones DMARC policy in your public DNS zone. This configuration is for the domain "example.com", and you should substitute your own domain while creating the DNS record:

    • Record type: TXT
    • Record name: _dmarc.example.com
    • Contents:
      v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; fo=1;
    • Record TTL: 3600

  3. Give the new record some time to be created in your zone. This may take a few minutes or a few hours depending on your DNS provider.

  4. Use a command-line tool like nslookup or dig to examine your new record, and verify it is published in the DNS.
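Once dig or nslookup returns the record, it's worth checking that what got published is actually a usable DMARC record (the v tag first, a valid p, mailto: report URIs, and the fo setting you intended). The checker below is an added example written for this post; it is not Tyler's code or any DMARC tool's, and it assumes the bootstrap record above as a constructed sample. Parsing is done on the text, so it runs offline; the lookup_dmarc helper shells out to dig and needs a network connection.

```python
"""Parse and sanity-check a DMARC TXT record (added example, not from the original post)."""
import re
import subprocess
from typing import Dict, List

# Constructed sample: the bootstrap record from the post, quoted the way dig prints TXT data.
SAMPLE_RECORD = (
    '"v=DMARC1; p=none; rua=mailto:dmarc@example.com; '
    'ruf=mailto:dmarc@example.com; fo=1;"'
)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag -> value, keeping the tag order as published."""
    # dig wraps each TXT string in double quotes; strip them and join multi-string records.
    text = "".join(re.findall(r'"([^"]*)"', record)) or record
    tags: Dict[str, str] = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means the record is ready to collect reports."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    # RFC 7489: v=DMARC1 must be present, exact, and the first tag, or receivers ignore the record.
    first_tag = next(iter(tags), None)
    if first_tag != "v" or tags.get("v") != "DMARC1":
        findings.append("v=DMARC1 must be the first tag")

    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid (expected none, quarantine or reject)")

    # Without rua/ruf nothing is delivered to the mailbox created in step 1.
    for tag in ("rua", "ruf"):
        uris = tags.get(tag, "")
        if not uris:
            findings.append(f"{tag} not set: no reports will be delivered")
        elif not all(u.strip().startswith("mailto:") for u in uris.split(",")):
            findings.append(f"{tag} must contain mailto: URIs")

    # fo defaults to 0 (report only when both SPF and DKIM fail); the post recommends fo=1.
    if tags.get("fo", "0") == "0":
        findings.append("fo defaults to 0; use fo=1 to get a report when either SPF or DKIM fails")

    return findings


def lookup_dmarc(domain: str) -> str:
    """Fetch the live record with dig (needs network and dig on PATH); not used offline."""
    result = subprocess.run(
        ["dig", "+short", "TXT", f"_dmarc.{domain}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Check the constructed sample; swap in lookup_dmarc("yourdomain.example") for a live record.
    problems = check_dmarc(SAMPLE_RECORD)
    print("OK" if not problems else "\n".join(problems))
```

Run it as-is to check the sample, or replace SAMPLE_RECORD with the output of lookup_dmarc for your own domain after the record has propagated. Anything it reports is worth fixing before waiting a day or two for reports that may never arrive.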

Here is a quick explanation of options in the bootstrap record:

  • v=DMARC1: The version of DMARC used (version 1 is the only version as of 2024)
  • p=none: Take no action if an email fails validation
  • rua=mailto:dmarc@example.com: Send DMARC aggregate reports to dmarc@example.com
  • ruf=mailto:dmarc@example.com: Send DMARC forensic reports to dmarc@example.com
  • fo=1: Send an email if any message authentication fails

The "fo=1" tag gives us more information for troubleshooting SPF and DKIM failures. The default is to send a report only if both SPF and DKIM fail. That's great once you've completed implementation, but not for getting started.

Tyler Hart

Tyler Hart is a networking and security professional who started working in technology in 2002 with the US DoD and moved to the private sector in 2010. He holds a Business degree in IT Management, as well as the CISSP certification and others from Microsoft, CompTIA, Cisco, (ISC)2, Tenable Network Security, and more. For over 15 years he has worked and consulted with large and small organizations including hospitals and clinics, ISPs and WISPs, U.S. Defense organizations, and state and county governments.

https://www.manitonetworks.com