How to fix “No DMARC record found”
When you see “No DMARC record”, “DMARC record not found” or “DMARC record is missing”, it means your domain lacks DMARC, the most effective and powerful email authentication mechanism.
A domain without a DMARC reject policy is not nice, sort of like being naked in the middle of the street.
DMARC is needed to block fake emails sent from that domain. This kind of attack is known as email spoofing. An attacker can send an email with that exact domain in the From field, because SMTP by default has no protection against fake “From” addresses.
Why you need DMARC or Email Authentication to fight against email scam and spoofing
To prevent email spoofing, every domain must have an email authentication system. You have probably heard about the SPF and DKIM mechanisms. But neither SPF nor DKIM alone can stop impersonation of your domain or prevent email spoofing. DMARC (Domain-based Message Authentication, Reporting & Conformance) comes to the rescue. It combines the SPF and DKIM mechanisms and gives 100% protection from exact-domain attacks.
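How a receiver combines the SPF and DKIM results with the From domain, as an added example that is not code from this page or from EasyDMARC. The message fields, the sample domains and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Message:
    """What the receiving server learned about one message."""
    header_from: str   # domain in the visible From: header
    mail_from: str     # envelope sender domain, the one SPF checks
    spf_pass: bool
    dkim_d: str        # d= domain of the DKIM signature
    dkim_pass: bool

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, policy, aspf="r", adkim="r"):
    """Apply the From domain's DMARC policy to one message."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf == "s")
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_d, msg.header_from, adkim == "s")
    if spf_ok or dkim_ok:
        return "pass"
    # Neither check passed *for the From domain*: the published policy decides.
    return {"none": "delivered", "quarantine": "quarantined", "reject": "rejected"}[policy]

# Constructed sample messages, all claiming From: yourdomain.com
LEGIT = Message("yourdomain.com", "bounce.yourdomain.com", True, "yourdomain.com", True)
# SPF and DKIM both pass, but for the sender's own unrelated domain.
SPOOFED = Message("yourdomain.com", "unrelated.example", True, "unrelated.example", True)
# A real service you use, sending before SPF/DKIM were set up for your domain.
UNCONFIGURED = Message("yourdomain.com", "mailer.example", True, "mailer.example", True)

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoofed", SPOOFED), ("unconfigured", UNCONFIGURED)]:
        for policy in ("none", "reject"):
            print(f"{name:13} p={policy:7} -> {dmarc_disposition(msg, policy)}")
```

The spoofed message passes SPF and DKIM on their own terms and is only stopped once the From domain publishes an enforcing policy; the unconfigured sender shows how the same policy refuses valid mail when your own senders are not aligned.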
DMARC can protect you from phishing attacks. Phishing is a fraudulent attempt to obtain confidential information: by posing as a legitimate individual, hackers manipulate victims into performing specific actions. According to the Verizon Data Breach Investigations Report 2018, phishing and pretexting represent 93% of breaches. 80% of all breaches involve credentials (DBIR).
So how do you fix this and add your missing DMARC record?
It depends on what you want to achieve. There are 2 possible cases:
Case 1: Simply get rid of annoying “No DMARC record” message without understanding the real value of DMARC and any email spoofing protection
The answer is very simple. Technically, fixing “No DMARC record found” literally means adding a TXT DNS record at the _dmarc.yourdomain.com subdomain, according to the DMARC specification. A basic DMARC record can be as simple as the following:
v=DMARC1; p=none; rua=mailto:[email protected]
You are done. You have successfully added your missing DMARC record.
Congratulations, but with that record you are still very far from stopping email spoofing and impersonation attacks.
Case 2: Get 100% protection against email impersonation and spoofing attacks
To achieve 100% protection you need to understand the mechanics behind the DMARC system and how it works. Achieving 100% protection against email spoofing is hard: it requires diligence and some time (usually more than 2 months, depending on how complex your email infrastructure is).
It is hard because, if your configuration is not correct, not only the fake emails sent by hackers from your domain but also your valid emails can be rejected. It’s like having a protected folder that nobody can access, not even you (the folder is very secure, but it is useless if even you can’t access it). Our platform EasyDMARC is an easy solution for people like you to avoid risks and safely achieve 100% protection on the hard journey of DMARC deployment.
The journey starts with simply publishing a basic DMARC record.
3 steps to fix “No DMARC record found” issue
1. Publish SPF record
Use any free SPF record generator and publish the generated record in your DNS.
Use EasyDMARC free SPF record generator to create your record:
The SPF record looks like this:
v=spf1 include:spf.easydmarc.com include:amazonses.com ip4:18.104.22.168/32 -all
2. Set up DKIM authentication
Next, you need to configure your mail server. For that you can use a free DKIM record generator for DKIM authentication. Here is an automated script that will help you configure your Linux mail server with DKIM.
You can use our free DKIM record generator to get the right syntax.
3. Publish DMARC record
Finally, we are ready to set up the DMARC record. Use our free DMARC record generator and publish the generated record in your DNS.
At first, it is strongly recommended to publish a monitoring policy (p=none). Once the monitoring results are good, the system will suggest that you change the published policy.
Don’t use the p=reject policy in the beginning unless you are sure you have the right configuration and visibility into your e-mail infrastructure.
It is very important to stress that neither SPF nor DKIM alone can prevent cybercriminals from sending e-mails using your domain.
Keep in mind that only a DMARC record with the “p=reject” policy is the most powerful, industry-standard e-mail authentication system. However, achieving “p=reject” is hard, because putting it in DNS without proper monitoring can cause your perfectly valid e-mails to be rejected.
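To see where a published record sits between the basic record of Case 1 and the “p=reject” goal described here, the following added example (not code from this page or from EasyDMARC) parses a DMARC TXT value and reports whether it only monitors or actually enforces. The status names and the sample records are constructed for illustration; `pct` and `sp` are standard DMARC tags that the page itself does not cover.

```python
def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return (status, findings) for one DMARC record string."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return "invalid", ["record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= must be none, quarantine or reject"]
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return "invalid", ["pct= must be an integer from 0 to 100"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to monitor")
    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
        return "monitoring", findings
    weak = []  # reasons the record falls short of full enforcement
    if policy == "quarantine":
        weak.append("p=quarantine: failing mail is flagged, not refused")
    if int(pct) < 100:
        weak.append(f"pct={pct}: policy covers only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        weak.append("sp=none: subdomains are not enforced")
    return ("partial" if weak else "enforcing"), findings + weak

SAMPLES = [  # constructed records; the reporting address is a placeholder
    "v=DMARC1; p=none; rua=mailto:reports@yourdomain.example",
    "v=DMARC1; p=reject; pct=25; rua=mailto:reports@yourdomain.example",
    "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.example",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(audit_dmarc(rec)[0], "<-", rec)
```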
We know how to set up DMARC correctly and protect your domain from phishing without losing any of your emails. You can easily identify and fix your issues by automating your reports with EasyDMARC.
Here is an example of the above-mentioned DMARC report:
Are you protected?
These posts will help you set up DMARC records on different DNS providers:
Are you running on a different DNS provider? Write to us and we will gladly help you out with a new post.
To sum up, it’s quite easy to set up e-mail authentication. On the other hand, professionals will do it faster and will ensure the quality. Our tech support will be glad to solve your e-mail authentication deployment problem; just ask.