Spammers can sometimes forge the “From” address on mail messages so the spam appears to come from a user in your domain. To help prevent this sort of abuse, Hexamail supports DMARC, which gives domain owners more control over what recipient domains do with spam emails from your domain. Hexamail software allows you to follow the DMARC.org standard and decide how recipient domains treat unauthenticated emails coming from your domain. You can publish a policy telling recipient domains and other participating email providers how to handle unauthenticated messages sent from your domain. By defining a policy, you can help combat phishing to protect users and your reputation.
Let’s break the guide into some easy steps:
To add DMARC support to Exchange 2k – Exchange 2016 you need to do the following:
- Download and install a Hexamail Gateway product like Hexamail Guard or Hexamail Nexus
- Enable the Secure module
- Configure an Outbound Send Connector in Exchange to send email out via the Hexamail SMTP gateway
- Configure your DMARC settings for your domain.
Setting up SPF
SPF is the Sender Policy Framework. This is one of the two mechanisms used by DMARC to help verify email from your domain.It is implemented just by creating a simple DNS record telling other domains which servers can legitimately send email with a From address containing your domain. You just need to know all the servers and other domains or mailservers that may need to send email using your domain email addresses.
Setting up DKIM
DKIM is DomainKeys Identified Mail and involves signing your outbound email with a special signature in the header that guarantees the message was sent thru your server and has not been tampered with or modified since leaving your server. This is the second mechanisms used by DMARC to help verify email is genuinely from your domain. The system uses encryption keys to sign and verify the email. Your private key is generated on your server and signs all outbound email and the public key is published as a DNS record through your DNS management console to allow others to verify your signed email.
Hexamail software (the secure module) includes a management interface to let you simply generate and manage your signing keys. You can have multiple different signing keys with various different parameters. This lets you test a key or have keys that expire after a certain time or use specific keys for specific email subdomains or email addresses.
You need at least one key setup to start using DMARC. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.
ADSP is Author Domain Signing Practices. This has largely been replaced by DMARC now. The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to access your public key for verifying your email.
Setting up DMARC
Next you need to create a DMARC DNS record instructing other domains how to verify email from your domain and what to do with spoofed or fraudulent email
The secure module also shows you how to create the DNS record you need to add through your DNS management console to allow others to perform DMARC processing on email from your domain.
Verifying your DMARC setup
Finally you should verify your DMARC setup. To do this send an email from your domain to one of the many DMARC verification services or to a gmail account. The verification services usually send a reply containing the DMARC, SPF and DKIM test results in details.
Unlock the Inbox can verify your DMARC setup if you send an email to this address email@example.com
Returnpath can verify your DMARC setup if you send an email to this address firstname.lastname@example.org
There are also many other deployment tools and verification services listed here DMARC.org
Gmail will add an email header to all received email stating the authentication results for DMARC, SPF and DKIM. Just view the “original message” in the Gmail inbox and you can read all the headers.