Introduction to DMARC

ExchangeDefender is fully compliant with the DMARC email authentication protocol and actively implements open standards such as SPF and DKIM to assure authorized email delivery.

ExchangeDefender supports SPF and DKIM validation and enforcement for incoming messages, and signs outbound messages with appropriate DKIM signatures. These features assure that our clients' domains are protected from spoofing and forgery, and validation of third-party DMARC policies assures that messages sent to our clients comply with the security policies senders have established for their domains.

To find out more about SPF (https://en.wikipedia.org/wiki/Sender_Policy_Framework, Sender Policy Framework), DKIM (https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail, DomainKeys Identified Mail) and how they are used to achieve DMARC alignment (Domain-based Message Authentication, Reporting and Conformance, https://en.wikipedia.org/wiki/DMARC) to prevent unauthorized email delivery (https://en.wikipedia.org/wiki/Email_spoofing, spoofing) please check out RFC 7489 (https://tools.ietf.org/html/rfc7489).

ExchangeDefender DKIM Implementation

ExchangeDefender fully supports DKIM for both incoming and outgoing mail. On the incoming side, we verify DKIM signatures. On the outgoing side, all your sent mail going through ExchangeDefender will be signed with a 2048-bit key allowing others to confirm no one has forged mail from your domain or tampered with messages while en route.

Inbound DKIM implementation is automatic and fully transparent to the user. If the sender's email server is having a problem with DKIM signatures (not DMARC) and messages appear forged or tampered with, they will still be accepted by ExchangeDefender, and the user's SPAM policy will determine whether the message is delivered, quarantined for review, or deleted.

Outbound DKIM implementation is optional and can be enabled or disabled by Domain Administrators on demand at https://admin.exchangedefender.com. Click on Mail Delivery, DKIM Record, and Enable DKIM Signing.

After enabling DKIM signing, your public DKIM key will be provided immediately and ExchangeDefender will begin signing outbound messages within one hour.

Your DNS administrator will need to create the TXT record in your DNS zone. In order to enable DKIM signature verification, your public DKIM key needs to be created in your DNS as a TXT record with the name “default._domainkey” and value as documented. DNS and DKIM in particular can be complex, and troubleshooting can be time consuming requiring very specific expertise. If you need help with this part, from setup to troubleshooting, we do offer an implementation service.

ExchangeDefender SPF Implementation

ExchangeDefender fully supports SPF and makes it easy for clients that route their outbound mail through us to implement SPF. ExchangeDefender has a public SPF record that can easily be included or used exclusively with the following TXT record:

“v=spf1 include:proxy.exchangedefender.com -all”

If you already have an existing SPF record, you can simply add “include:proxy.exchangedefender.com” (no space after the colon) before the SPF policy declaration (~all, -all or +all).

Your DNS administrator will need to create the TXT record in your DNS zone. In order to enable SPF and declare a list of IP addresses that are allowed to relay mail on behalf of your domain name, your SPF record needs to be published in your DNS with no name (or default or @ depending on your DNS control panel) and include our SPF record as “include:proxy.exchangedefender.com”. DNS and SPF in particular can be complex, and troubleshooting can be time consuming requiring very specific expertise. If you need help with this part, from setup to troubleshooting, we do offer an implementation service.
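As an added example (not ExchangeDefender's own tooling), the following Python checks an SPF TXT value for the pitfalls this section warns about (a space after include:, terms placed after all, a soft ~all instead of -all) and inserts the ExchangeDefender include before the policy declaration as described above. Only the include target comes from the page; the sample records are constructed.

```python
# Added example: offline SPF record checker; not ExchangeDefender's tooling. Include target from the page.
EXD_INCLUDE = "include:proxy.exchangedefender.com"
KNOWN_TERMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists", "redirect", "exp"}

def parse_spf(txt):
    """Split a TXT value into (qualifier, term) pairs; raises if it is not v=spf1."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed

def check_spf(txt):
    """Return a list of problems for a record meant to authorize ExchangeDefender relays."""
    try:
        terms = parse_spf(txt)
    except ValueError as err:
        return [str(err)]
    problems = []
    mechs = [m for _, m in terms]
    if EXD_INCLUDE not in mechs:
        problems.append("missing " + EXD_INCLUDE)
    for m in mechs:
        name = m.split(":")[0].split("/")[0].split("=")[0]
        if name not in KNOWN_TERMS or m.endswith(":"):
            problems.append("malformed term %r (a space after 'include:' splits it)" % m)
    all_idx = next((i for i, m in enumerate(mechs) if m == "all"), None)
    if all_idx is None:
        problems.append("no 'all' policy declaration at the end of the record")
    elif all_idx != len(mechs) - 1:
        problems.append("terms after 'all' are never evaluated")
    elif terms[all_idx][0] != "-":  # +all, ~all and ?all all let forgeries through
        problems.append(terms[all_idx][0] + "all does not reject forgeries; use -all")
    return problems

def add_exchangedefender_include(txt):
    """Insert the ExchangeDefender include before the policy declaration (~/-/+all)."""
    terms = txt.split()
    if EXD_INCLUDE in [t.lower() for t in terms]:
        return txt
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            return " ".join(terms[:i] + [EXD_INCLUDE] + terms[i:])
    return " ".join(terms + [EXD_INCLUDE])  # no 'all' yet; check_spf reports that
```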

Using bypass.exchangedefender.com to work around DMARC problems

DMARC problems are not frequent, but when they do appear, due to shadow IT or even a simple mistake in the sender's DMARC configuration, they can be a nightmare. ExchangeDefender fully implements DMARC, and if the sender's policy is a strict reject (p=REJECT), ExchangeDefender is required to reject the message. Messages that are tampered with, forged, or unauthorized under the sender's DMARC policy never reach our antispam controls, so it is not possible to “whitelist” such a message: it is never accepted in the first place.

We realize there are business scenarios where compromising security for a one-off message is required. To accommodate them, ExchangeDefender offers a bypass service, included free with your ExchangeDefender Pro subscription. The ExchangeDefender Bypass Service (bypass.exchangedefender.com) allows you to generate a disposable email address that can receive a message (or multiple messages) without any security precautions. Being able to create, enable, and disable these addresses on demand (and they cannot be guessed easily) can help you accept messages in the short term while the sender is alerted to the problem and given a chance to address it.

ExchangeDefender DMARC Services

ExchangeDefender clients benefit from a platform that fully implements SPF, DKIM, and DMARC solutions for mail going to and from your organization. Furthermore, ExchangeDefender Pro subscribers have access to our bypass.exchangedefender.com (https://bypass.exchangedefender.com) to work around domain owners who have misconfigured their SPF/DKIM/DMARC policies and still get the mail delivered to our clients. ExchangeDefender also offers technical support covering the issuing of our own SPF and DKIM records.

ExchangeDefender also offers a DMARC management & support subscription service to assist our clients with delivery issues not related to the ExchangeDefender network. If you need assistance setting up your SPF/DKIM/DMARC policies, troubleshooting support for mail delivery in/out of your organization, and overall enforcement monitoring, please subscribe to ExchangeDefender DMARC Service.

Our service includes deployment assistance, monitoring, technical support, automated provisioning and testing service, remote diagnosis and an annual review with a service advisor that can offer additional services regarding deployment, planning, and design.

ExchangeDefender Policy

While we encourage all of our clients to implement both SPF and DKIM, we understand that there are sometimes business scenarios under which this is impossible. If you find yourself in this predicament, you should immediately change where your name servers are hosted and take full control of your organization's identity online. But if that is still something you may not be able to do, ExchangeDefender can still protect you from phishing attacks and spoofing launched using your own domain name. If you’ve ever received email from yourself or from a colleague (but the email actually came from a server in Poland) then this setting will help you.

Go to https://admin.exchangedefender.com and login as the domain administrator (username is your domain name).

Click on Security Settings > Phishing
Under “Flag External Emails” click on Enable and then Save.

After this setting is applied, all messages from your domain that were sent from outside of the ExchangeDefender network will go into the SureSPAM quarantine. Just tell users not to trust, whitelist, or release messages that claim to come from your own domain, because they are certainly not legitimate.

Note: This is the option of last resort and will not stop hackers or spammers from abusing your domain for phishing, spamming, or hacking. However, it will stop those messages from arriving directly in your users' mailboxes. If you already have a valid SPF record (with -all, not ~all) and DKIM in production, this setting is not necessary, as ExchangeDefender will automatically reject messages that fail SPF/DKIM validation.

Frequently Asked Questions

How do I whitelist DMARC rejection?

There is no way to whitelist DMARC rejections because the rejected messages are never processed by ExchangeDefender. If the sending organization has a DMARC p=reject policy, ExchangeDefender is not in control of that policy, and the problem can only be fixed on the sender's side. While you can whitelist domains that have invalid DKIM or SPF records, DMARC is unique because it requires us not to accept forged messages.

To work around this protocol limitation, please use the ExchangeDefender Bypass Service: https://bypass.exchangedefender.com

Can I change my selector?

Not at this time. If you are using ExchangeDefender as your outbound smarthost, we are the last hop between you and the recipient's MX, so we should be the default selector anyhow. If you have a more complex DKIM setup in mind that is not currently supported by ExchangeDefender, please consider subscribing to our ExchangeDefender DMARC Services, where you’ll have access to a service advisor who can create a custom DKIM signature.

Need assistance?

ExchangeDefender is easy to reach, and we are here to help with your IT: