How to Secure Email and Improve Deliverability (DMARC Tutorial)
So whether you’re looking to protect your company email or even just increase email deliverability, this week, we’re gonna walk step-by-step through the process of adding DMARC protections for your domain. You’re gonna need access to your domain’s DNS settings, at which point we’re gonna walk through
the manual process of setting this up, or if you’d rather, there’s an easier managed solution that I use and recommend. You can jump ahead to that part of the video right here or keep watching for the more do-it-yourself solution. Welcome to “All Things Secured.” My name’s Josh, and last month,
we spent a little bit of time talking about DMARC and the value that it provides in terms of security for your email that you send from your own domain. In other words, if your email ends in gmail.com, yahoo.com, or outlook.com, this doesn’t apply to you. Anyway, you can watch this video here later
if you wanna get an overview of what we’re doing here. Now, let’s open up the DNS records for my domain, which I’ve hosted through Cloudflare. Yours might be hosted with your domain provider, so you might also need to check GoDaddy, Namecheap, or one of the other domain providers that there are.
Now, I’m gonna show you the manual process, but before we get started, I wanna recommend that you watch through this entire video before you start doing this yourself because there’s part of this manual process, especially towards the end, that I wanna highlight that might make you wanna really think about
doing the more managed process that we’re gonna talk about in this latter half of the video. Okay, I’m gonna start off here in my DNS records, which as you can tell, I have hosted with Cloudflare. And so the first thing I need to do is I’m gonna set up my SPF record,
and that’s basically saying which websites or which entities are allowed to send email as “All Things Secured.” So the first thing I’m gonna do is I’m naming it, it’s a TXT file, naming it the @ or the root for “All Things Secured” and I’m creating the SPF for google.com.
Now, this is something that I found on Google that they use and so I’m gonna go ahead and save that file. And the next thing that I need to do after creating that SPF is I need to go in now and figure out how I can create a DKIM file for Google.
And the only way to do that, basically, creating this key, this secret key between the email that’s sent and Google is to go into my admin account. I’m going to authenticate email here in Gmail and now you’re seeing the DKIM authentication. And I wanna do it for the correct URL.
Make sure you have the right URL here. That’s super important. And I’m gonna copy and paste to create a new record. Again, we’re creating a TXT record and the name specifically is the Google name that it tells me to give. And then I’m gonna copy and paste all of this
here for the TXT record and set it up and save. Again, this is my DKIM record for Google. And if I wanted to send with ConvertKit, or MailChimp, or if I wanted to have my, you know, law firm also be able to send email on my behalf,
I have to set up a separate SPF record for every single one of them. So, now that I have a record for both my, excuse me, a DKIM record. So now that I have a record, an SPF record for Gmail and a DKIM record that gives that private key,
now I need to set up a DMARC record. And this DMARC is going to set the policy for what happens to these emails that come from Gmail, or more specifically, which ones don’t come from my Gmail. So I’m gonna set it up, as you can see here,
as I could set it up as reject, I could set it up as quarantine, but to start, I’m gonna set it up as none to make sure as I’m doing this that I haven’t done anything correctly. So I’m gonna set up a mailto. So I’ve set up a specific email address, dmarc@allthingssecured.com,
to send these DMARC reports to. And then if you wanted to, you could do a comma and then any other email address that you want. I’m just gonna keep it at this one. I’m gonna go ahead and click save and then set that up. Now, again, let’s say I wanted to set
up ConvertKit as a sender of my emails, which that’s what I use for “All Things Secured.” I’m gonna need to verify my sending domain and that’s what they asked me to do. They asked me to set up a CNAME for my SPF and another CNAME record for my DKIM.
So that’s what you’re gonna see me doing. I’m going to go ahead and set up a CNAME, I’m going to copy and paste what they asked me to copy and paste in there, and then I’m gonna do the same, this is my SPF record, and then I’m gonna go ahead and
do the same for the DKIM record. And the DMARC record remains the same. So there’s only one DMARC record ’cause that’s telling, that’s explaining what to do with these emails, but the SPF and the DKIM records, you have to set up one individual one for every single sender
that you wanna be sending on your behalf. Now, at this point, if you wanted to, you could actually go in and check how you set up your DMARC records. I’m doing this on EasyDMARC, there’ll be a link in the description below, where it’s gonna show me overall results.
It says that my SPF record might not have been set up correctly. There’s some things that could change there. It’s showing me my DMARC and how that was set up. So it’s letting me know if I did it correctly or not. Don’t worry about BIMI. That’s something for advanced.
You know, it costs $1,500 a year, but that’s not something I’m worried about. I just wanted to see if I set it up correctly. As you can see here, the setup process is doable, albeit maybe a little bit confusing. I’d say the one thing I wanna really emphasize here is
that you wanna set your DMARC policy to none as you get started because you really wanna get an understanding of what’s happening before you start quarantining or even rejecting emails. But wait, before you run off here, let me explain one thing that’s really important. This is just part one.
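The SPF and DMARC records from the manual setup can also be linted locally; the Python below is an added example, not part of the video or of EasyDMARC's tooling. The sample records are constructed, spf.sender.example is a placeholder for a second sender, and the SPF check relies on the RFC 7208 rule that a name may carry only one v=spf1 record, so additional senders are merged into it as include: terms.

```python
import re

# Constructed sample records. _spf.google.com is Google's published SPF
# include; spf.sender.example is a placeholder for a second sender.
ROOT_TXT = ["v=spf1 include:_spf.google.com include:spf.sender.example ~all",
            "site-verification=constructed-value"]
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc@allthingssecured.com"

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per check).
LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def lint_spf(txt_records):
    """Problems with the SPF policy among the TXT records at one DNS name."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # 0 = no policy; 2 or more = permerror, so merge senders into one record.
        return ["expected exactly 1 v=spf1 record, found %d" % len(spf)]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if sum(1 for t in terms if LOOKUP.match(t)) > 10:
        problems.append("more than 10 DNS-lookup terms")
    if not any(t.lstrip("+-~?") == "all" or t.startswith("redirect=") for t in terms):
        problems.append("no 'all' or redirect= term")
    return problems

def lint_dmarc(record, domain):
    """Problems with the _dmarc TXT record for `domain` (simplified domain match)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return ["record must start with v=DMARC1"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none is monitor-only; failing mail is not quarantined or rejected")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("no rua address, so no aggregate reports arrive")
    for uri in uris:
        host = uri.split("!")[0].rpartition("@")[2].lower()
        if not uri.lower().startswith("mailto:"):
            problems.append("rua is not a mailto: URI: " + uri)
        elif host != domain and not host.endswith("." + domain):
            problems.append("external rua host %s needs a _report._dmarc record" % host)
    return problems
```

An empty list means the record passed every check; the external-rua warning matters when reports are sent to a managed service on another domain.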
Now you need to monitor these DMARC reports that are being sent to your monitoring address so that you understand how your emails are being received by all of these different email providers. And here’s the thing, these reports come in daily and unless it’s your job to understand these XML files,
it can be really confusing, or at least it was for me. I mean, they come as an XML file, and if you were to open it up, like the one that you see here, it just looks like gibberish. Like, you really have to know what you’re looking for.
And this is just for a couple emails. Imagine if it’s hundreds of emails, having to go through and parse and analyze this file is really confusing. And that’s really why I wanted to give EasyDMARC a try. It’s easier to set up, but more than that, it’s a whole lot easier to understand
and analyze the reports that come in. So, let’s dive into that right now. Okay, so I’ve already created an account with EasyDMARC and I’m gonna go in and the first thing I need to do is I need to set up the URL that I’m gonna be using for EasyDMARC.
And depending on your plan, you can set up multiple emails, but let’s just get started with a single email. I’m gonna set up “All Things Secured.” So I click on add a new domain, I’m gonna type in allthingssecured.com, obviously, and I’m gonna add that in.
And one of the first things I have to do is I have to add the DMARC record to my DNS. So that is one of the first things that I’ll have to do. Like I said, you’ve gotta be in your DMARC or in your DNS settings. So for me, that happens in Cloudflare.
So you’re gonna see, I’m gonna go into here, I’m going to create a TXT file for DMARC, and then I’m going to copy and paste that in and save. So once I click save, I’m gonna go back in and I’m going to verify the fact that that DMARC record was put in correctly.
It was. So I’m gonna start my DMARC journey. And here’s where you’re gonna see my dashboard. My dashboard right now, it has received no reports. I just set it up, obviously, so that’s okay. So now what I need to do is at this point, if you remember from the previous video,
it’s not just the DMARC, we also have to worry about our SPF and our DKIM reports. And that’s why this gets all confusing. And here’s the point where the DKIM, we have to set up on an account by account basis, for whoever’s gonna be sending.
But the SPF is something that can be done through EasyDMARC and it’s, in some ways, a little bit easier for me to set it up. So I’m gonna go ahead and use their EasySPF feature, and that is something that only comes at a higher price plan. You can do it yourself
as I’ve shown you in the manual setup already, but I’m gonna go ahead and use this EasySPF. Okay, so now for EasySPF, I need to go ahead and set up a record on my DNS for this, you know, SPF record with EasyDMARC. So you’re gonna see here,
I’m basically gonna do the same thing. I’m gonna copy, I’m gonna paste this into my Cloudflare, and make sure that I’ve got that set up correctly. Go ahead and apply that. And now I will verify. All right. Now, at this point, we need to start adding sources,
sources that are allowed to send on our behalf. So let’s say I wanna do Gmail or Google, right? So it’s gonna come up as Google Workspace or Gmail. And I can use include, it’s gonna automatically set up the SPF for me, and then I just click add.
I can do the same thing for a number of different providers. That could be, let’s see here, Salesforce, that could be Microsoft, that could be a whole host of others. EasySPF kind of has all of this already set up for you and you can get it set up a whole lot easier
or you can go and do it by yourself either way. Okay, so with that outta the way, we’re gonna fast forward a couple weeks and now look at my dashboard after having sent hundreds and thousands of emails to see what comes up. So you can see my dashboard here.
I’ve added a couple of additional URLs that I’m protecting as part of my business, but I’m gonna blur those out so you just see “All Things Secured,” and you can see that I’ve sent over the past 30 days almost 5,000 emails with a 97% DMARC compliance and pass rate.
So I can dive in and look at the different reports. Obviously, these are when I sent email blasts and I can see all the different places where those emails came from. So whether that was ConvertKit, Gmail, or Flywheel, which is where I host my website, all of those emails come from those places.
And I can say, the DKIM passed, the SPF passed. And at this point, after 30 days, I’m fairly confident that I can now change my DMARC policy from none to quarantine or reject. And that way, as I’m looking at this, any of these emails that are non-compliant
or any of ’em that are threats, and the non-compliant ones are from Flywheel, those are just ones that my website sends to me and so I’m not that worried about those or any threats or unknowns. I can look at these. Again, most of them are coming from Flywheel,
but I can check out those unknowns and get a better sense of where it’s coming from. And looking at this, I see the mail.ru. I definitely don’t want those to be able to make it through. That is not for me. I’m kind of actually honestly worried about why that’s showing up.
And so I wanna make sure that I’m setting my DMARC policy now to at least quarantine, if not reject, because I don’t want those kind of emails going through for the security and safety of my own email, for those of the people that are on my email list,
and especially just for any of my partners that I work with with “All Things Secured.” So you can see here that this reporting versus this reporting is a whole lot easier to understand and I am a lot more confident to set up my DMARC policy to reject or quarantine when I’m looking
at these numbers as opposed to this XML file. And that’s really the point. I do not wanna keep my DMARC on a none for very long. I wanna move as quickly as I can to a reject or a quarantine policy. So before you go through and manually set up your DMARC records,
especially if you’ve never done it before, you should go and check out EasyDMARC and see if they’ve got a plan that works for you and your business. And honestly, I think they will because they even have a starter free plan that you can try. And for paid plans, if you go that route,
EasyDMARC is working with me to offer a 10% discount to you if you use the promo code ATSPROMO at checkout. Whatever you decide, if you run a small business that doesn’t have its own IT department or cybersecurity team, and let’s face it, that is most small businesses,
then protecting your business email is a no-brainer. Learn more about EasyDMARC here and in the description below. And now that you’ve taken steps to protect your email, I recommend you watch this next where I walk through seven critical security steps that you need to be taking as a freelancer or a small business.
So, watch that next.
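The daily XML files described in the video follow the aggregate report format from RFC 7489, so the pass rate and the failing sources a dashboard shows can be computed directly from them. The parser below is an added example, not from the video or from EasyDMARC; the report is constructed, with a placeholder reporter name and documentation IP addresses.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report in the RFC 7489 aggregate format. The reporter name and
# report id are placeholders and the IPs are documentation addresses.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>allthingssecured.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Pass rate and failing sources for one aggregate report."""
    # Reports arrive from outside mail servers: refuse DTDs and entities
    # before parsing so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "unknown").strip()
        count = int(rec.findtext("row/count", "0"))
        ev = rec.find("row/policy_evaluated")
        results = [] if ev is None else [
            (ev.findtext(k) or "").strip().lower() for k in ("dkim", "spf")]
        # DMARC passes when either aligned check passes.
        sources[ip]["pass" if "pass" in results else "fail"] += count
    total = sum(s["pass"] + s["fail"] for s in sources.values())
    passed = sum(s["pass"] for s in sources.values())
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "messages": total,
        "pass_rate": round(100.0 * passed / total, 1) if total else None,
        "failing_sources": sorted(ip for ip, s in sources.items() if s["fail"]),
    }
```

Every address in `failing_sources` should be identified as either a legitimate sender that still needs SPF or DKIM set up, or an unknown source, before the policy moves from none to quarantine or reject.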
Whether you want to protect your company domain or improve email deliverability, setting up an appropriate DMARC policy is a must! Follow this tutorial that explains the DIY and managed solutions for setting up DMARC protections for your domain.

▶ Try EasyDMARC here: https://www.easydmarc.com
▶ Get 10% discount with ATSPROMO here: https://www.easydmarc.com
▶ Check your own DMARC records here: https://easydmarc.com/tools/dmarc-lookup

If you care about your personal security and privacy online, download my free security checklist here:
✅ Security Checklist: https://www.allthingssecured.com/security-checklist-pdf/

🔹🔹🔹 What to Consider Next 🔹🔹🔹
We have a lot of great content about privacy and security for small businesses here on the All Things Secured YouTube channel (although we admit we're a little biased). If you want to increase your online cybersecurity, follow these steps:
✅ What is Business Email Fraud and how does DMARC work? https://www.youtube.com/watch?v=yCp_EVO4xXU
✅ 7 Essential Cybersecurity Tips for Small Businesses: https://www.youtube.com/watch?v=Wd66-5bBuY4
✅ How SIM Swapping Your Business could ruin: https://www.youtube.com/watch?v=64p_WkYc9d0

🔹🔹🔹 Help Support All Things Secured (Recommended Services) 🔹🔹🔹
If you like this kind of practical security and privacy content, one of the best ways you can help support this channel is by using these affiliate links to our favorite products and services. When you purchase through these links, not only do you get the best deal available, the companies also pay us a small commission. Thank you for your support!
✅ Recommended password manager: https://www.allthingssecured.com/yt/1password
✅ Recommended identity monitoring: https://www.allthingssecured.com/try/identityforce-yt
✅ Recommended 2FA security key: https://www.allthingssecured.com/yt/yubikey
✅ Recommended secure email: https://www.allthingssecured.com/try/protonmail-yt
✅ Recommended VPN: https://www.allthingssecured.com/try/expressvpn-yt

Video Timestamps
0:00 – Introduction to the DMARC Protection
1:21 – Manual DMARC setup tutorial
1:31 – Step 1: Set up an SPF record
1:55 – Step 2: Set up a DKIM record
2:58 – Step 3: Set up a DMARC policy
3:54 – How to check sending domain in ConvertKit (example)
4:44 – How to check your DMARC setup
5:17 – DMARC policy: None, Quarantine or Reject?
5:35 – Monitor your DMARC reports
6:29 – How to set up EasyDMARC (Tutorial)
9:28 – How to read your DMARC report
11:42 – Manual or managed DMARC solution?

Email spoofing is a major risk for businesses large and small. The FBI ranks business email compromise as the most common and costly type of fraud, harming not only your business but also your customers and partners. So what can you do to protect your work email? The best option is to set up an appropriate DMARC policy. This tutorial will show you how to do that.

#dmarc #businessemail #cybersecurity