Implement the DMARC Analysis service
Learn about what steps you need to take and what resources and support are available to help you deploy and configure the DMARC analyser service within your agency.
The Cyber Security Unit (CSU) recommends that agencies adopt a safe, iterative enforcement strategy which prioritises email delivery over domain protection in order to prevent false positives during the policy deployment process.
You can achieve this by following the steps outlined in the DMARC overview guide from the Australian Cyber Security Centre (ACSC) as a starting point, then progressing to the implementation guides and steps below.
Start-up guides to the deployment process from Mimecast:
Configuration for the Queensland Government
The bolded script below is specific to Queensland government agencies and should be the ‘end state’ best practice when configuring agency DMARC records. This approach also eliminates the need to manually modify the target RUA and RUF email addresses in the event of a change of DMARC analysis service vendor.
Summary for email sending domains
DNS Record | Comment |
---|---|
agencydomain.qld.gov.au. TXT "v=spf1 <server list> –all" | <server list> is a list of valid servers |
*.agencydomain.qld.gov.au. TXT "v=spf1 –all" | "no server" SPF if subdomains do not send email |
<selector>._domainkey.agencydomain.qld.gov.au. TXT "v=DKIM1; k=rsa; p=<public key>" | Publish DKIM public key if DKIM is configured |
_dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Domain DMARC record |
Alerts from Microsoft | Microsoft 365 Defender (Preview) Connector |
Summary for non-email sending domains
DNS Record | Comment |
---|---|
agencydomain.qld.gov.au. TXT "v=spf1 –all" | Domain nil SPF No valid servers |
*.agencydomain.qld.gov.au. TXT "v=spf1 –all" | Subdomain wildcard nil SPF |
_dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Tells receiving mail servers to junk any emails from this domain or subdomain |
Microsoft Office 365
For agencies using Microsoft Office 365 as their primary email platform, follow guidance from Microsoft for configuring DMARC.
Vision6 – Marketing Email Service
Vision6 is used across several agencies for community engagement, outreach, marketing and awareness campaigns. Agencies should implement Vision6’s recommended SPF, DKIM and DMARC configuration.
Third-party email service configuration
An agency’s domain might be blacklisted if a third-party’s email service is abused by hackers or has a large number of bounced emails. Agencies should perform a risk assessment for all third-party email services and adopt one of the following strategies in descending order of preference to mitigate potential risks.
You’ll need to delegate a sub-domain for the service; e.g. ‘comms.agencydomain.qld.gov.au’ for marketing and community outreach emails using services like Vision6.
Alternatively, or in addition to the above, you can use a unique DKIM key for the third-party service. This unique DKIM key must only be used for emails from the third-party email service and should not be reused for any other outbound email flow. A valid DKIM key will allow emails to pass DMARC.
Trouble shooting third-party email services
In rare cases, if the third-party email service prescribes and supports it, you can configure the service to re-write the ‘5322.FROM’ email address (which the user sees) to a valid email address at the vendor (with the same org domain as the envelope ‘5321:MailFrom’ address).
The address will then pass SPF and SPF alignment, and/or DKIM and DMARC validation, and append a REPLY-TO email address to the email for the agency contact sending the email, e.g.:
- RETURN-PATH: bounces@emailserviceprovider.com
- FROM: messages@emailserviceprovider.com
- REPLY-TO: john.doe@agencydomain.qld.gov.au
It’s important to note, that while this approach is valid, high-risk emails can appear as a phishing attempt if the ‘FROM’ address is coming from an external address and not the sending agency.
If you’re directed by the third-party vendor, you should include the third-party vendor’s SPF in the agency’s SPF entry to allow SPF to pass.
Additional guidance on how to configure third-party email services can be found at:
CITEC Service Desk
Contact the CITEC Service Desk at service@citec.com.au for DMARC related technical support issues.
Cyber Security Unit
Contact the Cyber Security Unit (CSU) at CyberSecurityUnit@qld.gov.au if you need more information about the DMARC analysis service.