The Cyber Security Unit (CSU) recommends that agencies adopt a safe, iterative enforcement strategy (monitor with p=none, then quarantine, then reject) that prioritises email delivery over domain protection while the policy is being rolled out, so that legitimate mail sources are discovered from the aggregate reports before enforcement blocks them.
You can achieve this by following the steps outlined in the DMARC overview guide from the Australian Cyber Security Centre (ACSC) as a starting point, then progressing to the implementation guides and steps below.
Start-up guides to the deployment process from Mimecast:
Configuration for the Queensland Government
The DNS records in the tables below are specific to Queensland government agencies and represent the ‘end state’ best practice for agency DMARC records. Because the RUA and RUF addresses point at central qld.gov.au mailboxes rather than directly at a vendor, agencies do not need to modify their DMARC records if the DMARC analysis service vendor changes.
Summary for email sending domains
| DNS record | Comment |
|---|---|
| agencydomain.qld.gov.au. TXT "v=spf1 <server list> -all" | <server list> is the set of servers authorised to send for the domain; -all (ASCII hyphen, not an en dash) hard-fails everything else |
| *.agencydomain.qld.gov.au. TXT "v=spf1 -all" | "no server" SPF for subdomains that do not send email; a wildcard only applies to names with no records of their own, so a subdomain that exists in DNS needs its own SPF record |
| <selector>._domainkey.agencydomain.qld.gov.au. TXT "v=DKIM1; k=rsa; p=<public key>" | Publish the DKIM public key for each selector if DKIM signing is configured |
| _dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Organisational domain DMARC record; sp=reject applies the same policy to all subdomains and fo=1 requests a failure report when either SPF or DKIM fails |
Summary for non-email sending domains
| DNS record | Comment |
|---|---|
| agencydomain.qld.gov.au. TXT "v=spf1 -all" | Nil SPF for the domain: no server is authorised to send |
| *.agencydomain.qld.gov.au. TXT "v=spf1 -all" | Nil SPF for all subdomains (wildcard; subdomains with their own records need their own nil SPF) |
| _dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Tells receiving mail servers to reject (not merely junk) any email claiming to come from this domain or its subdomains, while still reporting attempts to the central mailboxes |
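The following checker is an added example (not part of the original page or CSU tooling) that tests a set of TXT records against the end state described in both tables above: SPF ending in -all, a wildcard nil SPF, well-formed DKIM selectors where present, and a DMARC record with p=reject, sp=reject, fo=1 and the central qld.gov.au reporting addresses. The zone data is constructed inline and the domain names are hypothetical; in practice the records would be fetched from DNS. It also flags the copy-paste mistake of an en dash in "-all", which makes the SPF record invalid.

```python
"""Offline checker for the Queensland Government DMARC end-state records.

Added example, not code from the page. Sample zone data below is constructed;
replace it with real TXT answers from a resolver when checking a live domain.
"""

EXPECTED_RUA = "mailto:dmarc-qldgov@qld.gov.au"
EXPECTED_RUF = "mailto:dmarc-qldgov-forensic@qld.gov.au"

# Constructed sample TXT records keyed by owner name (hypothetical domains).
SAMPLE_ZONES = {
    # Compliant email-sending domain in the end state from the table above.
    "good.example.qld.gov.au": {
        "good.example.qld.gov.au": "v=spf1 include:spf.protection.outlook.com -all",
        "*.good.example.qld.gov.au": "v=spf1 -all",
        "selector1._domainkey.good.example.qld.gov.au": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
        "_dmarc.good.example.qld.gov.au": (
            "v=DMARC1; p=reject; sp=reject; fo=1; "
            "rua=mailto:dmarc-qldgov@qld.gov.au; "
            "ruf=mailto:dmarc-qldgov-forensic@qld.gov.au"
        ),
    },
    # Domain still in monitoring mode, with a copy-pasted en dash in its SPF.
    "weak.example.qld.gov.au": {
        "weak.example.qld.gov.au": "v=spf1 include:spf.protection.outlook.com \u2013all",
        "_dmarc.weak.example.qld.gov.au": "v=DMARC1; p=none; rua=mailto:reports@vendor.example",
    },
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC or DKIM record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record, sends_mail):
    """Findings for one SPF TXT record; sends_mail=False demands 'v=spf1 -all'."""
    if record is None:
        return ["SPF: no TXT record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    terms = terms[1:]
    findings = []
    if any("\u2013" in t or "\u2014" in t for t in terms):
        findings.append("SPF: en/em dash found; qualifiers must use ASCII '-' (-all)")
    if not terms or terms[-1].lower() != "-all":
        findings.append("SPF: record must end with -all (hard fail)")
    if not sends_mail and [t.lower() for t in terms] != ["-all"]:
        findings.append("SPF: non-sending domain must publish exactly 'v=spf1 -all'")
    return findings


def check_dmarc(record):
    """Findings for the _dmarc TXT record against the end-state policy."""
    if record is None:
        return ["DMARC: no _dmarc TXT record published"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    if tags.get("p") != "reject":
        findings.append("DMARC: p=%s; end state is p=reject" % tags.get("p", "<missing>"))
    # sp defaults to p when absent, so a missing sp is fine only if p is already reject.
    subdomain_policy = tags.get("sp", tags.get("p"))
    if subdomain_policy != "reject":
        findings.append("DMARC: sp=%s; end state is sp=reject" % subdomain_policy)
    if tags.get("fo") != "1":
        findings.append("DMARC: fo=1 expected (report when any mechanism fails)")
    for tag, expected in (("rua", EXPECTED_RUA), ("ruf", EXPECTED_RUF)):
        addresses = [a.strip() for a in tags.get(tag, "").split(",") if a.strip()]
        if expected not in addresses:
            findings.append("DMARC: %s must include %s" % (tag, expected))
    return findings


def check_dkim(zone, domain):
    """Findings for any published DKIM selectors (DKIM itself is optional)."""
    findings = []
    suffix = "._domainkey." + domain
    for name, record in zone.items():
        if name.endswith(suffix):
            tags = parse_tags(record)
            if tags.get("v") != "DKIM1" or not tags.get("p"):
                findings.append("DKIM: %s must carry v=DKIM1 and a non-empty p= key" % name)
    return findings


def check_zone(zone, domain, sends_mail=True):
    """All findings for one agency domain; an empty list means end-state compliant."""
    findings = check_spf(zone.get(domain), sends_mail)
    wildcard = zone.get("*." + domain)
    if wildcard is None:
        findings.append("SPF: wildcard *.%s TXT 'v=spf1 -all' is missing" % domain)
    else:
        findings += ["wildcard " + f for f in check_spf(wildcard, sends_mail=False)]
    if sends_mail:
        findings += check_dkim(zone, domain)
    findings += check_dmarc(zone.get("_dmarc." + domain))
    return findings


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        findings = check_zone(zone, domain)
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it as-is to see the compliant domain pass and the interim domain produce findings for the en dash, the missing wildcard record, p=none and the vendor-addressed reports. Pass sends_mail=False for a non-email sending domain so that the checker also requires the bare "v=spf1 -all" at the apex.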