DMARC Configuration: Preparing Your Domain for Strict Email Security

    Audience:

    IT Administrators / DNS Managers 

    Purpose:

    To meet mandatory sender requirements from Google and Yahoo and prevent your domain from being used for email spoofing.

    The Context

    In 2024, major email providers (Google, Yahoo, Apple) introduced a "No Authentication, No Entry" policy. If your domain does not have a DMARC record, your emails—including legitimate appointment confirmations—are at high risk of being rejected or sent straight to spam.

    DMARC acts as the final judge. It tells receiving servers what to do if an email claims to be from your clinic but fails the security checks (SPF/DKIM).

    1. The "Safe" Starting Configuration (p=none)

    We recommend starting with a "Monitoring Only" policy. This ensures that legitimate emails are never blocked, but it allows you to start collecting data on who is sending email on your behalf.

    Action: Add the following TXT Record to your DNS settings.

    • Host / Name: _dmarc

    • Value: v=DMARC1; p=none; rua=mailto:admin@your-clinic-domain.com

    (Note: Replace admin@your-clinic-domain.com with the IT email address where you want to receive daily security reports.)

    2. Why Start with p=none?

    Setting the policy to none is the industry standard for the first phase of implementation.

    • Risk-Free: It tells Google/Microsoft: "If an email fails security checks, let it through anyway, but tell me about it in a report."

    • Visibility: It helps you identify unauthorized services (shadow IT) sending mail as your domain before you lock the door.

    3. Moving to Enforcement (p=reject)

    Once we have confirmed (via the reports) that only valid sources like Brevo and your Office 365/Google Workspace are sending mail, we will advise you to update the record to p=reject.

    Important: Do not set your policy to quarantine or reject immediately without a monitoring period, as this can accidentally block your own legitimate emails if a configuration is missing.

    4. How to verify it is working

    After adding the record, you can verify it using a free tool like MXToolbox or Dmarcian.

    1. Enter your domain (e.g., kronborgtand.dk).

    2. Look for the green status check next to "DMARC Policy".

    3. Ensure the tag reads p=none.

    Published