Implement the DMARC Analysis service

Learn about what steps you need to take and what resources and support are available to help you deploy and configure the DMARC analyser service within your agency.

The Cyber Security Unit (CSU) recommends that agencies adopt a safe, iterative enforcement strategy which prioritises email delivery over domain protection in order to prevent false positives during the policy deployment process.

You can achieve this by following the steps outlined in the DMARC overview guide from the Australian Cyber Security Centre (ACSC) as a starting point, then progressing to the implementation guides and steps below.

Start-up guides to the deployment process from Mimecast:

Configuration for the Queensland Government

The DNS records below are specific to Queensland Government agencies and represent the ‘end state’ best practice for agency DMARC records. Because the RUA and RUF addresses point at the central qld.gov.au mailboxes, this approach also removes the need to manually modify the target RUA and RUF email addresses if the DMARC analysis service vendor changes.

Summary for email sending domains

DNS Record | Comment
agencydomain.qld.gov.au. TXT "v=spf1 <server list> -all" | <server list> is the list of servers authorised to send email for the domain; "-all" hard-fails everything else
*.agencydomain.qld.gov.au. TXT "v=spf1 -all" | "No server" SPF for subdomains that do not send email
<selector>._domainkey.agencydomain.qld.gov.au. TXT "v=DKIM1; k=rsa; p=<public key>" | Publish the DKIM public key if DKIM is configured
_dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Domain DMARC record


Summary for non-email sending domains

DNS Record | Comment
agencydomain.qld.gov.au. TXT "v=spf1 -all" | Domain nil SPF: no valid servers
*.agencydomain.qld.gov.au. TXT "v=spf1 -all" | Subdomain wildcard nil SPF
_dmarc.agencydomain.qld.gov.au. TXT "v=DMARC1; p=reject; sp=reject; fo=1; rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au" | Tells receiving mail servers to reject any email claiming to come from this domain or its subdomains
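As an added example (not a tool from the page or from the Queensland Government), the following Python checks a zone's TXT records against the end-state records in the two tables above. It runs offline on a constructed dictionary standing in for DNS lookups; the IP address, selector name and DKIM key value are placeholders, and both sample zones are made up.

```python
"""Offline check of a zone's SPF, DKIM and DMARC TXT records against the
end-state records in the tables above. Added example; the DNS data is a
constructed dict standing in for real TXT lookups."""

# Report addresses taken from the end-state DMARC record in the tables.
EXPECTED_RUA = "mailto:dmarc-qldgov@qld.gov.au"
EXPECTED_RUF = "mailto:dmarc-qldgov-forensic@qld.gov.au"


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(name, txt, sends_mail):
    """A sending domain must list servers and end in hard-fail '-all';
    a non-sending domain or wildcard must be exactly 'v=spf1 -all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [f"{name}: not an SPF record"]
    findings = []
    if terms[-1] != "-all":
        findings.append(f"{name}: SPF must end with '-all', found {terms[-1]!r}")
    if sends_mail and len(terms) < 3:
        findings.append(f"{name}: sending domain lists no servers")
    if not sends_mail and terms != ["v=spf1", "-all"]:
        findings.append(f"{name}: non-sending record must be exactly 'v=spf1 -all'")
    return findings


def check_dmarc(name, txt):
    """Compare a DMARC record with the end-state policy from the tables."""
    t = parse_tags(txt)
    if t.get("v") != "DMARC1":
        return [f"{name}: not a DMARC record"]
    findings = []
    if t.get("p") != "reject":
        findings.append(f"{name}: p={t.get('p')}, end state is p=reject")
    # sp defaults to p when absent, so check the effective subdomain policy
    if t.get("sp", t.get("p")) != "reject":
        findings.append(f"{name}: effective subdomain policy is not reject")
    if t.get("fo") != "1":
        findings.append(f"{name}: fo=1 missing (forensic report on any failure)")
    if t.get("rua") != EXPECTED_RUA:
        findings.append(f"{name}: rua is not {EXPECTED_RUA}")
    if t.get("ruf") != EXPECTED_RUF:
        findings.append(f"{name}: ruf is not {EXPECTED_RUF}")
    return findings


def check_zone(zone, records, sends_mail):
    """records maps owner name (with trailing dot) to its TXT value."""
    findings = []
    apex, wild, dmarc = f"{zone}.", f"*.{zone}.", f"_dmarc.{zone}."
    findings += check_spf(apex, records[apex], sends_mail) if apex in records else [f"{apex}: apex SPF missing"]
    findings += check_spf(wild, records[wild], False) if wild in records else [f"{wild}: wildcard SPF missing"]
    findings += check_dmarc(dmarc, records[dmarc]) if dmarc in records else [f"{dmarc}: DMARC record missing"]
    selectors = [n for n in records if n.endswith(f"._domainkey.{zone}.")]
    for sel in selectors:
        t = parse_tags(records[sel])
        if t.get("v") != "DKIM1" or not t.get("p"):
            findings.append(f"{sel}: DKIM record must carry v=DKIM1 and a public key")
    if sends_mail and not selectors:
        findings.append(f"{zone}: sending domain publishes no DKIM selector")
    return findings


# Constructed zone matching the "email sending domains" table (key is a placeholder).
GOOD_ZONE = {
    "agencydomain.qld.gov.au.": "v=spf1 ip4:203.0.113.10 -all",
    "*.agencydomain.qld.gov.au.": "v=spf1 -all",
    "sel1._domainkey.agencydomain.qld.gov.au.": "v=DKIM1; k=rsa; p=<public key placeholder>",
    "_dmarc.agencydomain.qld.gov.au.": "v=DMARC1; p=reject; sp=reject; fo=1; "
        "rua=mailto:dmarc-qldgov@qld.gov.au; ruf=mailto:dmarc-qldgov-forensic@qld.gov.au",
}

# Constructed zone still in the monitoring stage, with common gaps.
WEAK_ZONE = {
    "agencydomain.qld.gov.au.": "v=spf1 ip4:203.0.113.10 ~all",
    "_dmarc.agencydomain.qld.gov.au.": "v=DMARC1; p=none; rua=mailto:reports@vendor.invalid",
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("weak", WEAK_ZONE)):
        print(label, check_zone("agencydomain.qld.gov.au", zone, sends_mail=True) or ["OK"])
```

Swap the constructed dictionaries for real TXT lookups (for example with dnspython) to run this against an agency zone; pass sends_mail=False for domains covered by the non-sending table so the apex SPF is held to the nil record.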

Microsoft Office 365

For agencies using Microsoft Office 365 as their primary email platform, follow guidance from Microsoft for configuring DMARC.

Vision6 – Marketing Email Service

Vision6 is used across several agencies for community engagement, outreach, marketing and awareness campaigns. Agencies should implement Vision6’s recommended SPF, DKIM and DMARC configuration.

Third-party email service configuration

An agency’s domain might be blacklisted if a third party’s email service is abused by attackers or generates a large number of bounced emails. Agencies should perform a risk assessment for all third-party email services and adopt one of the following strategies, listed in descending order of preference, to mitigate these risks.

Delegate a sub-domain to the service, e.g. ‘comms.agencydomain.qld.gov.au’ for marketing and community outreach email sent through services such as Vision6.

Alternatively, or in addition to the above, use a unique DKIM key for the third-party service. This key must only be used for email from that service and must not be reused for any other outbound email flow. A valid DKIM signature for the agency domain allows the email to pass DMARC.

Troubleshooting third-party email services

In rare cases, if the third-party email service prescribes and supports it, you can configure the service to rewrite the ‘5322.From’ email address (the one the user sees) to a valid email address at the vendor, with the same organisational domain as the envelope ‘5321.MailFrom’ address.

The email will then pass SPF and SPF alignment and/or DKIM, and therefore DMARC validation, and the service appends a Reply-To email address for the agency contact sending the email, e.g.:

It’s important to note that, while this approach is valid, such emails can appear to recipients as a phishing attempt, because the ‘From’ address is an external address rather than the sending agency.

If directed by the third-party vendor, include the vendor’s SPF record in the agency’s SPF entry so that SPF passes.
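Each of the strategies above works by making at least one authenticated identifier align with the ‘5322.From’ domain under DMARC's relaxed alignment. As an added example (not code from the page or from any vendor it names), the following Python evaluates the DMARC outcome for each pattern; the public-suffix set, the vendor domain names and the message scenarios are constructed assumptions, and a real evaluator would load the full Public Suffix List.

```python
"""Relaxed-alignment DMARC evaluation for the third-party sending patterns
described above. Added example; suffix list and scenarios are constructed."""

# Constructed stand-in for the Public Suffix List: just enough suffixes for
# the scenarios below.
PUBLIC_SUFFIXES = {"qld.gov.au", "gov.au", "com.au", "au", "com", "invalid"}


def org_domain(domain):
    """Organisational domain: one label more than the longest matching public
    suffix, e.g. comms.agencydomain.qld.gov.au -> agencydomain.qld.gov.au."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organisational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def policy_domain(msg):
    """The DMARC policy consulted is the one published for the From org domain."""
    return org_domain(msg["from"])


def dmarc_result(msg, aspf="r", adkim="r"):
    """msg keys: 'from' (5322.From domain), 'mailfrom' (5321.MailFrom domain),
    'spf_pass' (bool), 'dkim_pass_domains' (d= values whose signature verified).
    Returns (verdict, reason)."""
    if msg["spf_pass"] and aligned(msg["mailfrom"], msg["from"], aspf):
        return "pass", "SPF pass with aligned MailFrom"
    for d in msg["dkim_pass_domains"]:
        if aligned(d, msg["from"], adkim):
            return "pass", f"DKIM pass with aligned d={d}"
    return "fail", "no aligned SPF or DKIM pass"


# Constructed scenarios; vendor.invalid is a placeholder for a third-party service.
SCENARIOS = {
    # Delegated sub-domain: the vendor sends from it and its SPF lists the vendor.
    "delegated_subdomain": {
        "from": "comms.agencydomain.qld.gov.au", "mailfrom": "comms.agencydomain.qld.gov.au",
        "spf_pass": True, "dkim_pass_domains": [],
    },
    # Unique DKIM key: vendor bounce domain is not aligned, but the agency-domain
    # signature made with the vendor-only key is.
    "unique_dkim_key": {
        "from": "agencydomain.qld.gov.au", "mailfrom": "bounce.vendor.invalid",
        "spf_pass": True, "dkim_pass_domains": ["agencydomain.qld.gov.au"],
    },
    # Rewritten From: both identifiers sit at the vendor, so the vendor's DMARC
    # policy applies and the agency contact only appears in Reply-To.
    "rewritten_from": {
        "from": "notify.vendor.invalid", "mailfrom": "bounce.vendor.invalid",
        "spf_pass": True, "dkim_pass_domains": [],
    },
    # Vendor SPF included in the agency record: MailFrom stays at the agency.
    "vendor_in_agency_spf": {
        "from": "agencydomain.qld.gov.au", "mailfrom": "agencydomain.qld.gov.au",
        "spf_pass": True, "dkim_pass_domains": [],
    },
    # Unmanaged vendor: SPF passes for the vendor's own domain only and the DKIM
    # signature is the vendor's, so nothing aligns and p=reject bounces the mail.
    "unmanaged_vendor": {
        "from": "agencydomain.qld.gov.au", "mailfrom": "bounce.vendor.invalid",
        "spf_pass": True, "dkim_pass_domains": ["vendor.invalid"],
    },
}


def evaluate_all():
    """Verdict per scenario name."""
    return {name: dmarc_result(m)[0] for name, m in SCENARIOS.items()}


if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:22} policy@{policy_domain(msg):28} {dmarc_result(msg)}")
```

The ‘unmanaged_vendor’ case is the one the risk assessment is meant to surface: the vendor's own SPF and DKIM both pass, yet the message still fails DMARC for the agency domain because neither identifier aligns with the ‘5322.From’ domain.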

Additional guidance on how to configure third-party email services can be found at: