Enforcing DMARC policies on incoming email - Amazon WorkMail

Domain owners publish email authentication records in DNS to protect recipients from common attacks such as spoofing and phishing. One of these is the DMARC TXT record, published at _dmarc.<domain> by the owner of the domain that sends the email. The record carries a policy (p=none, p=quarantine, or p=reject) that tells receiving mail servers what to do with a message that fails the DMARC check, that is, a message whose SPF or DKIM result does not align with the domain in the From header. You can choose whether Amazon WorkMail enforces the sender's DMARC policy on email delivered to your organization.
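To make the policy mechanics concrete, the following added example (not code from the Amazon WorkMail documentation) parses a DMARC TXT record and evaluates a message against it the way a receiving server does: SPF or DKIM must pass and be aligned with the From domain, otherwise the p= policy (or sp= for subdomains) applies. The sample records and authentication results are constructed, and organizational-domain detection is simplified to the last two labels instead of the Public Suffix List; the pct= sampling tag is parsed but not applied.

```python
"""Added example: parse and evaluate a DMARC record (simplified from RFC 7489).
Not part of the Amazon WorkMail documentation. Sample records are constructed."""

from dataclasses import dataclass

# Constructed sample records, as a domain owner would publish them at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=r",
    "example.org": "v=DMARC1; p=none; sp=reject",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults.
    Raises ValueError for anything that is not a usable DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # parsed only; sampling is not applied here
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p=
    return tags


def is_valid_dmarc(record: str) -> bool:
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels). Assumption for
    illustration; production code must use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM / HELO)
    dkim_pass: bool
    dkim_domain: str   # d= of a verified DKIM signature, "" if none


def evaluate(record: str, r: AuthResults, policy_domain: str) -> tuple:
    """Return (verdict, action): verdict is PASS/FAIL, action is none/quarantine/reject.
    policy_domain is the domain at which the record was found."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and bool(r.dkim_domain) and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "PASS", "none"
    # sp= applies when the From domain is below the domain that published the record.
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    return "FAIL", (tags["sp"] if is_subdomain else tags["p"])


if __name__ == "__main__":
    msg = AuthResults("news.example.org", False, "other.example", False, "")
    print(evaluate(SAMPLE_RECORDS["example.org"], msg, "example.org"))
```

Note that under the strict adkim=s setting in the example.net record a DKIM signature from mail.example.net does not align with a From of example.net, which is exactly the kind of sender misconfiguration that turns into dropped or quarantined mail once a receiver such as WorkMail enforces the policy.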

New Amazon WorkMail organizations have DMARC enforcement turned on by default.

To turn on DMARC enforcement

  1. Open the Amazon WorkMail console at https://console.aws.amazon.com/workmail/.

  2. For Organizations, choose the name of your organization.

  3. In the navigation pane, choose Organization settings.

  4. Choose Advanced.

  5. For Inbound DMARC Settings, choose Edit.

  6. For DMARC enforcement, select On.

  7. Select the acknowledgment check box.

  8. Choose Save.

To turn off DMARC enforcement

  • Follow steps 1-8 in the previous section, but for step 6, choose Off instead of On.

Using email event logging to track DMARC enforcement

Turning on DMARC enforcement might result in inbound emails being dropped (when the sender's policy is p=reject) or marked as spam (p=quarantine), depending on how the sender configured their domain. If a sender misconfigures their email domain, your users might stop receiving legitimate emails from it. To check for emails that aren't being delivered to your users, you can enable email event logging for your Amazon WorkMail organization. Then you can query your email event logs for inbound emails that failed the DMARC check and see which sender policy applied to them.

Before you use email event logging to track DMARC enforcement, enable email event logging in the Amazon WorkMail console. To get the most out of your log data, allow some time to pass while email events are logged. For more information and instructions, see Turning on email event logging.

To use email event logging to track DMARC enforcement

  1. Open the CloudWatch console. In the navigation pane, under Logs, choose Logs Insights.

  2. For Select log group(s), select your Amazon WorkMail organization's log group. For example, /aws/workmail/events/organization-alias.

  3. Select a time period to query.

  4. Enter the following query, which keeps only events that failed the DMARC check and counts them by the sender's DMARC policy:

     filter event.dmarcVerdict == "FAIL" | stats count() by event.dmarcPolicy

  5. Choose Run query.
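To show what that query does, and how to go one step further to the sender domains that are actually losing mail, the following added example (not code from the Amazon WorkMail documentation) reproduces the grouping offline over constructed email event log records, so it runs without an AWS account. It assumes each log record is one JSON document with the fields under "event"; event.dmarcVerdict and event.dmarcPolicy are the fields the page queries, while the other field names (eventName, sender, recipients, subject) and the upper-case policy values are assumptions made for illustration.

```python
"""Added example: offline equivalent of
    filter event.dmarcVerdict == "FAIL" | stats count() by event.dmarcPolicy
over constructed Amazon WorkMail email event log lines. Not part of the
WorkMail documentation; field names beyond dmarcVerdict/dmarcPolicy are assumed."""

import json
from collections import Counter

# Constructed sample log lines, not captured from a real organization.
SAMPLE_LOG_LINES = [
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "alerts@example.com", "recipients": ["alice@corp.example"], "subject": "Nightly build", "dmarcVerdict": "PASS", "dmarcPolicy": "REJECT"}}',
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "billing@partner.example", "recipients": ["bob@corp.example"], "subject": "Invoice 1042", "dmarcVerdict": "FAIL", "dmarcPolicy": "REJECT"}}',
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "billing@partner.example", "recipients": ["alice@corp.example"], "subject": "Invoice 1043", "dmarcVerdict": "FAIL", "dmarcPolicy": "REJECT"}}',
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "support@vendor.example", "recipients": ["bob@corp.example"], "subject": "Ticket update", "dmarcVerdict": "FAIL", "dmarcPolicy": "QUARANTINE"}}',
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "news@newsletter.example", "recipients": ["alice@corp.example"], "subject": "Weekly digest", "dmarcVerdict": "FAIL", "dmarcPolicy": "NONE"}}',
    '{"event": {"eventName": "ORGANIZATION_EMAIL_RECEIVED", "sender": "hr@corp.example", "recipients": ["bob@corp.example"], "subject": "Benefits", "dmarcVerdict": "PASS", "dmarcPolicy": "QUARANTINE"}}',
    'this line is not JSON and must be skipped',
]


def parse_events(lines):
    """Return the "event" object of every well-formed JSON log line; skip the rest."""
    events = []
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev = doc.get("event") if isinstance(doc, dict) else None
        if isinstance(ev, dict):
            events.append(ev)
    return events


def dmarc_failures_by_policy(events):
    """Same grouping as the Logs Insights query: FAIL verdicts counted per sender policy."""
    return Counter(
        str(ev.get("dmarcPolicy", "UNKNOWN")).upper()
        for ev in events
        if str(ev.get("dmarcVerdict", "")).upper() == "FAIL"
    )


def affected_senders(events):
    """Sender domains whose mail is actually lost: FAIL under QUARANTINE or REJECT.
    A FAIL under a NONE policy is still delivered, so it is not counted here."""
    counts = Counter()
    for ev in events:
        if str(ev.get("dmarcVerdict", "")).upper() != "FAIL":
            continue
        if str(ev.get("dmarcPolicy", "")).upper() not in ("QUARANTINE", "REJECT"):
            continue
        sender = str(ev.get("sender", ""))
        domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else "unknown"
        counts[domain] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("DMARC failures by sender policy:")
    for policy, n in dmarc_failures_by_policy(evs).most_common():
        print(f"  {policy:<11} {n}")
    print("Sender domains losing mail (FAIL with quarantine/reject):")
    for domain, n in affected_senders(evs).most_common():
        print(f"  {domain:<20} {n}")
```

The per-domain view is the one to act on: a domain that repeatedly fails under p=reject is either a spoofing source or a partner whose SPF/DKIM setup is broken, and only the second case is worth an allow-list conversation or a note to the sender's administrators.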

You can also set up custom metrics for these events. For more information, see Creating metric filters.