In our first blog post of this series, we focused on visibility and knowing who is sending on your behalf. In the second blog post, we tackled sender configuration, where you decide which senders you want to enable.
With both of our solutions, Valimail Monitor and Enforce, our ultimate goal is to get you to the finish line of brand protection. If you’re at this point in the race with Monitor, you’ve taken on the configuration yourself and will set up your DMARC policy manually. If you have been using Enforce, then setting up your DMARC policy is as easy as the click of a button.
Race stage three: Setting your DMARC policy to enforcement
Once all of your sender configurations are set on your top-level domain and subdomains, you are ready to move to a quarantine policy. The end goal for implementing DMARC for a domain will always be getting to “enforcement,” meaning setting the DMARC policy to p=quarantine or p=reject. Ultimately, you don’t want to let an email that doesn’t pass authentication checks reach the inbox. A DMARC policy of quarantine means that unauthenticated mail sent on behalf of your domain will be delivered to the recipient’s spam folder instead of the inbox.
If the DMARC policy is set to reject, unauthenticated mail will be rejected by the recipient’s email gateway, and the sender may also receive a bounce-back message telling them that the email was not delivered.
With Valimail Enforce, you will analyze the data on the “Authentication Report” to determine if it is now safe to move up to a DMARC policy of quarantine or reject for that domain. Ideally, all of the authorized sending services should have a DMARC pass rate of as close to 100% as possible. This also applies to emails originating from internal sources. Look to see which sending services are in the “Mostly Passing” column of the “Authentication Report.”
Please note that for email services that send significant amounts of email, it is almost impossible to have a 100% DMARC pass rate because there will always be a small number of inbox providers or mailbox services that route the email in a way that can break authentication. The same goes for email services that only support SPF authentication since forwarding can break SPF authentication. It is unlikely that these services will always have a 100% DMARC pass rate.
Keep in mind that the recipient’s email gateway is the one deciding whether or not an email should be delivered or marked as spam. In rare cases, the recipient’s email gateway may not be set up to check for DMARC results, in which case they will accept all emails, even unauthenticated ones.
With this in mind, we recommend that you first switch the DMARC policy to p=quarantine and continue monitoring the email traffic to look out for potential senders that may have been missed in the discovery process. This may be the time that any previously unidentified service owners may come forward if their email flow has been impacted.
After two to three weeks, if there are no reports of impact on email flow and no new service owners have come forward, you can switch the domain policy to p=reject.
Setting the policy to reject is recommended but not mandatory for your domain to be considered at DMARC enforcement unless you are a federal agency. You may choose to stick with a policy of quarantine if that best suits your organization’s needs, knowing that unauthenticated emails will not be getting to recipients’ inboxes, but rather to their spam or junk mail folders. Alternatively, if your organization’s email environment is fairly simple and you are confident in the way it is set up, you can set the policy to reject and skip the quarantine phase.
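The staged rollout above depends on reading aggregate (rua) reports per sending source. The following added example (not Valimail's code or data) parses a constructed DMARC aggregate report, computes the aligned DMARC pass rate per source IP, and recommends the next policy stage only when every configured sender is "mostly passing"; the AUTHORIZED set, the 95% threshold and the sample report are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report in RFC 7489 layout, not real data.
SAMPLE_RUA = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>980</count><policy_evaluated>
<dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>20</count><policy_evaluated>
<dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count><policy_evaluated>
<dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Sending services the domain owner has configured (assumed list, not the page's).
AUTHORIZED = {"192.0.2.10"}

def pass_rates(xml_text):
    """Return {source_ip: (passed, total)}. A message passes DMARC when either
    aligned DKIM or aligned SPF passed, so SPF broken by forwarding still
    passes as long as the DKIM signature survived."""
    stats = defaultdict(lambda: [0, 0])
    for row in ET.fromstring(xml_text).iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        stats[ip][1] += count
        if "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            stats[ip][0] += count
    return {ip: tuple(v) for ip, v in stats.items()}

def assess(current, rates, authorized=AUTHORIZED, threshold=0.95):
    """Recommend the next stage (none -> quarantine -> reject) only if every
    authorized source is mostly passing (threshold is an assumed value);
    unknown sources that fail are flagged for investigation, since each is
    either a sender missed during discovery or someone spoofing the domain."""
    ladder = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}
    blockers = [ip for ip in authorized
                if ip not in rates or rates[ip][0] / rates[ip][1] < threshold]
    investigate = [ip for ip, (p, t) in rates.items()
                   if ip not in authorized and p < t]
    recommended = current if blockers else ladder[current]
    return {"recommended": recommended, "blockers": blockers,
            "investigate": investigate}

if __name__ == "__main__":
    r = pass_rates(SAMPLE_RUA)
    for ip, (p, t) in r.items():
        print(f"{ip}: {p}/{t} passed ({100 * p / t:.1f}%)")
    print(assess("none", r))
```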
Speed Boost #1: Enforce allows you to set your DMARC policy with the click of a button without needing manual DNS changes
In addition, Enforce customers have access to Valimail’s hands-on, highly-rated customer support team right in the app. We’re here to help you on your journey to DMARC enforcement.
Potential speed trap for Monitor users: Risk of blocking good email
When trying to get to DMARC enforcement manually, you will commonly need to make dozens (or sometimes hundreds) of DNS changes as you work toward fully configuring SPF, DKIM, and DMARC. Due to the critical nature of DNS, many organizations have strict change control processes that add days or weeks of delay for every DNS change. Once a change has been made, the effects of a DNS update might not appear for days, and you won’t know if you’ve broken something until complaints start rolling in.
For every sending service, you will have to repeat this cycle. In the meantime, every new service you onboard will be blocked by your own DMARC policy until the DNS change control process is complete. For example, if you’ve switched payroll vendors, you’ll need to update SPF, DKIM, and DMARC records to add the new service and remove the old one. Until the next DNS update, your DMARC policy will allow email from the old payroll service to be sent from your domain and will block email from your new payroll service.
Even if you have reached DMARC enforcement using DIY solutions and manual processes, it can be difficult to stay there. Manual configuration will always be tedious and error-prone. If you configure SPF, DKIM, and DMARC incorrectly, good email will get blocked, and you will need to move back out of enforcement.
If you are reliant on manual DNS updates, you could end up facing change window delays that could be days or weeks for each update. This is why some organizations never reach enforcement or, if they do, are unable to stay there.
Finish line: DMARC enforcement means your brand is protected
If you made it to the end of the race, congratulations! Your organization’s email domain is now at DMARC enforcement, and you’re getting the benefits of email authentication, including:
- Improved security against phishing and spoofing
- Increased trust and credibility
- Enhanced reputation and brand image
- Improved email delivery rates
Race to DMARC enforcement results:
Valimail Enforce – 1st place
Valimail Monitor – 2nd place
In summary, with Monitor, you’ll have to do the manual setup to get your policy to DMARC enforcement and be careful not to make DNS errors. With Enforce, you can have peace of mind because it provides continuous protection by authenticating your email in real time and proactively alerting you of changes so you can ensure good email never gets blocked.
The race is actually not over because staying at DMARC enforcement is the next challenge. In our final blog of this series, we’ll discuss how you can stay in the winners’ circle. You’ll also learn how to stand out in the inbox by adding your logo to every email. Now that you’re at DMARC enforcement, you can take advantage of BIMI.
Interested in learning more about Enforce?
Wendy Bloechle, Director of Product Marketing at Valimail