In the first blog post of this series, we focused on visibility and knowing who is sending on your behalf. Now, we’ll move on to the second leg of the race—Sender Configuration.
We offer two solutions: Valimail Monitor and Enforce. Our ultimate goal is to get to the finish line of brand protection. With Monitor, you will need to configure it yourself, while with Enforce, it is automated, quick, and simple.
Race stage two: Authorizing sending services
Many organizations that attempt to get to DMARC enforcement are afraid to set an enforcement policy because they’re not confident that they have identified all of the sending services. In fact, most DMARC vendors that rely on IP addresses only identify the top 2% of cloud services. This can end up blocking legitimate email if the service is not included in your DMARC policy.
Valimail’s patented Precision Sender Intelligence helps to identify thousands of sending services by name rather than IP address. This simplifies the authorization process to add or remove sending services without risking a compromise in email security. Getting this visibility is available in both Monitor and Enforce. By reviewing the data in the “Authentication Report” tab, you can get a clear idea of which entities are sending mail on behalf of your organization.
There are three main categories of senders:
- Sending services: These are all the vendors that Valimail could recognize as sending on behalf of your organization.
- Internal sources: These will mostly be your internal relay servers or emails that have been signed with one of the DKIM keys that you published for your domain.
- Unidentified senders: These are mostly emails that originate from IP addresses that Valimail does not associate with any known vendor and could potentially be malicious.
Once you’ve identified the sending services, Monitor users will need to reach out to the owners or managers of each sending service. At a large company with hundreds of people, this task could take months. Sometimes this can be a hassle as it requires you to ask around the organization – who is using this service? Your co-workers might not respond or don’t know.
Speed boost #1: Fast-track sender insights with Enforce
Valimail Enforce offers service owner insights, which help you automatically and quickly track down the owners of each sending service that your company utilizes.
With Enforce, adding and monitoring additional sending services is a breeze! Allowing you to rapidly identify and make quick decisions about those sending sources, to secure your domain quickly.
Almost all sending services will show up automatically. Occasionally, you might need to add a new service to the “Enabled Senders” list on the Configuration page for your domain. You can also add DKIM keys as well, to enable Enforce to manage those keys for you.
The next step is to ensure that all traffic from the service is authenticated with SPF and/or DKIM (depending on which method the vendor supports) to ensure DMARC compliance.
Speed boost #2: Outpacing SPF challenges with Instant SPF
Enforce has unique and patented SPF technology, Instant SPF, that ensures your SPF record is dynamic, protected and also mitigates the SPF 10-lookup limit.
Our Instant SPF automation automatically manages the full collection of SPF records necessary to support all of your sending services – even if the full SPF record would otherwise result in more than ten DNS lookups (which would violate the SPF specification and cause deliverability issues). No fuss, no muss. We’ve got this!
Monitor automatically takes in DMARC reports and builds a view of sending services and geographic email sources found to help you get a snapshot of your domain’s use in the global email ecosystem.
While Monitor doesn’t have the automated sender configuration, DMARC policy management, or SPF record management features of Valimail Enforce, you’re still able to update DNS records as you normally would to add additional sending services to your SPF record and implement new DKIM keys with providers as needed. Be careful not to add so many services to your SPF record as to go over the 10-lookup limit of the SPF protocol. Too many lookups means inbox provider SPF checks could fail.
In summary, Monitor can help you quickly identify all senders and point out any bad actors. You’ll need to identify service owners and configure them on your own plus manage your SPF record and DKIM keys.
Race to configuration results:
Valimail Enforce – 1st place
Valimail Monitor – 2nd place
Depending on the complexity of your email ecosystem, you may want the service owner insights, one-click sender configuration, and always accurate SPF record provided by Enforce. However, both solutions provide the value of knowing all of the sending services sending email on your behalf.
In the next leg of the race, we’ll tackle how to manage your DMARC policy and the path to moving to enforcement.
Interested in learning more about Enforce?
Wendy Bloechle, Director of Product Marketing at Valimail
