Deploying DMARC can seem confusing and overwhelming at first. In our previous blog post on the topic, we talked about basic tips to keep in mind when deploying a DMARC record. In this post, we are going to share some of our knowledge and expertise to help you to not just publish the required DNS record, but also to deploy and keep your email domain protection aligned with the best practices in sender authentication.
1. Implement SPF Through Collaboration with All Departments in Your Company:
SPF is the protocol that allows you to validate IP addresses authorized for sending emails on behalf of your brand. It is highly recommended to check the validity of all senders authorized to send emails on your behalf to ensure that you’re getting the most efficiency and protection from DMARC. This means interacting with all departments in your company to obtain a full list of third-party marketers, OTP email notification providers, etc. This will allow you to know exactly who is sending legitimate email messages, and why.
2. Utilize DKIM Signatures:
The DKIM signature is an authentication mechanism that complements SPF. Its added benefit is that it allows you to assign a different signature (a separate selector and key pair) to each of your senders. Each signature is backed by a pair of keys that should be rotated periodically. Because the key pair can be updated for one sender at a time, individual DKIM signatures can be managed and rotated without changing the keys of all senders every time a single key needs to be replaced. Though using DKIM signatures isn’t strictly necessary for a successful DMARC implementation, it is recommended to do so. Our blog post about Implementing DKIM offers a step-by-step guide through the deployment process.
3. Implement a “p=none” Policy
A “p=none” DMARC policy requests no enforcement action, but it allows receiving mail servers (e.g. Google) to send you DMARC aggregate reports containing information about the emails being sent on behalf of your domains. A DMARC policy published in a domain’s public DNS also covers all subdomains of that domain, unless a subdomain publishes its own record or the parent record sets a separate subdomain policy (the “sp=” tag).
4. Ensure Parked Domains Are Covered by Your DMARC Policy
Parked domains are domains that differ from your original website URL but display the exact same website. They are often highly similar to a site’s actual domain name. Parked domains under your control, as well as domains that never send mail, should also be covered by a DMARC policy. If those domains remain unprotected, fraudsters see them as an open door and can take advantage of them for fraudulent activity.
5. Monitor DMARC Reports
After you have declared a DMARC policy, the next step is to monitor the information received through reports from Mail Transfer Agents. By processing and understanding those reports, you can get a detailed view of all email activity in your domain. This allows you to increase control of the email channel, and to strengthen the policy mode from none to reject.
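A small report-processing example to go with this step (added here, not part of the original post): it parses a DMARC aggregate report in the RFC 7489 XML format and shows, per sending IP, whether the mail was DMARC-aligned and how much volume a move to a stricter policy would affect. The report body, IP addresses and domain names are constructed sample data.

```python
# Summarize a DMARC aggregate (RUA) report. The XML is a constructed sample
# in the RFC 7489 aggregate-report format, not a report from a real receiver.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: {count, dmarc_pass, spf_auth_domain}} for each record.

    policy_evaluated/dkim and /spf are the *aligned* results, so a record
    passes DMARC when at least one of them is 'pass' (RFC 7489, section 4.2)."""
    root = ET.fromstring(report_xml)
    summary = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # The raw SPF domain explains an aligned-SPF failure: a third-party
        # sender can pass SPF for its own domain while From: says example.com.
        spf_domain = rec.findtext("auth_results/spf/domain")
        summary[ip] = {"count": count,
                       "dmarc_pass": "pass" in (dkim, spf),
                       "spf_auth_domain": spf_domain}
    return summary

def failing_volume(summary):
    # Messages that a move from p=none to p=quarantine/reject would affect.
    return sum(r["count"] for r in summary.values() if not r["dmarc_pass"])

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for ip, r in s.items():
        print(ip, r)
    print("messages affected by a stricter policy:", failing_volume(s))
```

In the sample, the second source passes SPF only for an unaligned third-party domain, which is exactly the kind of sender step 1 asks you to identify before tightening the policy.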
6. Align Your DMARC Policy to Your Organization’s Security Strategy
Once you have listed all your email and non-email domains and validated the authorized senders, the next step is to align the DMARC policy goal to your organization’s security strategy. This step is important, as not all businesses need to reject messages (p=reject), and only some will need to remain in monitor mode (p=none). This evaluation should be carried out with the help of an Email Authentication Expert – increasing DMARC security will benefit your company’s reputation, reduce risk, and lower the loss expectation derived from email impersonation, so it’s imperative that it is carried out properly.
By following these 6 tips, you can create a DMARC policy that provides the highest possible level of security for your organization while allowing you full transparency into the policy. By protecting your organization, you are also ensuring that your end users are protected from fraudulent or malicious emails sent on your behalf.
To learn more about DMARC, take a look at DMARC Compass by Easy Solutions.