How DMARC Can Facilitate GDPR Compliance

By now, you’ve undoubtedly read a lot of stories about how one technology or another is going to provide a magic solution for compliance with GDPR, the European privacy law that went into effect May 25.

This is not that kind of a post. GDPR is, frankly, extremely complicated, and there are no silver bullets. I’m not going to be all sunshine and rainbows about it: GDPR compliance is probably going to require a lot of time and a lot of lawyers. (And the definition of what GDPR compliance even means will probably change over the coming months and years, as various cases work their way through the courts.)

There is, however, one extremely useful tool you should add to your compliance toolkit: DMARC.

The value of DMARC for GDPR is quite simple: It provides visibility into all the services that are sending email in your name.

At a time when the average company uses 91 different cloud-based marketing tools — many of which send email “from” you — this is a handy thing to have.

That’s because GDPR requires you to have Data Processing Agreements (DPAs) with every cloud service provider that handles European consumers’ data on your behalf. And email addresses count as consumer data — not to mention any other data you might be sharing with a provider of email services, such as the names associated with those email addresses, open rates, tracking of any links the recipients might click on, etc.

The problem is that most companies have only a vague idea of which cloud services they use. Bob in Marketing might have set up an account with some Salesforce add-on years ago that no one outside his team is using and nobody in IT ever heard about. But meanwhile, it’s sending email to customers and prospects.

In most organizations, there’s no easy way to find all these “shadow IT” cloud services. But if they send email using your company’s domain name(s) in the From field, DMARC reveals them.

That’s because, once you have DMARC in place, you get reporting. If DMARC is correctly configured for your domains, every message with your domains in the “From” field that hits a DMARC-compliant mail gateway (which translates to 75% of all the inboxes in the world) will be recorded, by sending IP address, in an aggregate report (RUA) that gets sent back to you. These reports give you the data you need to identify the senders — and from there, to make sure your company has a DPA in place with each one.

For this purpose, DMARC can be set to a monitor-only policy (p=none). Although that provides no protection from email impersonation, it does allow companies to start collecting aggregate reports and gaining visibility.
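To make the reporting step concrete, here is an added example (not code from the original post or from Valimail) that reads one aggregate report in the XML format defined by RFC 7489 and turns it into the kind of sender inventory the DPA review needs: one row per source IP with aligned-pass and fail counts, plus whatever domains actually authenticated, which is usually the quickest hint about which third-party service sits behind an IP. The report, the IP addresses (from documentation ranges) and the `KNOWN` approved-sender inventory are all constructed for the example.

```python
"""Build a sending-source inventory from a DMARC aggregate (RUA) report.

Added example. The report below is constructed in the RFC 7489 Appendix C
format; it is not real reporting data. 192.0.2.0/24 and 198.51.100.0/24
are documentation address ranges.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>2018-05-26-constructed</report_id>
    <date_range><begin>1527292800</begin><end>1527379200</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>marketing-tool.example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>marketing-tool.example.org</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text):
    """Aggregate all <record> rows of one report by source IP."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when either DKIM or SPF is *aligned* with the From
        # domain; <policy_evaluated> already reflects alignment, whereas the
        # raw <auth_results> may show a pass for some other domain.
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        entry = sources.setdefault(ip, {"passed": 0, "failed": 0, "auth_domains": set()})
        entry["passed" if aligned else "failed"] += count
        # Every <domain> under a record lives in <auth_results>; a vendor's own
        # domain passing SPF is the usual clue to which service owns the IP.
        for d in rec.iter("domain"):
            if d.text:
                entry["auth_domains"].add(d.text.strip())
    for entry in sources.values():
        entry["auth_domains"] = sorted(entry["auth_domains"])
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"),
            "sources": sources}


def unreviewed_sources(summary, known_senders):
    """Source IPs seen in the report that are absent from the approved-sender
    inventory (a constructed mapping of IP -> service with a DPA on file)."""
    return sorted(ip for ip in summary["sources"] if ip not in known_senders)


if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    print(f"Report for {s['domain']} (published policy p={s['policy']})")
    for ip, e in sorted(s["sources"].items()):
        print(f"  {ip:15} pass={e['passed']:5} fail={e['failed']:5} "
              f"auth_domains={','.join(e['auth_domains']) or '-'}")
    KNOWN = {"192.0.2.10": "corporate mail gateway"}  # constructed inventory
    for ip in unreviewed_sources(s, KNOWN):
        print(f"  REVIEW: {ip} sends as {s['domain']} with no DPA on file")
```

Under a `p=none` policy the `disposition` stays `none` for every row, so the failing rows are exactly the shadow-IT candidates: here `198.51.100.7` sends 50 messages as `example.com`, authenticates only for `marketing-tool.example.org`, and is not in the inventory, which is the cue to find the owning team and the contract behind it. Real reports arrive zipped, one per reporting receiver per day, so the same summary is normally run over a directory of files and merged.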

And once you move your DMARC policy from simple visibility to enforcement (p=quarantine or p=reject), you can guarantee that only those senders with which you've signed a DPA will be authenticated and therefore able to send email on your behalf. That will then protect you from any unintended distribution or collection of data in your name.

Is DMARC a GDPR silver bullet? No. But it makes a key step in compliance a whole lot easier.


Editor's note: DMARC reports can be very difficult to parse. They’re essentially raw XML files listing senders by IP address. Valimail’s Service Identifier translates those into a much more readable list of services, and does it with great accuracy and detail. Valimail's free domain analysis shows this in action, and can give you a snapshot of exactly who is sending mail for you.

Finally, Valimail’s infrastructure is also GDPR-ready, Privacy Shield certified and SOC2 Type 2 compliant. And we handle no PII (personally identifiable information), so you’re not putting any customer data at risk when you use us to automate your DMARC deployment and management.


Flag photo by Rock Cohen/Flickr 

Seth is the director of industry initiatives for Valimail.