Valimail blog

How to use DMARC to help you implement DMARC

Author: Todd Herr

Many people in the software industry are familiar with the joke that says that the definition of the word “recursion” is “see recursion,” and the title of this article echoes that joke, but its message is serious: DMARC really can be used to assist you in doing a DMARC implementation for your domain.

A successful DMARC implementation requires that a domain or brand authenticate all of its mail streams and then publish a DMARC policy of “p=reject,” which we refer to here at Valimail as “being at DMARC enforcement.” When a domain is at enforcement, it has published a DMARC policy that requests that unauthenticated mail be rejected or quarantined by mail receivers that do DMARC validation checks. This ensures that the domain cannot be spoofed or otherwise impersonated by malicious actors using that domain in the “From” field of their messages.

Being at enforcement is a powerful weapon to use in defense of a domain, but it is one that can cause self-inflicted wounds. If a domain moves too quickly to enforcement before making sure it has got all of its mail streams authenticated, it can end up getting its own mail bounced, with all the problems that ensue from a failed send. The fear of such errors prevents many organizations from getting to enforcement, or perhaps even starting their journey to implement DMARC in the first place. We believe that fear is unfounded — if you know how to use DMARC effectively.

Most people understand DMARC’s policy feature, which gives a domain owner the ability to request treatment for mail that fails authentication, but that’s not all that DMARC is. The other key feature of DMARC is what’s called aggregate reporting, where entities that do DMARC validation and policy enforcement on inbound mail (usually large consumer mailbox providers) will also produce statistical reports showing the results of authentication checks. Per the DMARC specification, these reports should be sent to domain owners at least every 24 hours, and they’re sent to an email address that’s advertised in the domain owner’s DMARC DNS record.

The value of these reports for domain owners trying to understand their mail streams is enormous. In order to receive these reports, all one must do is publish a DMARC record with a policy of “p=none” and a rua tag pointing at a mailbox that can receive the reports. (It’s easier than you think: You really only need 3 basic DMARC tags to make a complete, correct DMARC record.)

The reports are XML documents, meant to be machine readable, and will contain counts of authentication result checks, grouped by sending IP address, authentication results, and the disposition of the messages (whether they were delivered, deleted, or sent to a spam folder). You can inspect these reports for IP addresses known to be in use by your organization, and if authentication failures are reported, you can then take steps needed to address those failures.
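The inspection step described above can be scripted. The following is an added example, not code from Valimail or the original article: it tallies DMARC pass/fail counts per sending IP from one aggregate report. It assumes the report is already decompressed and uses the RFC 7489 element names without an XML namespace; the sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
# IP addresses are from documentation ranges; example.com is a placeholder domain.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
</feedback>"""


def summarize(report_bytes):
    """Return {source_ip: {"pass": n, "fail": n, "dispositions": {...}}}."""
    # Reports are mailed in by third parties, so treat them as untrusted XML:
    # a genuine report needs no DTD, so refuse anything that declares one.
    if b"<!DOCTYPE" in report_bytes or b"<!ENTITY" in report_bytes:
        raise ValueError("unexpected DTD/entity declaration in report")
    root = ET.fromstring(report_bytes)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "dispositions": set()})
    for row in root.iter("row"):
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[row.findtext("source_ip")]
        entry["pass" if passed else "fail"] += count
        entry["dispositions"].add(evaluated.findtext("disposition"))
    return dict(summary)


def failing_sources(summary):
    """Source IPs that sent at least one message failing DMARC."""
    return sorted(ip for ip, entry in summary.items() if entry["fail"])


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip, entry in sorted(report.items()):
        print(ip, entry["pass"], entry["fail"], sorted(entry["dispositions"]))
    print("investigate:", failing_sources(report))
```

An IP listed by `failing_sources` is either one of your own senders that still needs SPF or DKIM set up, or someone else using your domain; under “p=none” both show a disposition of `none`, so the IP has to be matched against known services to tell them apart.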

Regular consumption of these reports over time, along with efforts to fix any authentication problems, can move the organization forward in its journey to enforcement.

In a complex organization, it can be a real challenge to audit all mail streams for authentication, no matter how dedicated the IT staff is to the task. This is especially onerous in the cloud era, when most of the email sent by most organizations does not originate from internal mail servers with known IP addresses, but from a variety of cloud-hosted services that might use any number of IP addresses. Identifying which services are sending mail “from” the domain is a critical step, and that can be especially daunting if all you have are IP addresses.

However, without knowing where all the mail streams are, you can’t put authentication in place. Although it may sound counterintuitive, DMARC is the best tool available to help you implement DMARC and eventually get to enforcement.

Published October 21, 2020
  • DMARC
  • DMARC enforcement
Author: Todd Herr
Todd Herr is a Senior Technical Program Manager at Valimail and a Messaging Area Co-Chair for the M3AAWG Technical Committee. He's been working in the email ecosystem since the previous millennium, and has been employed by companies across the email industry, including mailbox providers, senders, and various vendors. He thinks Spam is best served grilled on a block of rice, with both the Spam and the rice wrapped together with nori.