Email security is not a “one and done” project. Successful email authentication requires ongoing monitoring and maintenance in order to ensure that it is correct and up-to-date with all of your organization’s email-sending services.
If you can get authentication right, you can eliminate exact-domain spoofing attacks, blocking the most dangerous and hard-to-detect inbound phish.
This six-step approach to operationalizing email authentication through DMARC enforcement will help you to develop, communicate, and manage the authentication process across your organization.
Step 1: Gain DMARC visibility
DMARC generates a lot of valuable data. Publishing a DMARC record with p=none (also known as monitoring mode) will start the delivery of aggregate (RUA) reports that contain all of the information you need to gain a full understanding of your domain. From these reports, you will be able to build a full inventory of your email senders: legitimate, malicious, and unknown.
The problem? These reports are essentially a data dump of sender IP addresses into an XML file. To create a full map of your email-sending environment, you’ll need to dedicate resources to monitoring and analyzing those reports.
It’s important to dedicate the proper resources to this for a few reasons: First, monitoring these reports should occur over at least 30 days to make sure you identify all legitimate senders. That way when you move to DMARC enforcement, good emails aren’t blocked. Additionally, you’ll need to identify email senders that use a cloud service for sending their emails; for example, some marketing tools use email service providers (ESPs) that will register in RUA reports instead of the actual sender.
For example, YouCanBook.me uses SendGrid under the hood, meaning emails sent as YouCanBook.me could be categorized as emails sent by SendGrid. Not all senders use the same naming conventions so you’ll need time to match IPs or other identifiers with specific vendors to build an accurate list.
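The steps above (collect RUA reports, collapse them into a sender inventory, and work out which unaligned sources are a vendor sending on your behalf) can be done with a short parser. The following is an added example written for this article, not Valimail's or any receiver's code; the report XML, IP addresses, domains, and the "Example ESP" vendor mapping are all constructed, and only the element names follow the DMARC aggregate report schema.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (RUA) report with three sources. Record 2 mimics the
# YouCanBook.me/SendGrid situation from the text: the ESP authenticates its own
# domain, so raw DKIM/SPF pass but neither is aligned with the From domain.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-vendor.test</domain><result>pass</result></dkim>
      <spf><domain>esp-vendor.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>203-0-113-7.unknown.test</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Collapse one aggregate report into a per-source-IP inventory.

    DMARC passes when either DKIM or SPF passes *and* is aligned with the
    RFC5322.From domain; the receiver reports those aligned verdicts under
    row/policy_evaluated, so that is what decides pass/fail here.
    """
    root = ET.fromstring(xml_text)
    published_policy = root.findtext("policy_published/p")
    inventory = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        aligned = "pass" in (rec.findtext("row/policy_evaluated/dkim"),
                             rec.findtext("row/policy_evaluated/spf"))
        entry = inventory.setdefault(ip, {"pass": 0, "fail": 0, "auth_domains": set()})
        entry["pass" if aligned else "fail"] += count
        # Domains the receiver actually authenticated (DKIM d= / SPF envelope
        # domain): the main clue to which vendor sits behind an unaligned source.
        entry["auth_domains"].update(d.text for d in rec.findall("auth_results/*/domain"))
    return published_policy, inventory


def classify_sources(inventory, known_vendors):
    """Label each IP: aligned sources are fine; unaligned ones either match a
    vendor you recognise (fix alignment with that vendor before enforcement)
    or are unknown (investigate: a missed service or an impersonator)."""
    labels = {}
    for ip, entry in inventory.items():
        if entry["fail"] == 0:
            labels[ip] = "aligned"
            continue
        vendors = {known_vendors[d] for d in entry["auth_domains"] if d in known_vendors}
        labels[ip] = ("known-vendor: " + ", ".join(sorted(vendors))) if vendors else "unknown"
    return labels


def enforcement_impact(inventory):
    """Messages that would be quarantined/rejected if the policy moved off p=none today."""
    return sum(entry["fail"] for entry in inventory.values())


if __name__ == "__main__":
    policy, inventory = parse_rua(SAMPLE_RUA)
    print("published policy:", policy)
    for ip, label in classify_sources(inventory, {"esp-vendor.test": "Example ESP"}).items():
        print(ip, inventory[ip]["pass"], inventory[ip]["fail"], label)
    print("messages affected by enforcement:", enforcement_impact(inventory))
```

Run over a real month of reports, the "known-vendor" bucket is the list of services whose DKIM or SPF needs to be aligned with your domain, and the "unknown" bucket is what you must resolve (or deliberately leave to be blocked) before raising the policy.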
Step 2: Manage shadow IT and coordinate with internal stakeholders
Once you have a full view of your email ecosystem, it should be pretty easy to identify which senders on that list are (or should be) authorized. In the process, you’ll most likely uncover services that are not yet authorized by your IT staff, but which have a legitimate business purpose, referred to as “shadow IT.” You’ll need to find the business owners and end-users of these services to confirm that they should be allowed to continue sending email on the domain.
This is an opportunity to lock down your environment and ensure that all these shadow IT services are in compliance.
Step 3: Create an allow list and configure authentication records
Once you’ve identified authorized senders, you’ll need to configure SPF and DKIM for each of these services in DNS. For DMARC to work, either SPF or DKIM must be correctly configured, so mistakes at this stage can block good email.
If you are relying on conventional DNS, that means you can only publish static records. In other words, a single SPF record needs to authorize all approved senders, and you’ll need to update that SPF record whenever your sender list changes. When handling this process manually, there are additional limitations within the authentication standards, such as the limit of 10 DNS lookups per SPF evaluation (every include, a, mx, ptr, exists, and redirect term counts, including those nested inside the records you include). To get around this limitation, many organizations resort to “SPF flattening,” which means listing out all the IP addresses for each service they want to authorize rather than listing the services’ domains. The problem with that is you then must keep tabs on which IPs each service is using — and those can change frequently, without notice.
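To make the lookup limit and the flattening trade-off concrete, here is an added example (not code from the article or from Valimail) that walks an SPF record's include chain offline and counts the DNS-querying terms, then produces the flattened equivalent. All TXT, A and MX answers are constructed and stand in for real DNS; none of the domains or addresses is real.

```python
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed DNS data. A "small" record that includes three vendors, each of
# which includes its own sub-records, is enough to blow past the limit.
FAKE_TXT = {
    "example.com": "v=spf1 mx include:_spf.mailhost.test include:esp-vendor.test include:crm-vendor.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:192.0.2.0/24 include:relay1.mailhost.test include:relay2.mailhost.test ~all",
    "relay1.mailhost.test": "v=spf1 ip4:198.51.100.0/25 -all",
    "relay2.mailhost.test": "v=spf1 a:out.mailhost.test -all",
    "esp-vendor.test": "v=spf1 ip4:203.0.113.0/24 include:eu.esp-vendor.test -all",
    "eu.esp-vendor.test": "v=spf1 ip4:203.0.113.128/25 -all",
    "crm-vendor.test": "v=spf1 ip4:192.0.2.200 include:_spf.crm-vendor.test ~all",
    "_spf.crm-vendor.test": "v=spf1 a mx -all",
}
FAKE_A = {"out.mailhost.test": ["192.0.2.50"], "_spf.crm-vendor.test": ["192.0.2.201"]}
FAKE_MX = {"example.com": ["192.0.2.10", "192.0.2.11"], "_spf.crm-vendor.test": ["192.0.2.202"]}


def spf_terms(domain, txt=FAKE_TXT):
    """Return the terms of a domain's SPF record, minus the leading v=spf1."""
    terms = txt[domain].split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    return terms[1:]


def split_term(term):
    """'-include:x' -> ('-', 'include', 'x'); 'mx' -> ('+', 'mx', None)."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    if "=" in body:                      # modifier such as redirect=other.test
        name, arg = body.split("=", 1)
    elif ":" in body:
        name, arg = body.split(":", 1)
    else:
        name, arg = body, None
    return qualifier, name.lower(), arg


def count_lookups(domain, txt=FAKE_TXT):
    """DNS lookups a receiver must perform to evaluate this record, includes included."""
    total = 0
    for term in spf_terms(domain, txt):
        _, name, arg = split_term(term)
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, txt)
        elif name == "redirect":
            total += 1 + count_lookups(arg, txt)
    return total


def flatten(domain, txt=FAKE_TXT, a_records=FAKE_A, mx_records=FAKE_MX):
    """Expand include/redirect/a/mx into literal ip4 terms. ptr and exists cannot
    be expressed as addresses, so they are kept (and still cost a lookup)."""
    ips, leftover = [], []
    for term in spf_terms(domain, txt):
        _, name, arg = split_term(term)
        if name in ("include", "redirect"):
            sub_ips, sub_left = flatten(arg, txt, a_records, mx_records)
            ips += sub_ips
            leftover += sub_left
        elif name in ("ip4", "ip6"):
            ips.append(term)
        elif name == "a":               # bare 'a'/'mx' refer to the record's own domain
            ips += [f"ip4:{ip}" for ip in a_records.get(arg or domain, [])]
        elif name == "mx":
            ips += [f"ip4:{ip}" for ip in mx_records.get(arg or domain, [])]
        elif name == "all":
            continue                     # an included record's 'all' never propagates
        else:
            leftover.append(term)
    return ips, leftover


def flattened_record(domain, txt=FAKE_TXT, a_records=FAKE_A, mx_records=FAKE_MX):
    ips, leftover = flatten(domain, txt, a_records, mx_records)
    all_term = [t for t in spf_terms(domain, txt) if split_term(t)[1] == "all"][-1]
    unique_ips = list(dict.fromkeys(ips))  # de-duplicate, keep order
    return " ".join(["v=spf1", *unique_ips, *leftover, all_term])


if __name__ == "__main__":
    n = count_lookups("example.com")
    print(f"example.com needs {n} lookups (limit {LOOKUP_LIMIT}):", "OVER" if n > LOOKUP_LIMIT else "ok")
    flat = flattened_record("example.com")
    print("flattened:", flat)
    print("flattened lookups:", count_lookups("example.com", {"example.com": flat}))
```

The flattened record needs zero lookups, but every address in it was copied from a vendor's record at one point in time; the moment a vendor adds a sending range, the flattened record is wrong until someone regenerates it, which is exactly the maintenance burden the paragraph above describes.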
Step 4: Broadcast the program to your organization
Once you finish step 3, you will have everything you need to go to enforcement, but because a program like this will have immediate value — and negative consequences if not executed correctly — it’s important that you publicize the intended results and details of the program within your organization. Now is also a great time to clarify your onboarding policy for new cloud services so no good email is blocked in the future.
DMARC enforcement provides value across the organization, and sharing the value can help quickly get everyone excited and onboard with the process.
Business units and benefits
Marketing: Improve brand trust and increase email deliverability for outbound marketing campaigns. Boost brand impression with BIMI.
Information Technology: Increase visibility into IT governance and control; know which emailing apps are spun up (shadow IT) and who is impersonating the company
Security/Operations: Enhance InfoSec efforts and stop a main source of spear phishing; get additional insight into attacks on your organization
Finance: Expand compliance best practices and reduce cyber insurance premiums
Step 5: Move to enforcement
DMARC enforcement means either a reject policy of p=reject (unauthorized emails are completely rejected by the receiving server) or a quarantine policy of p=quarantine (unauthorized emails go to spam). It’s recommended to start with quarantine so you can continue to monitor service configurations and confirm that good email isn’t being delivered to the junk folder. When you are certain that things are working correctly, you can move to a reject policy so no unauthorized emails from your domain are delivered.
Step 6: Monitoring, reporting, and ongoing configuration
Email authentication doesn’t stop when you reach enforcement. As your organization grows, new services can be added or removed at any given time. If you do not keep up with this ongoing process, good emails can end up being blocked. Services also change their underlying configurations without notice, which could lead to critical email workflows breaking.
You’ll also need to formalize a mechanism for monitoring and reporting on the results of your authentication program.
Valimail addresses and overcomes the most challenging aspects of email authentication: visibility and sender management. Sign up for a free DMARC Monitor™ account for enterprise-grade reporting and visibility into all emails being sent from your domain.
If you’re interested in giving automation a try, sign up for DMARC Monitor today.