Email Security and Authentication

How do I achieve DMARC compliance?


So you decided to implement a stricter DMARC policy to protect yourself from a recent spoofing attack. Great job! But upon review of your non-compliant mail sources, you realize that one of them is an authorized vendor that is not DMARC-compliant. What do you do?

One of the more important details to get right during DMARC setup is identifier alignment; a failure to align is one of the most common reasons a mail source shows up as non-compliant. Before we get into the alignment discussion, we need to understand which domains are authenticated during a DMARC policy check.

Process of DMARC authentication step by step

Example of a DMARC header:

For mail to authenticate successfully with DMARC, either the DKIM signature or the SPF check needs to pass. That alone is sufficient while you are simply in DMARC monitoring mode (p=none). But once you move to a stricter policy (p=quarantine or p=reject), you also need to ensure that the domains mentioned in the headers align, that is, match each other.

For email to be considered DMARC compliant, the policy domain (the Header.From domain) must match either the SPF-authenticated domain or the DKIM signing domain. This is called identifier alignment. Alignment can be specified in either strict mode (an exact match) or relaxed mode (a match of the organizational domain).

Coming back to the original question, you have a few options when sending from third-party sources.

  1. Delegate a subdomain so they can publish their own DKIM and SPF records in DNS. The third-party sender does not need to publish a DMARC record, since your record on the organizational domain will cover it.
  2. Give the third party a private DKIM key to sign the email and publish the matching public key in your DNS, and/or add their sending IPs (for example via an SPF include) to your SPF record.

There might be a scenario in which the vendor is not capable of DKIM-signing the email. In that case, create a subdomain specifically for these email flows. Using a dedicated subdomain with a p=none policy lets you keep monitoring the non-compliant email, while your primary domain can publish a p=reject policy without blocking it.
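To make the alignment rules and the vendor scenarios above concrete, here is an added example (not code from the original post) that evaluates whether a message would be DMARC compliant given its Header.From domain and the SPF and DKIM results. The organizational-domain logic is a deliberate simplification (last two DNS labels); a real evaluator consults the Public Suffix List, and the sample domains are constructed.

```python
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC evaluators use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact), 'r' = relaxed (org domain)."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    if mode == "r":
        return organizational_domain(header_from) == organizational_domain(auth_domain)
    raise ValueError(f"unknown alignment mode: {mode}")


@dataclass
class AuthResult:
    header_from: str   # domain of the RFC5322.From header (policy domain)
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM domain that SPF authenticated
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature


def dmarc_evaluate(r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier is aligned.
    aspf/adkim mirror the DMARC record tags that select strict or relaxed."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios (example.com is the customer's domain, vendor.example is the sender)
VENDOR_OWN_DOMAIN = AuthResult("example.com", "pass", "vendor.example", "pass", "vendor.example")
DELEGATED_SUBDOMAIN = AuthResult("example.com", "pass", "mail.example.com", "pass", "mail.example.com")
NO_AUTH = AuthResult("example.com", "none", "", "none", "")

if __name__ == "__main__":
    # Vendor authenticates, but only for its own domain: fails alignment.
    print(dmarc_evaluate(VENDOR_OWN_DOMAIN)["dmarc"])             # fail
    # Delegated subdomain passes under relaxed alignment, fails under strict.
    print(dmarc_evaluate(DELEGATED_SUBDOMAIN)["dmarc"])           # pass
    print(dmarc_evaluate(DELEGATED_SUBDOMAIN, "s", "s")["dmarc"])  # fail
```

The first scenario is exactly the "authorized but non-compliant vendor" from the opening, and the second shows why the delegated-subdomain option works only while your DMARC record keeps the default relaxed alignment.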

You might be feeling a little overwhelmed at this point, but that’s totally ok. That’s why we’re here! Reach out to us and we’ll help you figure out what’s going right, what’s gone left, and how to get your DMARC into tip-top shape!