Integrating DMARC with SPF

Did you know that if you add a DMARC record, you might have to update your SPF record? I attended the Online Trust Alliance (OTA) Email Authentication & DMARC Training class a few months ago and learned some great best practice recommendations. Although there has been a lot of buzz lately about DMARC, like Yahoo! mail being DMARC compliant, some of the tips below haven’t been wide spread and so I thought I would share.

As a general rule prior to DMARC, senders should authenticate their emails with an SPF record that ends with a hard fail mechanism (-all). This instructs the receivers to reject email messages that appear to be coming from the sender but fails the authentication test. As mentioned in the Don’t Receivers use SPF and DKIM results already? section and here, receivers couldn’t always use that failing mechanism and delivered the emails anyway. Thus, DMARC was born and is changing the ground rules. As recommended by the instructors, implement DMARC in the following phases:

Phase I – Monitor

Until you are a DMARC expert, start off in monitor mode. Start collecting the aggregate and forensic reports to see if anyone is spoofing or phishing your brand. Conduct an audit to ensure that all IPs, domains, and sending environments are accounted for and are properly being authenticated. In your DMARC text record, set the policy to monitor mode, or “p=none.” Your SPF failing mechanism should match, so set it to reflect a soft fail (~all).

Phase II – Quarantine

You can instruct the receivers to quarantine emails that fail the authentication tests by putting it in the spam/junk folder or quarantine it in their filters. Change the DMARC text record to policy mode to “p=quarantine.” Keep your SPF record set with the soft fail mechanism.

Phase III – Reject

Once you’re absolutely certain that you have identified all of your IPs, domains, and sending environments, you can instruct the receivers to reject the spoofed and phished emails by changing the DMARC policy to “p=reject.” Remember to update your SPF record to include a hard fail.

In case you’re wondering, it is not necessary to make any changes with your DKIM records, like setting it to test mode.

The truth is that you may never know if the receivers are actually enforcing the policies and failing mechanisms, as it is up to each of them to decide what to do with the email. Senders can quickly get inundated with the DMARC reports. Return Path’s Domain Assurance can help with both issues though data collection and reporting that can help you make sense of it. Go here for more information.

Do you have any other DMARC tips you’d like to share?  Leave them in the comments below.

minute read

Popular stories

Products

BriteVerify

BriteVerify email verification ensures that an email address actually exists in real-time

DemandTools

The #1 global data quality tool used by thousands of Salesforce admins

Everest

Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality

Solutions

Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time