Why DMARC is Not Set It and Forget It

Email DNS (Domain Name Service) records have become the linchpin for improved email delivery. Without the four major components (discussed below), your company’s outbound messages are at high risk of being rejected by inbox providers.  Worse, without proper Email DNS configurations, your brand is at risk of falling victim to phishing or spoofing scams.

To get email delivery to it’s highest levels, you need:

  • MX (Mail Exchanger): Resource record specifying mail server responsible for accepting email on behalf of a domain.  Without an MX record, no email is coming to your domain and most, if not all, recipients will check for an MX record before accepting email from a domain.
  • SPF (Sender Policy Framework): Email authentication method designed to detect spoofing via authorized domain list.  With SPF, you designate what IP addresses and domains can and cannot send on behalf of your domain.  Recipient systems check this list and may reject email from unlisted sources.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Email validation system designed to enable inbox providers to provide feedback on email that is sent from your domain.  DMARC enables senders to detect and prevent email spoofing (forged sender addresses used in phishing and spam efforts).
  • DKIM (DomainKeys Identified Mail): Email authentication method designed to enable senders to sign their emails so that inbox providers can easily detect spoofing via digital signature.

DMARC works best when senders have adopted both SPF and DKIM and achieving DMARC compliance using SPF and DKIM is a vital step in ensuring your emails are delivered.

How do you become DMARC Compliant?

The importance of reaching DMARC compliance can’t be overstated.  Essentially, your company’s email reputation, and email deliverability, relies on this protocol.

Once DMARC has been implemented, it allows you to:

  • Monitor, detect, and fix real-world problems with your email delivery
  • See the email volumes you’re delivering to inbox providers (including which providers)
  • Identify threat emails purporting to come from your domain (i.e., spoofing/phishing using your domain)
  • Defend your reputation against spoofing attacks using your domain.

Essentially, DMARC gives you the information and tools necessary to improve your email deliverability, defend your brand from spoofing, and even reduce the amount of spam on the Internet.  Without DMARC, inbox providers will begin to see your email as riskier than your DMARC-compliant competitors and more of your email will end up being classified as Bulk, Junk or even denied.  What you need is a way to decipher all of the information that DMARC reports provide.  Tools like MxToolbox Delivery Center give you that.

Set It and Forget It?

It is fair to assume that once you configure DMARC correctly, you’re done with the process and email will flow freely and without incident.   Unfortunately, this is not the case.  Your business will change and so will your email configuration.  If you want your company’s email delivery rates to stay consistently high, then you must routinely monitor and adjust your DNS records as your business evolves. There are several routine scenarios that can cause issues if you ignore your settings.

Adding a Sender

Your company’s Marketing Department adds a new email vendor, Sales adopts a new CRM or Support trials a new online support tool.  Now, you must add each of these providers to your SPF records, verify them, and setup DKIM with them otherwise emails from these systems will be rejected.  Next comes a breaking in period where you need to monitor delivery rates of email sent from these platforms.  You might have to temporarily lower your DMARC policy to Quarantine or None to ensure that email from these sources is accepted.  You need a tool to continually monitor your DMARC compliance and email deliverability to ensure that your email is reaching your customers and business partners.

A Trusted Sender is Blacklisted

The primary safe guard for email delivery is still blacklisting IP addresses and domains that are frequently used in spam, phishing and malware attacks.  An inbox provider doesn’t even process email from a blacklisted IP.  Blacklisted email is typically not delivered, even to junk.  If you or one of your email providers is sending from a blacklisted IP address, your email delivery is in jeopardy.  Inbox providers that utilize DMARC for feedback will only report on SPF, DKIM and DMARC compliance of emails sent, they do not report on blacklisted IPs!  You need to monitor your sending IP addresses for blacklisting to ensure your email deliverability.

Providers get Compromised

Hacks are a regular problem for every business and your email service providers could be a target as a legitimate source of email.  In fact, MxToolbox has seen individual inboxes compromised at major inbox providers several times in the last years.  If a provider is hacked, then any email sent via that provider will automatically pass SPF, DKIM and DMARC checks.  How would you know if this happens?  Only by monitoring your email deliverability and examining the forensic reports sent back by the recipients via DMARC reporting.

Fraudulent Email Volumes Dwarf Legitimate Email

With low outbound email volumes or with valuable brands, the fraudulent email volume could greatly exceed the legitimate volume of email.  In cases like this, monitoring DMARC reporting is invaluable so that your team can see the spike in message volume and change your email posture.  Even when using a Reject policy, some providers might report your domain to blacklists because of the overwhelming spam signal.  You need to monitor your domain as well as sending IP addresses for blacklisting.

Exceeding SPF Includes

As your organization grows, you will add new providers: CRMs. Market Automation, Support, Inbox, etc.  Each provider you add will need to be entered into you SPF record and each of these providers will have a range or ranges of IP addresses in their own SPF records.  The RFC on SPF allows for at maximum 10 includes in the tree, after which no other includes are read.  You might add a provider and exceed the limit of SPF includes or a provider might add a new range to their SPF and exceed the limit.  Without monitoring your email delivery and email configuration, you would never know until email fails to reach your customers.

How do I monitor email deliverability?

To monitor and manage email deliverability, you need a tool that constantly analyzes and reports upon:

  • SPF, DKIM and DMARC Compliance
  • Blacklisted Sending IP addresses and Domains
  • SPF, DKIM and DMARC Configuration
  • Known Senders, Forwarders and Email Threats like Fraud and Phishing
  • DMARC Forensic Information*

Only MxToolbox Delivery Center provides you with all the information you need to properly manage your email deliverability, from setting up email best practices to managing email delivery for the longterm.  Delivery Center Plus* even includes Foresnic information for detailed threat research.

MxToolbox has everything you need to improve email delivery with DMARC and only MxToolbox provides the Experts capable of managing your email delivery posture.  MxToolbox Managed Services can get you up and running quickly and manage your email delivery in the longterm.