This article covers five common DMARC deployment mistakes: leaving parked (inactive) domains unprotected, jumping straight to a ‘Reject’ policy, changing policy before DKIM/SPF alignment is fixed, exceeding the SPF limit of 10 DNS lookups, and not signing outgoing mail with DKIM.
1. Not setting up parked (inactive) domains
Companies implement DMARC for the domains they actively send mail from, but most also own parked (inactive) domains, and these are frequently left out. That is a mistake: you may never send email from a parked domain, but anyone can put it in the From header of a phishing message, and without a published policy receivers have no reason to reject it. Because no legitimate mail leaves these domains, protecting them is straightforward: publish an SPF record that authorizes no sender at all (‘v=spf1 -all’), a DMARC record with ‘p=reject’ (keep a rua= address so attempts to abuse the domain still show up in your reports), and, if the domain receives no mail either, a null MX record (‘0 .’, RFC 7505). Do not skip these domains in your DMARC implementation project. For full details on how to set up parked domains, see the Parked and inactive domain setup guide.
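The following checker, added here as an example and not taken from the article or from the DMARC Analyzer guides, verifies that a parked domain's DNS records actually lock it down. It runs against a constructed in-memory snapshot of DNS answers (the domain names and records are fictitious) so it works offline; point the lookups at a real resolver to audit your own parked domains.

```python
# Added example (not from the original article): check that a parked domain's
# DNS records lock it down against spoofing. It works on a constructed,
# in-memory snapshot of DNS answers rather than live DNS, so it runs offline.

def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_parked_domain(domain, dns):
    """Return a list of findings; an empty list means the domain is locked down.

    `dns` maps (owner name, record type) to a list of record strings, e.g.
    dns[("parked.example", "TXT")] == ["v=spf1 -all"].
    """
    findings = []

    # 1. Null MX (RFC 7505): a single MX with preference 0 pointing at "."
    #    announces that the domain accepts no mail at all.
    mx = dns.get((domain, "MX"), [])
    if mx != ["0 ."]:
        findings.append(f"{domain}: expected null MX '0 .', found {mx or 'none'}")

    # 2. SPF must authorize nobody: exactly "v=spf1 -all". Anything else
    #    (includes, ~all, several records) leaves a way to pass SPF.
    spf = [r for r in dns.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"{domain}: SPF should be 'v=spf1 -all', found '{spf[0]}'")

    # 3. DMARC: p=reject, applied to 100% of messages, with subdomains
    #    covered (sp defaults to p when absent) and a rua address so that
    #    attempts to abuse the domain still show up in aggregate reports.
    dmarc = dns.get(("_dmarc." + domain, "TXT"), [])
    if len(dmarc) != 1:
        findings.append(f"{domain}: expected exactly one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("v") != "DMARC1":
            findings.append(f"{domain}: DMARC record must start with v=DMARC1")
        if tags.get("p") != "reject":
            findings.append(f"{domain}: DMARC policy should be p=reject, found p={tags.get('p')}")
        if tags.get("sp", tags.get("p")) != "reject":
            findings.append(f"{domain}: subdomain policy should be sp=reject, found sp={tags.get('sp')}")
        if tags.get("pct", "100") != "100":
            findings.append(f"{domain}: pct={tags['pct']} leaves some messages unpoliced")
        if "rua" not in tags:
            findings.append(f"{domain}: no rua= address, so abuse of the domain goes unnoticed")
    return findings


# Constructed sample snapshots (fictitious domains, not real DNS data).
LOCKED_DOWN = {
    ("parked.example", "MX"): ["0 ."],
    ("parked.example", "TXT"): ["v=spf1 -all"],
    ("_dmarc.parked.example", "TXT"): [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
    ],
}
FORGOTTEN = {
    # Leftover records from a brand that no longer sends mail: still accepts
    # mail, still has a permissive SPF record, and has no DMARC record.
    ("old-brand.example", "MX"): ["10 mail.old-brand.example."],
    ("old-brand.example", "TXT"): ["v=spf1 include:_spf.mailprovider.example ~all"],
}

if __name__ == "__main__":
    for name, snapshot in (("parked.example", LOCKED_DOWN), ("old-brand.example", FORGOTTEN)):
        print(name, check_parked_domain(name, snapshot) or "locked down")
```

Running it prints no findings for parked.example and three for old-brand.example (wrong MX, permissive SPF, missing DMARC record), which is exactly the state a forgotten domain is usually found in.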
2. Immediately going to a full ‘Reject’ policy
We often see companies deploy DMARC and go straight to a full ‘Reject’ policy. This is a common mistake because it will most likely cause legitimate email to be dropped: every sending source you have not yet authenticated and aligned (a marketing platform, a ticketing system, a multifunction printer) is rejected from day one. We recommend deploying DMARC policies gradually. Start with a monitoring policy (p=none) and review the aggregate reports, looking for deviations such as legitimate sources whose messages are unsigned or fail alignment, and for sources you do not recognize, which may be spoofing your domain. Fix the legitimate sources first. When you are comfortable with the results, change your policy to ‘Quarantine’ (p=quarantine); the pct tag lets you apply it to a percentage of messages before going to 100%. Monitor the results once again, this time in both your spam folders and in the DMARC reports. Only when every legitimate source passes DMARC with an aligned DKIM or SPF result, change your policy to ‘Reject’. Keep monitoring all reports afterwards to ensure your results are acceptable, and remember that the sp tag (which defaults to the value of p) controls the policy applied to your subdomains.
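Deciding when it is safe to move from ‘none’ to ‘Quarantine’ means reading the aggregate (RUA) reports. The script below, an added example not taken from the article or from DMARC Analyzer, parses one report in the XML format defined in RFC 7489 Appendix C and summarizes, per sending IP, how many messages passed DMARC (aligned DKIM or aligned SPF, as reported in the policy_evaluated element) and how many failed, attaching the raw authentication results so that a failing source can be classified as a misconfigured legitimate sender or as an unknown source. The report, IPs and counts are constructed sample data.

```python
# Added example (not from the original article): summarize a DMARC aggregate
# report and decide whether your known senders are ready for a stricter policy.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (fictitious receiver, IPs and counts).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published policy, per-source summary) for one aggregate report."""
    # Reports arrive from arbitrary receivers: parse real ones with defusedxml
    # rather than the plain ElementTree used here for the constructed sample.
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    sources = defaultdict(lambda: {"pass": 0, "fail": 0, "notes": set()})
    for record in root.findall("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            sources[ip]["pass"] += count
            continue
        sources[ip]["fail"] += count
        # auth_results holds the raw results and explains why alignment failed.
        header_from = record.findtext("identifiers/header_from")
        for spf in record.findall("auth_results/spf"):
            if spf.findtext("result") == "pass" and spf.findtext("domain") != header_from:
                sources[ip]["notes"].add(
                    f"SPF passed for {spf.findtext('domain')} but not aligned with {header_from}")
        if not record.findall("auth_results/dkim"):
            sources[ip]["notes"].add("no DKIM signature")
    return policy, dict(sources)


def ready_to_tighten(sources, known_good):
    """True when every message from your own (known) senders passed DMARC.

    Failures from IPs you do not own are expected; that is what the policy is
    for, so they must not hold back the move to quarantine or reject.
    """
    return all(sources[ip]["fail"] == 0 for ip in known_good if ip in sources)


if __name__ == "__main__":
    policy, sources = summarize_report(SAMPLE_REPORT)
    print("published policy:", policy["p"])
    for ip, summary in sources.items():
        print(ip, summary["pass"], "pass", summary["fail"], "fail", sorted(summary["notes"]))
```

In the sample, 198.51.100.7 is the typical "legitimate but misconfigured" case: an email service provider whose SPF passes on its own bounce domain and which adds no DKIM signature for example.com, so all 300 messages would be quarantined once the policy changes. 203.0.113.99 fails SPF outright on example.com and is unsigned, which is what a spoofing source looks like.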
3. Not working on your alignment
DMARC ties the domain in the ‘From’ header (the address the recipient sees) to the domains that SPF and DKIM actually authenticate: SPF checks the envelope sender (RFC5321.MailFrom) domain, and DKIM verifies the domain in the signature’s d= tag. Alignment means that the ‘From’ domain matches one of those authenticated domains; in relaxed mode (the default) a match on the organizational domain is enough, in strict mode (adkim=s / aspf=s) the domains must be identical. A message passes DMARC only if at least one of SPF or DKIM both passes and is aligned; an SPF pass on a provider’s bounce domain, or a valid DKIM signature with the provider’s own d= domain, does not count. It is a common mistake to change a DMARC policy while DKIM and/or SPF are not yet aligned for every legitimate source. Doing so will almost certainly lead to a loss of legitimate email. Always make sure DKIM and/or SPF are fully aligned before changing your DMARC policy. For full details on alignment, see the alignment guide.
4. More than 10 lookups in your SPF record
Having more than 10 DNS lookups in your SPF record is a common mistake found when deploying DMARC. SPF limits evaluation to 10 lookup-causing terms (the include, a, mx, ptr and exists mechanisms and the redirect modifier, counted recursively through every included record; ip4, ip6 and all are free) to limit the load on the receiving side. When the limit is exceeded, the receiver does not simply ignore the terms after the tenth: RFC 7208 requires it to return ‘permerror’, which means the whole record fails and none of your sources count as valid SPF senders, so DMARC can then only pass on DKIM. If you have more than 10 lookups, you will have to reduce the number of lookups, for example by removing providers that no longer send for you, or by replacing include mechanisms with the ip4/ip6 ranges they expand to (which then need to be kept in sync with the provider). For full details, see the DMARC Analyzer: SPF Delegation guide.
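Counting lookups by hand through nested includes is error-prone, so here is a counter, added as an example and not part of the article or of DMARC Analyzer's tooling. It walks the include and redirect chain recursively, records which term in which record consumed each lookup, and reports whether the total stays within the RFC 7208 limit. The SPF records come from a constructed in-memory table of fictitious domains so the script runs offline; to check a live domain, replace the table lookup with a TXT query (for example via dnspython).

```python
# Added example (not from the original article): count the DNS lookups an SPF
# record triggers, recursively through includes and redirects, against the
# RFC 7208 limit of 10. DNS answers come from a constructed in-memory table so
# the script runs offline.

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4). ip4, ip6, all and
# exp do not count. (mx and ptr additionally have a separate limit of 10 names
# per mechanism, which is not modelled here.)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed SPF records for a fictitious domain and its mail providers.
SPF_RECORDS = {
    "example.com": "v=spf1 mx a include:_spf.crm.example include:spf.esp.example ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_spf-a.crm.example include:_spf-b.crm.example ~all",
    "_spf-a.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf-b.crm.example": "v=spf1 a mx -all",
    "spf.esp.example": "v=spf1 include:eu.esp.example include:us.esp.example -all",
    "eu.esp.example": "v=spf1 a:out.eu.esp.example ip6:2001:db8::/32 -all",
    "us.esp.example": "v=spf1 redirect=spf-us.esp.example",
    "spf-us.esp.example": "v=spf1 exists:%{i}.rbl.esp.example -all",
}


def split_term(term):
    """Return (name, argument) for one SPF term, dropping the qualifier
    (+ - ~ ?) and any CIDR suffix such as a/24."""
    t = term.lstrip("+-~?")
    if ":" in t:
        name, arg = t.split(":", 1)
    elif "=" in t:
        name, arg = t.split("=", 1)
    else:
        name, arg = t, ""
    return name.split("/")[0].lower(), arg


def count_lookups(domain, records, _path=()):
    """Return (total lookups, trail); trail lists each (term, record owner)
    that consumed a lookup. Raises ValueError on a missing record or a loop."""
    if domain in _path:
        raise ValueError(f"include/redirect loop: {' -> '.join(_path + (domain,))}")
    path = _path + (domain,)
    record = records.get(domain)
    if record is None:
        raise ValueError(f"no SPF record for {domain}")
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        raise ValueError(f"{domain}: not an SPF record: {record!r}")
    total, trail = 0, []
    for term in terms[1:]:
        name, arg = split_term(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        trail.append((term, domain))
        if name in ("include", "redirect"):
            # The referenced record is evaluated in turn; its lookups count too.
            sub_total, sub_trail = count_lookups(arg, records, path)
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def within_limit(domain, records):
    """True if evaluating `domain` stays at or under MAX_LOOKUPS. Over the
    limit the receiver returns permerror for the whole record, so every
    message fails SPF, not only those matched after the tenth lookup."""
    total, _ = count_lookups(domain, records)
    return total <= MAX_LOOKUPS


if __name__ == "__main__":
    total, trail = count_lookups("example.com", SPF_RECORDS)
    for term, owner in trail:
        print(f"{owner:22} {term}")
    print(f"total {total} (limit {MAX_LOOKUPS}):", "OK" if total <= MAX_LOOKUPS else "permerror")
```

For the constructed example.com record the count is 13: two for mx and a, five for the CRM provider (its include plus four inside it), and six for the ESP (its include, two regional includes, one a, one redirect and one exists). The printed trail shows where to cut; here the CRM provider’s sub-include that is only a and mx is the obvious candidate to replace with its IP ranges.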
5. Not using a DKIM signature
DKIM is one of the two authentication techniques that can make email DMARC compliant. DMARC Analyzer recommends always signing outgoing messages from your direct mail sources with a DKIM signature whose d= domain aligns with your ‘From’ domain. A message carrying an aligned DKIM signature is DMARC compliant even when SPF fails, and that helps with forwarding: when a recipient forwards your message, the forwarding server’s IP is not in your SPF record, so SPF fails at the final destination, but the DKIM signature still verifies as long as the signed headers and body were not modified in transit. Mailing lists that rewrite the subject or add a footer do break the signature; that is a separate problem that DKIM alone does not solve.
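The alignment rules from section 3 and the forwarding case from section 5 are both shown by the evaluator below, an added example that is not part of the article or of DMARC Analyzer. Given the ‘From’ domain, the SPF result with the domain SPF was checked on, the DKIM results with their d= domains, and the published adkim/aspf modes, it returns whether DMARC passes and why. Organizational-domain derivation is simplified to "last two labels" for the fictitious domains used here; a real implementation must consult the Public Suffix List.

```python
# Added example (not from the original article): DMARC identifier alignment
# evaluator, with a forwarding scenario. Domains are fictitious.

def org_domain(domain):
    """Organizational domain. Simplified here to the last two labels; real
    code must use the Public Suffix List (example.co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, spf, dkim_sigs, adkim="r", aspf="r"):
    """Return (passed, reasons).

    spf:       (result, mailfrom_domain), e.g. ("pass", "bounce.example.com");
               result is one of pass/fail/softfail/neutral/none/temperror/
               permerror and only "pass" counts.
    dkim_sigs: [(result, d_domain), ...], one entry per signature on the
               message (a message can carry several).
    """
    reasons = []
    spf_result, spf_domain = spf
    spf_aligned = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    if spf_aligned:
        reasons.append(f"SPF aligned pass ({spf_domain})")
    elif spf_result == "pass":
        reasons.append(f"SPF passed for {spf_domain} but not aligned with {header_from} (aspf={aspf})")
    else:
        reasons.append(f"SPF {spf_result} for {spf_domain}")

    dkim_aligned = False
    for result, d in dkim_sigs:
        if result == "pass" and aligned(header_from, d, adkim):
            dkim_aligned = True
            reasons.append(f"DKIM aligned pass (d={d})")
        elif result == "pass":
            reasons.append(f"DKIM passed for d={d} but not aligned with {header_from} (adkim={adkim})")
        else:
            reasons.append(f"DKIM {result} for d={d}")
    if not dkim_sigs:
        reasons.append("no DKIM signature")

    # DMARC needs at least one authenticated *and* aligned identifier.
    return spf_aligned or dkim_aligned, reasons


def forwarding_scenario():
    """The same message evaluated at the first hop and after a plain forward.

    At the forward's destination the SPF check sees the forwarder's IP, which
    is not in example.com's SPF record, so SPF fails. The DKIM signature still
    verifies because the forwarder left the signed headers and body intact,
    so DMARC still passes. Without a DKIM signature the forwarded copy fails.
    """
    direct = evaluate_dmarc("example.com", ("pass", "example.com"), [("pass", "example.com")])
    forwarded = evaluate_dmarc("example.com", ("fail", "example.com"), [("pass", "example.com")])
    forwarded_unsigned = evaluate_dmarc("example.com", ("fail", "example.com"), [])
    return direct[0], forwarded[0], forwarded_unsigned[0]


if __name__ == "__main__":
    # Typical ESP setup: SPF passes on the provider's bounce domain, DKIM is
    # signed with the provider's own domain. Neither aligns, so DMARC fails.
    ok, why = evaluate_dmarc("example.com", ("pass", "bounce.esp.example"), [("pass", "esp.example")])
    print(ok, why)
    print("direct, forwarded, forwarded without DKIM:", forwarding_scenario())
```

The ESP case in the main block is the misalignment most often behind a "why is my newsletter failing DMARC" ticket: both checks pass technically, neither on a domain that aligns with the From header. The fix is a DKIM signature with d=example.com (or a subdomain of it in relaxed mode), or a custom bounce domain under example.com for SPF.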