Integrating DMARC with SPF

Did you know that if you add a DMARC record, you might have to update your SPF record? I attended the Online Trust Alliance (OTA) Email Authentication & DMARC Training class a few months ago and learned some great best practice recommendations. Although there has been a lot of buzz lately about DMARC, like Yahoo! mail being DMARC compliant, some of the tips below haven’t been wide spread and so I thought I would share.

As a general rule prior to DMARC, senders should authenticate their emails with an SPF record that ends with a hard fail mechanism (-all). This instructs the receivers to reject email messages that appear to be coming from the sender but fails the authentication test. As mentioned in the Don’t Receivers use SPF and DKIM results already? section and here, receivers couldn’t always use that failing mechanism and delivered the emails anyway. Thus, DMARC was born and is changing the ground rules. As recommended by the instructors, implement DMARC in the following phases:

Phase I – Monitor

Until you are a DMARC expert, start off in monitor mode. Start collecting the aggregate and forensic reports to see if anyone is spoofing or phishing your brand. Conduct an audit to ensure that all IPs, domains, and sending environments are accounted for and are properly being authenticated. In your DMARC text record, set the policy to monitor mode, or “p=none.” Your SPF failing mechanism should match, so set it to reflect a soft fail (~all).

Phase II – Quarantine

You can instruct the receivers to quarantine emails that fail the authentication tests by putting it in the spam/junk folder or quarantine it in their filters. Change the DMARC text record to policy mode to “p=quarantine.” Keep your SPF record set with the soft fail mechanism.

Phase III - Reject

Once you’re absolutely certain that you have identified all of your IPs, domains, and sending environments, you can instruct the receivers to reject the spoofed and phished emails by changing the DMARC policy to “p=reject.” Remember to update your SPF record to include a hard fail.

In case you’re wondering, it is not necessary to make any changes with your DKIM records, like setting it to test mode.

The truth is that you may never know if the receivers are actually enforcing the policies and failing mechanisms, as it is up to each of them to decide what to do with the email. Senders can quickly get inundated with the DMARC reports. Return Path’s Domain Assurance can help with both issues though data collection and reporting that can help you make sense of it. Go here for more information.

Do you have any other DMARC tips you'd like to share?  Leave them in the comments below.