Setting up DMARC for your Corporate Environment

Posted by Cherie Ansari on

You’ve spent so much time protecting the sending reputation of your email program, but what about your corporate environment? Doesn’t it deserve the same type of anti-fraud methods you’ve implemented for your marketing and/or transactional emails? One way you can be an anti-fraud champion is by educating your company about SPF, DKIM, and DMARC.

Setting up a DMARC record for any sending environment should follow the same basic enforcement principles – start in monitor mode, progress to quarantine mode, and graduate to reject mode to stop fraudulent emails from reaching the inbox or bulk/spam folders. You may find, though, that you spend more time in monitor mode with your corporate environment, because there may be multiple third-party senders you’re unaware of. For example, employee benefits, retirement planning, and/or time management systems may all be sent from several third-party MTAs that use your sending domain. So take your time auditing your DMARC reports to ensure that you’ve properly accounted for all the authorized IPs and domains.

Although there’s no one size fits all DMARC record for corporate environments, you may find the following example helpful.

  1. Say you are the domain owner for example.com.
  2. WageWorks is an authorized third-party sender that emails on your behalf, but from their own MTAs.
  3. You delegated authority for them to send email from wage.example.com, which will show up in their From: and Return-Path: email headers.
  4. WageWorks creates and publishes an SPF record for wage.example.com in their DNS.
  5. You update the SPF record for example.com so that WageWorks’ IPs are listed.
  6. You create a DKIM private/public key pair. You give WageWorks the private key and you publish the public key in the wage.example.com zone file.
  7. You are responsible for creating the DMARC record, not WageWorks, because the record shown below covers both example.com and wage.example.com. Ensure that WageWorks doesn’t create a DMARC record too, especially one that contradicts your policies.
  8. You create an entry in the zone file named:

_dmarc.example.com

  9. The DMARC record will look like this:

              "v=DMARC1; p=none; rua=mailto:report@example.com"

  • Always start the DMARC record with the version (v), as it is a required tag.
  • Set the policy (p) to monitor mode (none).
  • Request aggregate reports (rua) in the beginning; many people find the forensic reports (ruf) challenging to fully understand because of the volume of data they include.
  • If you want WageWorks to also receive the reports, add their email address as well so that it looks like this:

"v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:report@example.com, mailto:report@wage.example.com"

  • At this point, you might be wondering about domain identifier alignment, because example.com and wage.example.com aren’t exactly identical. They are actually considered “aligned” by default. This can get confusing, but bear with me. Two optional DMARC tags, aspf and adkim, control how closely the domains must match during the SPF and DKIM alignment checks. If these tags are set to strict (s) mode, the WageWorks emails would fail DMARC because example.com and wage.example.com would be considered misaligned. However, the default setting is relaxed (r), under which the two are aligned because they share the same organizational domain. Since aspf and adkim are optional and we want their default values, there’s no need to include them in the DMARC record.
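As an added example (not code from the post), here is a small Python model of how a receiver would use the record above: it parses the TXT record, falls back from _dmarc.wage.example.com to _dmarc.example.com when the subdomain publishes nothing, and evaluates strict versus relaxed alignment for the example.com / wage.example.com pair. It assumes a From: domain of wage.example.com authenticated as example.com for the misalignment case, and approximates the organizational domain by the last two labels.

```python
from typing import Dict, List, Optional

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict; v=DMARC1 must come first."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

def report_addresses(tags: Dict[str, str]) -> List[str]:
    """rua is a comma-separated list of mailto: URIs."""
    return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

def org_domain(domain: str) -> str:
    # Simplifying assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookup_policy(records: Dict[str, str], from_domain: str) -> Optional[Dict[str, str]]:
    """Query _dmarc.<From domain>, then fall back to _dmarc.<org domain>.
    `records` stands in for DNS TXT lookups (constructed sample zone)."""
    for d in (from_domain.lower(), org_domain(from_domain)):
        if "_dmarc." + d in records:
            return parse_dmarc(records["_dmarc." + d])
    return None

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_pass(tags, from_domain, spf_domain=None, dkim_domain=None) -> bool:
    """DMARC passes if at least one mechanism that passed on its own also aligns.
    spf_domain is the Return-Path domain, dkim_domain the d= of a valid signature;
    pass None for a mechanism that failed or is absent."""
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok

# Constructed sample zone: only the organizational domain publishes a record.
ZONE = {"_dmarc.example.com":
        "v=DMARC1; p=none; rua=mailto:report@example.com, mailto:report@wage.example.com"}
```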

What other situations have you encountered with your corporate environment?
