Monitoring your Authentication and deliverability with DMARC

What is DMARC?

• Article at DMARCAnalyzer - https://www.dmarcanalyzer.com/dmarc

• URIports has an awesome interactive tool that walks you through the SPF, DKIM, and DMARC checks in real-time for one of your own emails

• DMARC is a way for you to discover what services (or rogue entities) are sending emails on your behalf… and then offers a way to tell recipients to reject the ones that don’t meet your SPF/DKIM criteria

Setting up DMARC

• I recommend starting with a DMARC service and putting your DMARC in '“watch” mode with p=none.

• Once you’ve monitored your email feedback for a few weeks and are satisfied that the only failures are from servers spoofing you, it’s time to upgrade your none setting to quarantine and eventually reject.

Check your DMARC record

Use one of these free tools to check on your DMARC records (you enter the domain and it gets checked):

• MxToolbox DMARC check - https://mxtoolbox.com/dmarc.aspx

• Dmarcian DMARC inspector - https://dmarcian.com/dmarc-inspector/

• Dmarc Analyzer record checker - https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

Use one of these free tools to check the syntax of a DMARC record before you create your DNS entries.

• https://vamsoft.com/support/tools/dmarc-policy-validator

Use a DMARC Monitoring Service!

• I can’t stress this enough… if you send a lot of email, you don’t want to be reading emailed reports from your recipients telling you exactly what happened with your emails.

• Sign up for a DMARC monitoring service. They receive a copy of all the reports and put them into a nice dashboard for you.

  • Uriports - starts at $1/month to get essentially all the feedback you need to get your email authentication up and running nicely.

  • Cloudflare is currently in beta for a free (?) DMARC monitoring service

  • Postmark offers a free service consisting of a weekly email summary of your DMARC aggregate feedback results

  • Dmarc.lv offers a free option for a single domain. I’ve not tried it, but people have told me they like it

  • ValiMail offers a free monitoring service for Office 365, but it’s pretty simplistic.

  • I’ve also used DMARCAnalyzer and liked it, although their pricing is no longer transparent (and thus probably expensive)

Service-specific articles on DMARC

You will need to work with each service that sends email for you. This includes your primary (person-to-person) email provider plus additional providers you might use for marketing, sales, etc.

• DMARC for Google gSuite - https://support.google.com/a/answer/2466580

• DMARC for Office 365 - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide

• Dmarcian maintains a list of email sources and whether or not they support DKIM/SPF/DMARC here:

  • https://dmarc.io/sources/