DMARC Deployment Checklist
DMARC is a domain-based email control. Because email domains are a shared resource within most organizations, deploying DMARC is best done with a project management mindset, as it will require coordination and change across many departments. While there are certain technical aspects to getting DMARC in place, such as making the necessary changes in DNS, much of the work involves communication and creating strong business processes that will remain in place after getting domains to p=reject.
If you’re looking to deploy DMARC, watch the video on dmarcian’s deployment process. It’s worth your time!
Here’s a checklist you can use to help get DMARC into place:
- Create a list of your domains.
- Publish DMARC records. In this phase, all mail flows are equipped with DMARC, but in such a way as to not disrupt mail delivery. Gather all organizational domains and collect data about them using a p=none policy with aggregate reporting enabled via the rua tag in the DMARC record. These reports will provide insight into the health of your current email authentication.
- Wait at least six weeks for data to roll in to have a complete picture of the sending sources, their trends, and sending patterns. Domains that are not used for email should also be monitored using p=none, as they can still be abused. The goal is to identify and then remediate all legitimate sources and servers that send on your behalf and eventually move toward a p=reject policy. Look at your DMARC reports to figure out what you need to do next.
- Depending on who is sending your legitimate email, bring your sources of email into compliance with DMARC. An email source is a designated service provider that sends email on behalf of your domains. This ranges from your primary email infrastructure down to marketing automation, HR platforms and so on. Here are the steps to take:
  - Identify the stakeholder responsible for the source.
  - Confirm that the source is legitimate, that is, approved by the organization.
  - If the source is not legitimate, communicate to the stakeholder that usage of the domain has not been permitted and emails will be blocked. They will need to either receive approval or find an alternative suitable to the organization.
  - Communicate to the source stakeholder the actions that need to be taken.
  - Identify and document the changes required to achieve DMARC compliance with the source. Information provided on dmarc.io/sources can assist you with specific configuration steps.
    - Self-serve configuration: Changes are done by an administrator who is generally an employee of your organization.
    - Managed configuration: The stakeholder of a source will need to submit a support request with the vendor and request DMARC configuration.
  - Test the changes, and monitor data for a minimum of seven days.
- dmarcian tracks the capabilities of email sources to allow dmarcian users to quickly identify the changes that need to happen.
- DMARC uses SPF and DKIM to make email easy to identify. Here’s a short video about SPF and one for DKIM.
- As each domain becomes compliant with DMARC to your satisfaction, you can put in place controls to disallow unauthorized use of your domain.
- Continue to monitor for DMARC compliance.
- When you get a new domain, put it through these steps to maintain DMARC compliance.
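The triage the monitoring steps above call for, as an added example that is not dmarcian's code: parse a constructed aggregate (rua) report in the RFC 7489 XML shape and list the sending sources that still fail DMARC alignment and so must be fixed or blocked before moving to p=reject. The receiver name, IP addresses and domain are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report in the RFC 7489 XML shape.
# The IPs (documentation ranges) and domain are placeholders, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>
"""

def summarize_report(xml_text):
    """Aggregate message counts per sending IP into aligned vs. unaligned.

    In an aggregate report the policy_evaluated dkim/spf values already reflect
    identifier alignment, so a row passes DMARC when either one is 'pass'.
    Returns {"policy": published_p, "sources": {ip: counts}}.
    """
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"total": 0, "aligned": 0, "unaligned": 0})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        sources[ip]["total"] += count
        sources[ip]["aligned" if passed else "unaligned"] += count
    return {"policy": root.findtext("policy_published/p"), "sources": dict(sources)}

def needs_remediation(summary):
    """IPs with any unaligned mail: each needs an owner and a fix (or blocking) before p=reject."""
    return sorted(ip for ip, s in summary["sources"].items() if s["unaligned"] > 0)

if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print("published policy:", report["policy"])
    for ip, counts in report["sources"].items():
        print(ip, counts)
    print("remediate before p=reject:", needs_remediation(report))
```

Real reports arrive as compressed attachments from many receivers and must be merged over the six-week window before the per-source picture is trustworthy.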
Feel free to use our DMARC research and testing tools; they are available to everyone, even if you don’t have a dmarcian account.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.