For many organizations, the deployment of DMARC across their domain catalog can involve many challenges. One such challenge is the identification of all third-party services, also called sources, that send email on behalf of one or more domains. Our Deployment Team recommends the important step of developing a strong process surrounding the risk assessment, procurement and management of third-party services that send emails on behalf of your domains.

DMARC Vendor-Management Process

An organization’s vendor-management process can identify DMARC maintenance issues whenever vendors are onboarded, services are terminated, or if a change in a vendor relationship causes a shift in how the vendor sends email on behalf of the organization (e.g. a vendor may have improved their ability to support DMARC). 

Integrate Business Units

The vendor-management process is not meant to live in isolation within IT and works best when it is integrated into each business unit that is involved when evaluating a third-party service. For instance, reviewing contractual wording to ensure a vendor has to be DMARC compliant if they are to be sending emails on behalf of your domains. An organization’s transparency with third-party sources is especially true when performing risk assessment for a new application or a new vendor that will have the ability to send mail on behalf of your domains. A well-defined and communicated process can provide you with a proactive way to prevent email deliverability issues before they occur. 

This process should be integrated with any existing authorized list of vendor applications. In the case of third-party email sending services, it becomes particularly important that specific information be captured surrounding their DMARC capabilities, how it was deployed, and which internal account owner/administrator is responsible. 

Involve Multiple Channels

Email is a common source of help/support inquiries, and employees within an organization may bring DMARC-related issues to the help/support desk. Individuals are unlikely to identify DMARC-related issues (nor should they be expected to). In the case of third-party vendors, you often need to involve the administrator of these services to make required changes or even contact the vendor’s support channels. This administrator often does not reside within IT and demonstrates why a vendor-management process and transparency are vital.

Align DMARC with Existing Processes

Navigating your internal processes can be challenging in ensuring the right people are involved in making this process successful. Once it is successfully baked into your existing processes, ongoing management and monitoring of your domain catalog and DMARC compliance will become a much more assured concept.

If you have any questions about deploying and maintaining DMARC or its related processes, don’t hesitate to contact us. If you haven’t begun your DMARC project, you can register here for a free 14-day trial.

Want to continue the conversation? Head over to the dmarcian Forum