The Ins and Outs of DMARC Monitoring
Denis O'Sullivan
As more inbox providers announce testing and support for Brand Indicators for Message Identification (BIMI), every sender needs to get their ducks in a row ahead of time. BIMI will allow brands’ logos to appear in the inbox, which should be advantageous to senders and (hopefully) result in an increase in recipient engagement.
To take advantage of BIMI, you not only need a Domain-based Message Authentication, Reporting & Conformance (DMARC) record, but you also need to be at DMARC enforcement (quarantine or reject). That said, you don’t want to move to DMARC enforcement until you’re sure all of your valid mail passes DMARC. Here’s where DMARC monitoring comes into the equation.
What is DMARC monitoring?
DMARC monitoring is the act of reviewing DMARC reports to check for unauthorized senders spoofing your domain.
When you first create a DMARC record, you include an email address that will receive the DMARC reports. The reports are incredibly valuable but aren’t easy to interpret. Raw DMARC reports are simply XML data dumps with lines of detail about the IP addresses and authentication status of each email.
Valimail, Twilio SendGrid’s partner and a leader in zero-trust email security, offers free access to its DMARC Monitor tool for every Twilio SendGrid customer. After you create an account, you can add your sending domain(s) and update your DMARC record so that the DMARC reports are sent to Valimail.
Then, instead of running through XML data dumps, you have free access to a dashboard that provides all the data you need to make informed decisions about your DMARC policy, including every third-party service that sends from your domain.
How to get started with DMARC monitoring
DMARC monitoring is crucial to the security of your email program. An added bonus is that reaching DMARC enforcement will allow you to set up BIMI once it’s generally available. In this section, you’ll learn how to monitor your DMARC reports with Valimail and reach DMARC enforcement.
1. Publish your DMARC record
The first step is to create your DMARC record if you haven’t already done so.
When you create that record, include Valimail’s reporting inbox in the rua tag so that the DMARC reports feed directly through to Valimail. Your DMARC record should look like this:
2. Create your DMARC Monitor account
After your DMARC record has been published to your domain name system (DNS), the next step is to create your free DMARC Monitor account with Valimail. To create your account, click here.
3. Verify your sender sources
Once you have access to Valimail and are sending DMARC reports to Valimail, the next question is: What data should you focus on?
First and foremost, you want to make sure no one tries to spoof your domain.
With DMARC monitoring, you’ll be able to see which sending services are being used to send mail from your domain, the volume of email sent from your domain, and whether or not that mail is passing SPF, DKIM, and DMARC.
Look through the sender sources and verify each one. If you don’t recognize a sender source, it’s possible that either someone else within your organization is sending mail using your domain or someone is spoofing your domain and damaging your reputation.
For more information on spoofing, phishing, and protecting your email program, check out our guide, Uplevel Your SenderOps.
4. Reach DMARC enforcement
After you confirm that all of your valid mail passes DMARC, you can update your DMARC record to a policy of “quarantine” or “reject,” also known as DMARC enforcement.
DMARC enforcement ensures that only authorized sending services can send mail from your domain.
In order to implement BIMI, you need to have one of those policies enabled. A “none” policy won’t allow a sender to implement BIMI.
5. Continue to monitor
Even after you move to a policy of “quarantine” or “reject,” it’s important to monitor your DMARC reports. If you experience a change in your sending services, whether from internal factors or updates from the services, you must have a system in place to monitor these changes. You can do this by monitoring the daily DMARC reports to verify the authentication status of your approved services and identify any new services that may pop up on these reports.
Once you notice a service failing authentication, follow the previous steps to update the service or add the appropriate Sender Policy Framework (SPF) record and DomainKeys Identified Mail (DKIM) key for the authorized services. You’ll also need to remove the SPF or DKIM specifications for services that are no longer valid.
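As an added example (not from the original article or from Valimail), the Python below does by hand what steps 3 and 5 describe, working on the raw XML reports mentioned earlier: it tallies each source IP in an aggregate report and flags unrecognized sources and approved sources that fail DMARC. The report, the IP addresses and the APPROVED_SOURCES allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report in the RFC 7489 layout; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>10</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>7</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical allowlist: source IPs of the sending services you have verified.
APPROVED_SOURCES = {"192.0.2.10", "198.51.100.25"}

def summarize(report_xml):
    """Total message count and DMARC-passing count per source IP."""
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    stats = defaultdict(lambda: {"count": 0, "dmarc_pass": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip, n = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        stats[ip]["count"] += n
        stats[ip]["dmarc_pass"] += n if passed else 0
    return dict(stats)

def findings(report_xml, approved):
    """List (source_ip, issue, message_count) tuples that need follow-up."""
    out = []
    for ip, s in sorted(summarize(report_xml).items()):
        failing = s["count"] - s["dmarc_pass"]
        if ip not in approved:
            out.append((ip, "unrecognized source", s["count"]))
        elif failing:
            out.append((ip, "approved source failing DMARC", failing))
    return out

if __name__ == "__main__":
    for ip, issue, n in findings(SAMPLE_REPORT, APPROVED_SOURCES):
        print(f"{ip}: {issue} ({n} messages)")
```

The dkim and spf values under policy_evaluated are the aligned results, so a source that passes only one of them still passes DMARC; only messages failing both count against an approved service.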
DMARC monitoring takeaways
DMARC monitoring allows you to keep tabs on who sends emails from your domain, take steps to block unwanted senders, and reach DMARC enforcement. While not a cure-all, DMARC enforcement provides added protection to your email program and allows you to implement BIMI. A logo of your brand in the inbox may seem small, but that additional image increases brand recognition and helps recipients trust your email.
Sign up for Valimail’s free DMARC Monitor tool. Feel good knowing that you’re protecting your domain and taking the next steps toward implementing BIMI.