DMARC monitoring is a must-have practice for brands looking to make the most of the inbox.
As more inbox providers announce testing and support for Brand Indicators for Message Identification (BIMI), every sender needs to get their ducks in a row. BIMI allows brands’ logos to appear in the inbox, which can be advantageous to senders and (hopefully) result in an increase in recipient engagement.
To take advantage of BIMI, you not only need a Domain-based Message Authentication, Reporting & Conformance (DMARC) record, but you also need to be at DMARC enforcement (quarantine or reject). That said, you don’t want to move to DMARC enforcement until you’re sure all of your valid mail passes DMARC.
Here’s where DMARC monitoring comes into the equation.
DMARC monitoring is the act of reviewing DMARC reports to check for unauthorized senders spoofing your domain.
When you first create a DMARC record, you include an email address that will receive the DMARC reports. The reports are incredibly valuable but aren’t easy to interpret. Notice the raw DMARC reports are simply XML data dumps with lines of detail about the IP addresses and authentication status of each email (example below).
Valimail, Twilio SendGrid's partner and a leader in zero-trust email security, offers free access to its DMARC Monitor tool for every Twilio SendGrid customer. After you create an account, you can add your sending domain(s) and update your DMARC record so that the DMARC reports are sent to Valimail.
Then, instead of running through XML data dumps, you have free access to a dashboard (example below) that provides all the necessary data you need to make informed decisions around your DMARC policy, including every third-party service that sends from your domain.
DMARC monitoring is crucial to the security of your email program. An added bonus is that reaching DMARC enforcement will allow you to set up BIMI once it's generally available. In this section, you'll learn how to monitor your DMARC records with Valimail and reach DMARC at enforcement.
The first step is to create your DMARC record if you haven’t already done so.
When you create that record, include Valimail’s reporting inbox in the rua tag so that the DMARC records feed directly through to Valimail. Your DMARC record should look like this:
After your DMARC record has been published to your domain name system (DNS), the next step is to create your free DMARC Monitor account with Valimail. To create your account, click here.
Once you have access to Valimail and are sending DMARC reports to Valimail, the next question is: What data should you focus on?
First and foremost, you want to make sure no one tries to spoof your domain.
With DMARC monitoring, you’ll be able to see which sending services are being used to send mail from your domain, the volume of email sent from your domain, and whether or not that mail is passing SPF, DKIM, and DMARC.
Look through the sender sources and verify each one. If you don’t recognize a sender source, it’s possible that someone else within your organization is either sending mail using your domain or spoofing your domain—and damaging your reputation.
For more information on spoofing, phishing, and protecting your email program, check out our guide, Uplevel Your SenderOps.
After you identify all of your valid mail passes DMARC, then you can update your DMARC record to a policy of “quarantine” or “reject,” also known as DMARC enforcement.
DMARC enforcement ensures that only authorized sending domains can send your mail.
In order to implement BIMI, you need to have one of those policies enabled. A "none" policy won't allow a sender to implement BIMI.
Even after you move to a policy of “quarantine” or “reject,” it’s important to monitor your DMARC reports. If you experience a change in your sending services, whether from internal factors or updates from the services, you must have a system in place to monitor these changes. You can do this by monitoring the daily DMARC reports to verify the authentication status of your approved services and identify any new services that may pop up on these reports.
Once you notice a service failing authentication, follow the previous steps to update the service or add the appropriate Sender Policy Framework (SPF) record and DomainKeys Identified Mail (DKIM) key for the authorized services. You’ll also need to remove the SPF or DKIM specifications for services that are no longer valid.
A DMARC service is a third-party service or software that helps your business implement and manage DMARC. These services offer tools and features to monitor and enforce DMARC policies, providing better control over the email authentication process and helping to prevent unauthorized use of a domain's email identity.
We partner with Valimail to provide their DMARC monitoring
to all our customers.
Here's how a DMARC service can be useful:
- Simplified Setup: DMARC services often provide user-friendly interfaces to configure DMARC policies and generate DNS records.
- Real-time Monitoring: Services can help monitor email traffic in real time and provide alerts when authentication issues are detected.
- Detailed Reporting: DMARC services generate comprehensive reports that help domain owners understand how their email domains are being used and identify potential threats.
- Expertise: Third-party DMARC services often have specialized knowledge and expertise in email authentication, helping organizations implement best practices effectively.
Implementing DMARC policies and DMARC services enhances your email security, reduces the risk of email-based attacks, and protects your brand's reputation.
DMARC monitoring allows you to keep tabs on who sends emails from your domain, take steps to block unwanted senders, and reach DMARC at enforcement. While not a cure-all, DMARC enforcement provides added protection to your email program and allows you to implement BIMI. A logo of your brand in the inbox may seem small, but that additional image increases brand recognition and helps recipients trust your email.
Sign up for Valimail’s free DMARC Monitor tool. Feel good knowing that you're protecting your domain and taking the next steps toward implementing BIMI.
Check out the following resources to learn more about BIMI and email authentication: