Checklist: Getting DMARC Compliant
To ensure the highest possible delivery rate of your outbound email, Domain-based Message Authentication, Reporting, and Conformance (DMARC) compliance is needed. To achieve the integral DMARC status, certain steps are required. For a breakdown of the necessary components for DMARC compliance, MxToolbox offers the following intel.
Email Delivery Record Audit
By auditing your company’s email delivery history, a thorough understanding of any deficiencies will be attained. Analyzing both SPF and DKIM delivery records will help you recognize where increased email security is needed to improve your company’s email delivery rates. This practice, paired with identifying all known third-party providers in use for your outbound email, assists in more messages being delivered as intended.
Being aware of which outbound email providers your business uses to send correspondence on your behalf also aids in securing the highest delivery rates as possible. For this best practice, identifying the effectiveness of your chosen providers and keeping a clean, limited list allows for quick access and easy maintenance.
Optimizing SPF and Adding Providers
Sender Policy Framework (SPF) is a component of DMARC compliancy and an email authentication protocol that allows a domain owner to specify which mail servers are used to send email from that specific domain. In terms of optimizing SPF and adding providers, MxToolbox recommends completing this step before your outbound email base expands, which allows you to take full advantage of its benefits early and often. If your business utilizes third parties to send email, chances are your SPF policy will suffer as more providers are added to the list. Keeping SPF intact and constant across all outbound domains is an important task that needs attention, and our MxToolbox Delivery Center tool will help manage and streamline your expanding third-thirty provider index.
SPF Authentication
SPF can be evaluated via authentication and alignment. An outbound email passes SPF authentication when delivered from an IP address published in the SPF policy for the domain found in the “mail from” envelope. Essentially, the IP address that sent the email must match an IP address published in the SPF record domain.
When a correspondence is received, the inbox will perform tests to verify the message was sent from an IP address or third-party provider you designated in your SPF record. If you have not published an SPF record for all domains/subdomains that send email on your behalf, you should do so now.
SPF Alignment
Alignment is the other SPF test that consists of inboxes checking whether the sending domain (in multiple parts of the message) matches. To achieve SPF alignment, the <From:> header visible to the email receiver must match the domain used to authenticate SPF (e.g., envelope “mail from:” domain). By default, this match looks for the primary domain to match between the two domains so messages that contain a subdomain will align. As the case with authentication, if you have not implemented SPF alignment yet, we recommend you do.
Optimizing DKIM and Adding Providers
DomainKeys Identified Mail (DKIM) is a protocol that contributes to DMARC compliancy and enables a company to take responsibility for sent messages that can be verified by mailbox providers. In other words, it allows the outbound domain to digitally sign email to provide legitimacy for the receiver. To optimize DKIM, be sure to closely follow the signature criteria and correctly implement both authentication and alignment mechanisms. The MxToolbox Delivery Center tool is an ideal way to maintain order with third-party providers, allowing you to focus on other crucial aspects of your business.
DKIM Authentication
Similar to SPF, DKIM can be evaluated in two ways: authentication and alignment. An email passes DKIM authentication when correctly signed by the d= domain in the DKIM header. Basically, a DKIM-Signature is added to the header of outbound messages by the sender, with the recipient comparing the included signature to a publicly available DKIM key for decoding. If decoded, the message is authenticated as being from the shown sender.
To ensure your company’s outbound emails are delivered as intended, correctly implementing DKIM authentication is essential. Being an important component of DMARC compliance, this mechanism provides customer confidence in your brand and helps avoid malicious attacks aimed to scam the public. With DKIM authentication in place, your business is on the right path to being DMARC compliant.
DKIM Alignment
The second kind of DKIM test is alignment. In basic terms, an alignment test verifies that the Organizational domain matches (aligns) in several areas. To achieve DKIM alignment, the <From:> header visible to the email receiver must match the aforementioned d= domain in the DKIM header. By default, this match looks for the primary domain to match between the two domains, which means messages that contain a subdomain will align.
Summation
SPF and DKIM protocols are necessary to attain DMARC compliance. Sub-components of these protocols—authentication and alignment—must pass their respective test for your outbound email setup to reach 100% DMARC compliance. Specific to your brand, confirming both SPF and DKIM function correctly helps the domain realize optimal compliance, resulting in higher email delivery rates to intended inboxes and less spoofing/phishing attacks. Let MxToolbox’s team of industry experts lead your business to peak email delivery heights.