By Shehzad Mirza
First, congratulations on the implementation of DMARC for your organization. It’s one of the best steps you can take to protect your organization’s email domain and brand.
So what should you do now? Well that really depends on the policy level you have set.
Policy level None:
If you are starting off at policy level None, then there are still a few actions that need to be taken. Policy level None is meant only to monitor the impact of DMARC for the organization. This level does not benefit the organization or its partners/consumers/consumers. You need to move to the policy level set to Quarantine or Reject to have an impact.
So why have a policy level None?
Well, this is to make sure that you have set up SPF and DKIM appropriately for your email domain(s). At policy level None, it is important to review the reports received to confirm that all authorized mail systems are present in SPF, and that DKIM is being used by all email domains associated with the organization. Policy level Quarantine or Reject:
At these levels, it is still important to review the reports, in order to determine why (if any) messages may be going to spam or being dropped, but may not need to be reviewed as often as policy level None.
IT IS IMPORTANT TO REVIEW THE REPORTS GENERATED!!!
The reports will inform you of which messages passed or failed, and why. This capability can also provide more direct visibility into your infrastructure by providing insight into misconfigurations or new legitimate email based services that may be stood up for your organization without your knowledge. Some emails could be sent from third party vendor systems that finance, marketing, PR or sales staff are using to send bulk messages. These could be surveys (MailChimp, SurveyMonkey, customer relations management (e.g., Salesforce), or outsourced marketing firms.
Additionally, these reports can also be beneficial for collecting defensive threat intelligence by potentially identifying interesting spear phishing campaigns, unknown IPs trying to send email on your behalf.
Just note, reviewing reports can be very time consuming depending the size of the organization and the amount of email being sent.
Here are some free tools that can make report review easier:
XML to Human Converters (best if small number of reports are received)
Dmarcian – XML Uploader
DMARC Analysers (limited capabilities)
Postmark – https://dmarc.postmarkapp.com/
Third Party Tools
LinkedIn LaFayette – https://github.com/linkedin/lafayette/
SendGrid DMARC Parser – https://github.com/thinkingserious/sendgrid-python-dmarc-parser
Yahoo’s DMARC Report Processor – https://github.com/prbinu/dmarc-report-processor
Additional resources are available on DMARC.org’s Code and Library page
However, if you receive a large number of reports, then it may be best to connect with a DMARC vendor (Agari, Dmarcian, ProofPoint or Valimail) as they can provide a portal with an aggregate view of all the reports, and can provide guidance with record implementation and adjustment. This level of service and capability does of course come at a cost.
It is recommended to review these reports, verify which domains are authorized, and adjust the SPF recorded as needed. Do this for about 3-5 months. Once complete, change the policy to Reject (or Quarantine).
Do not stay at policy level None. If you want to help reduce spam/phishing using your organization’s email domain, then move up to policy level Reject.
If you have any questions or need additional guidance, please feel free to reach out to us at [email protected].
The author, Shehzad Mirza, is the Director of Operations (NYC Office) at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.