Reading a DMARC report for the first time can be a little daunting. 


Keep the goal in mind: to align your SPF and DKIM records on a per-sender (email provider or service) basis. The rest is manual work and research: determining the legitimacy of each unaligned sender, then following the instructions provided by that sending service or provider to configure your DNS records or their configuration so that they align.


There is a lot of technical legwork involved in getting this done. If you have to choose between SPF and DKIM alignment, choose DKIM. Most services will provide instructions for both; however, there are some services that just do not align.


A list of DMARC sending services can be found here - https://dmarc.io/sources/ along with the corresponding instructions on how to configure your DNS and their service. This is a journey, and it is not automated. 


However, your reward will be better email delivery and better email security once you start enforcing your DMARC record. 


You will need to have access to your DNS service provider to configure the records.


If you are the technical person responsible for this project, here are some thoughts and considerations:


DMARC Reporting

Configure your DMARCreport.com account and publish your _dmarc record. It will take at least 24 hours to get your first reports. You are going to see a lot of information in the reports, but remember the goal: the reports are there to help you visualize the alignment of your SPF and DKIM records. The reports will also try to identify the sending service by its IP addresses; however, this is not always possible.


Tools like https://lookup.icann.org/en/lookup and https://www.whois.com/whois/ are helpful for finding out this information. It's not always perfect, but it should get you close to determining the sending source.


Audit


Create a framework to perform an audit or inventory to identify all of the services that are used to send emails on behalf of the company or the domain. The easy way is to use a spreadsheet and list all of these services. Ask the sales, marketing, HR teams, and any other departments that use third-party services to send emails.


During your audit, think about things like the website's contact-us forms: how are they sent?

Do you use surveys, newsletters, or CRM tools? 

Once you have a comprehensive list of all these services you can start. 


Log into each of these services and follow this process:  https://support.dmarcreport.com/support/solutions/articles/5000873939-determine-alignment-status-spf-dkim-dmarc-per-source


You will also need to check the DMARC reporting records to see your progress and discover any unknown sending services. 


You will also find services like the one mentioned above in the DMARC records. You should look at the reverse DNS records and try to figure out who the provider of the email is. Track down how it is sending (contact their support if needed) and adjust accordingly.


Unknown Sources


You will discover some unknown sending sources, but unless you are actively being spoofed or impersonated, our suggestion is to keep track of these without spending the majority of your time tracking them down. Lock down the known records, and then you can spend time on these other sources.


Remember, you can always tighten your security by adjusting your DMARC policy, and these unaligned sources can be blocked in DNS. That is going to be your last process.