Not setting up parked (inactive) domains:

It's common for companies to have inactive domains that are not used for sending emails. However, these domains are still vulnerable to abuse and can be used for phishing attacks. Not setting up DMARC for parked domains is a mistake because it leaves them unprotected. It's important to set up DMARC for all domains associated with your organization to prevent unauthorized use of any domain that you own. To set up DMARC for parked domains, follow the same process as for active domains.

Immediately going to a full ‘Reject’ policy:

Deploying DMARC with a full "Reject" policy immediately can lead to a loss of legitimate emails. It's important to start with a monitoring policy and analyze the reports for any deviations or issues. After reviewing the monitoring reports, the policy can gradually be changed to "Quarantine". This will help to identify any legitimate emails that could be blocked by the DMARC policy. Once you are sure that all the legitimate emails are signed, the policy can then be changed to "Reject".

Not working on your alignment:

DMARC policy requires the alignment of DKIM and SPF authentication methods with the “From” domain. Alignment is important to ensure that the email is coming from a legitimate sender. It's a mistake to change the DMARC policy without having fully aligned DKIM and SPF first, because doing so will cause legitimate emails to be rejected or marked as spam. Therefore, it's important to have DKIM and SPF fully aligned before setting the DMARC policy.

More than 10 lookups in your SPF record:

Having more than 10 lookups in your SPF record is a common mistake when deploying DMARC. SPF allows up to 10 lookups to avoid excessive load on email receivers. However, when there are more than 10 lookups, some of the items after the 10th lookup may not be counted as valid SPF sources. This can result in the SPF record not being fully effective, and some emails may be marked as spam or rejected. Therefore, it's recommended to reduce the number of lookups in the SPF record to 10 or fewer. This is the problem that solves. 
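
As an added illustration (not part of the original article), the sketch below counts the lookup-causing terms in an SPF record the way the 10-lookup limit counts them, following nested include and redirect targets. The domain names and records are constructed sample data, records are read from an in-memory dictionary instead of DNS, and the total is the worst case in which every term is evaluated.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed sample zone (hypothetical names): domain -> published SPF record.
SAMPLE_ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mailvendor.example "
                   "include:_spf.crm.example include:_spf.helpdesk.example "
                   "ip4:192.0.2.0/24 ~all",
    "_spf.mailvendor.example": "v=spf1 include:_a.mailvendor.example "
                               "include:_b.mailvendor.example "
                               "include:_c.mailvendor.example ~all",
    "_a.mailvendor.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_b.mailvendor.example": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_c.mailvendor.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 mx include:_spf.cloudhost.example ~all",
    "_spf.cloudhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 a:mail.helpdesk.example ~all",
}


def term_cost(term, zone, path):
    """Worst-case lookups for one SPF term, following include/redirect targets."""
    m = TERM_RE.match(term.lower())
    name, target = m.groups() if m else (None, None)
    if name not in LOOKUP_TERMS:
        return 0  # ip4, ip6, all, exp and unknown terms are not counted
    if name in ("include", "redirect") and target and target not in path:
        return 1 + count_lookups(target, zone, path)
    return 1  # a, mx, ptr, exists, or an include that would loop back


def count_lookups(domain, zone, path=()):
    """Worst-case total of lookup-causing terms reachable from a domain's record."""
    terms = zone.get(domain, "").split()[1:]  # skip the "v=spf1" version tag
    return sum(term_cost(t, zone, path + (domain,)) for t in terms)


def breakdown(domain, zone):
    """Per-term cost of the top-level record, to show what to trim or flatten."""
    return [(t, term_cost(t, zone, (domain,))) for t in zone[domain].split()[1:]]


if __name__ == "__main__":
    print(breakdown("example.com", SAMPLE_ZONE))
    print(count_lookups("example.com", SAMPLE_ZONE), "lookups; limit is", SPF_LOOKUP_LIMIT)
```

On the sample data the top-level record has only five lookup-causing terms, but the nested includes bring the total over the limit, which is why counting the visible terms alone is not enough.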

Not using a DKIM signature:

DKIM is an important authentication technique used to make emails DMARC compliant. It's recommended to always sign outgoing messages from your direct mail sources with a DKIM signature. Signing emails with DKIM helps to ensure the authenticity of emails and avoid issues with forwarding. It's a mistake not to use DKIM as it can lead to emails being rejected or marked as spam. Implementing DKIM for outgoing emails can help to ensure successful DMARC deployment.