This guide is intended for users interested in getting their own domains to DMARC enforcement using the Valimail Enforce platform.



TABLE OF CONTENTS


Introduction


Historically, implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) has proven to be a challenging undertaking. Fortunately, Valimail Enforce simplifies the process. This article outlines the onboarding steps to achieve success: to have all legitimate emails going out from your organization’s domain(s) properly authenticating and sending with DMARC alignment. 


This article provides step-by-step guidance on getting to DMARC enforcement including:

  • Recommended DNS record changes 
  • Configuring authorized third-party senders and internal systems 
  • Addressing problematic services
  • DKIM enablement 
  • Custom domain configuration for systems such as Google Apps/Salesforce/Zendesk
  • Setting a DMARC policy to p=quarantine or p=reject


To get started, it is important to appoint a project leader to oversee the onboarding. This person is not only responsible for supervising the technical aspects of the process, but for championing the new solution and keeping employees informed of the changes. You may have onboarding partners who will handle their assigned deliverables, but you cannot expect them to take responsibility for all requirements and timelines. Having a designated resource will increase the onboarding project’s success and help move things along.


Depending on the size and complexity of your organization, additional internal partners or project team members may come from some of the following areas:

  • Information Technology
  • Information Security
  • Networking Team
  • Messaging Team
  • Development and Operations
  • Business Operations
  • Corporate Communications Team
  • Office of Organizational Change Management


Enforce Overview 


Business email compromise (BEC) attacks exploit the fact that virtually every organization relies on email to conduct business. 


Since domain spoofing is used in so many BEC attacks, the best way to protect your organization is to secure your email domains by implementing DMARC, and thus, allowing your organization to control who is using its email domains.


Valimail Enforce makes it easier to implement DMARC by bringing all the necessary tools together in one place. DMARC aggregate reports are processed and presented in an easy to understand manner and Valimail’s world-class sender identification process ensures that nothing is overlooked.


Additionally, by hosting your DMARC, SPF, and DKIM records within Enforce, you will be able to manage your domains’ DMARC related activities from a single application, minimizing the need to perform DNS changes.


Benefits of using Valimail Enforce include:

  • Gaining visibility into email traffic through DMARC reporting
  • Identifying shadow IT
  • Blocking spoofing attempts
  • Ensuring only authorized email traffic is allowed to send as your organization’s domains



Step 1: Account setup 


Adding domains

Once an Enforce account is created, the next step is adding the domains that you wish to manage into the platform. This can be done by navigating to the “Domains” tab and then clicking the “Add a Domain” button.


add domain button



Adding users

Adding new users to your Enforce account can be done from the “Account Settings” icon which is located in the top right corner of the menu. Once in Account Settings, click on the "Users" tab and then click on the "Invite" button.


account settings icon

click on Users


click on Invite



There are two types of users:

  1. Owners - which have full access to the platform
  2. Members - which by default do not have any permissions and cannot view anything until you add them to a team. 

Members will need to be added to a team to view domain information and reports. You can create teams from the “Team” tab under “Account Settings.”  In addition to setting custom permissions for each member, you can also group users based on their role in the organization (e.g., Marketing-read only).


Accessing the support portal

Valimail also recommends that you create an account on support.valimail.com. This is our support portal, which will allow you to view the external articles linked in this guide and other useful help articles. You can also file and manage support tickets from within the portal.


Account security

The Authenticate platform supports MFA authentication and SSO authentication. MFA and SSO can be set up from the “General” section under “Account Settings.” For more information about setting up SSO, please refer to one of the following articles:

Step 2: Domain Setup


In this section, we will go through the steps required to configure your DMARC, SPF, and DKIM records. 


We will talk about two types of domains: sending and non-sending domains. By definition, a sending domain is a domain that is used in the “From:” field of an email message. A non-sending domain is a domain owned by your company but is not used to send emails. To protect your name and brand online, you can acquire domains that look similar to your primary domain, and lock them down (steps are provided in the dedicated section below) so that no one can use them to send mail. 


Overview for setting up a domain

  • Point the domain’s DMARC record to the Enforce platform
  • Prepare the domain’s SPF configuration 
  • Point the domain's SPF record to the Enforce platform 
  • Gather the DKIM keys from your DNS, and add the missing ones in the Enforce platform 
  • Point the DKIM record to the Enforce platform


Instructions for Setting up a Domain


Pointing a DMARC record to the platform

For this first step, you will need to point your DMARC record to Valimail Enforce, for us to receive DMARC reports on behalf of your domain, and to enable you to manage the DMARC record directly from Enforce.


It’s possible that you already have a DMARC TXT record in your DNS, but as explained in the article below, you will need to replace it with a NameServer record. 


Please see the following article for the instructions on how to point your DMARC record to Valimail. (note- that link is for paid Enforce customers- we have a separate article for Monitor customers here).


After the step above is completed, you are ready to manage your DMARC record from the Enforce  platform. For the steps on how to manage the DMARC record, see the following article: Managing DMARC Records in Valimail


Preparing the SPF configuration

Before pointing your domain’s SPF record to Enforce, all the services sending on behalf of your domain will need to be configured in the platform. Configuring your authorized service in advance will ensure that moving your SPF record from your current DNS host to Enforce is a seamless process.


Use our Domain Checker tool to look at the existing SPF record. Go to the domain’s Authentication Report in Enforce to see which one of those services are actively sending emails (Enforce > Domains > click ‘View’ on the right). 


view report


Here is a detailed guide on Using the Authentication Report


Once you have an idea of what services and IP addresses are authorized in your SPF record and which ones are actively sending emails, go to the domain’s Configuration page (Enforce > Domains > click on the domain name), and add those services under “Enabled Senders” and the IP addresses as “Netblocks.” 


Enabled Senders and Netblocks



Please see the section titled “Configure Authorized Services” from Step 3  Sender Configuration to see how to configure these services and sending IP addresses.


Pointing the SPF record to Enforce

Once the preparation work has been completed, the SPF record can be pointed to the platform. The Instant SPF® solution provided by Valimail is based on a part of the SPF standard called macros. 


The macros that Valimail uses are as follows: include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all


${i}: The IP address of the server that sent the email

${h}: The EHLO/HELO name of the server that sent the email

${d}: The Mail From domain


When a receiver sees these macros, they will populate these three values into the DNS query to the Valimail system. With this information, the Valimail system will be able to determine the proper SPF response that is relevant for that particular email, based on the list of services and IP addresses that you configured in Enforce. 


Read more about Valimail's SPF record here


For more information about Valimail’s Instant SPF® solution, check this article


To point the SPF record to the platform, add a TXT record into your DNS zones, using these instructions



Gathering the DKIM keys from your DNS, and adding any that are missing 

Once a domain has pointed its DKIM record to the platform, all future DNS queries for the DKIM keys owned by that domain will be redirected to Valimail Enforce. Our platform can detect any DKIM keys that are signing emails and import them, but it’s possible to have a service that rarely sends emails and in that case, we might not have the key in the platform. You will need to check in your DNS zones to see if any DKIM keys are missing from the “DKIM Keys” section at the bottom of the Authenticate configuration page. 


Follow this guide to add new DKIM keys in Enforce


Point the domain’s DKIM record to Enforce

Once all the DKIM keys have been added to the platform, you can point the DKIM record to the platform. This is done by adding the NameServer record below, into your DNS zones: 


Record Name: _domainkey.yourdomain.com.

Record Type: NS (NameServer)

Record Value: ns.vali.email.


If you need help adding a custom NS record in your DNS zones, please contact your DNS Host for assistance. 


Get your domain BIMI-Ready:

Updates to BIMI are coming. To get ahead of the curve, we recommend that you take a few steps to be BIMI-Ready. In order to be BIMI-Ready, we highly recommend pointing your domain’s BIMI record to Valimail and preparing a BIMI-approved logo. We’ve enabled Amplify for your account so you can manage your BIMI-enabled domains when you’re ready.

  1. Point BIMI to Valimail
  2. Create a BIMI-Ready Logo
  3. Upload your logo as an Asset in Amplify®
  4. Assign the asset to your domain
  5. Complete your Valimail onboarding (DMARC enforcement is required prior to BIMI being enabled)


Non-Sending Domains


All domains owned by an organization should be protected by DMARC at enforcement. Even though your organization may not be actively sending email from these domains, that does not mean that bad actors are not. A non-sending domain’s DMARC policy should be set to DMARC p=reject.


DMARC, SPF, and DKIM for the domain should be delegated to Valimail Enforce. This allows the domain to be used to send legitimate emails in the future without needing additional DNS changes. 


In the Enforce interface, the domain should be set to Blocked. This is a four-step process: 


1. Open the “Domains” page in Enforce.

2. Click on “Add a Domain” on the top right, and add the non-sending domain.


add a domain button


3. Once DMARC via NS has been pointed to Valimail for the non sending domain you wish to block, click on editing pen next to the sending status of that domain.


sending status editing pen


4. Select the "Blocked" option and save the changes by clicking on the "Change Domain Mode" button.


blocked domain mode





Step 3: Sender Configuration


One of the most important parts of implementing DMARC is determining which sending services are authorized to send on behalf of your organization.


This process is greatly streamlined by our world-class sender identification technology, which analyzes the data from DMARC aggregate reports and presents it in an easy to understand form.


By reviewing the data in the “Authentication Report” tab, you can get a clear idea of which entities are sending mail on behalf of your organization.


There are three main categories of senders:

  1. Sending services: these are all the vendors that we could recognize as sending on behalf of your organization
  2. Internal sources: these will mostly be your internal relay servers or emails that have been signed with one of the DKIM keys that you published for your domain
  3. Unidentified senders: these are mostly emails that originate from IP addresses that we do not associate with any known vendor, but may sometimes include legitimate relay servers or new vendors that have not yet been added to your list. If the latter is true, we can work with the vendor and add them to our list of recognized services.


Once you have a clear picture of who is sending mail on behalf of your domain, it is important to communicate with stakeholders and domain owners within your company to determine which sending services should be authorized.


Configuring authorized services

After a sending service has been labeled as authorized, the next step is to configure the service and make sure the email traffic originating from the service is authenticated with DMARC.  This is done by configuring SPF and/or DKIM, depending on which method is supported by the vendor.


It is important to check a vendor’s SPF/DKIM documentation before starting the setup process as there may be additional steps required such as verifying the sending email address or publishing domain verification records.


In most cases, enabling SPF for a vendor within Valimail Enforce is as easy as adding it to the “Enabled Senders” list in the Configuration page of your domain.


Please note that the vendor may perform an SPF record check to ensure that their IPs or include statement has been added to your domain’s SPF record.


In most cases, this is simply a text match check and may not be validated if their checker does not parse SPF macros that Valimail uses.


In this case, we recommend that you reach out to the vendor’s support team and ask them to bypass the SPF check.


If this is not possible, you can temporarily add their IP or include statement to your SPF record to complete the validation process.


For example, if a vendor requires that you add ‘include:spf.vendormail.com’ to your SPF record, and they cannot validate your SPF record after you have added them as an enabled sender in the Valimail platform or override the check, you must update your current SPF to match their expectation.


Initial SPF record: 

"v=spf1 include:domain.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

SPF record that the vendor can validate:

"v=spf1 include:domain.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.vendormail.com ~all"


Once the vendor validates your record, you may revert the change, except in cases where the vendor’s system might perform periodic checks of your SPF record.


Adding other sources, such as SMTP servers, can be done from the Netblocks section.


Netblocks section



If the vendor also supports DKIM, it is a best practice to set that up as well. Generating DKIM keys can either be done directly, by the sending service administrator, from the vendor’s dashboard, or by the vendor’s support team. Once they have been generated, you can add DKIM keys to the Enforce platform in the DKIM Keys section.


After the keys have been published, the keys may need to be activated or validated from the vendor’s side before they start signing the emails. It is important to associate the DKIM keys with their corresponding service to ensure proper traffic reporting in the UI.


Please note that while these steps cover the majority of email vendors, each one is different and may require different steps to be performed.


Below you can find a list of the most common email vendors and more detailed information about their SPF/DKIM setup process. If you are having trouble configuring an email vendor after working with the vendor’s support, please reach out to the Valimail support team for assistance. 

We have additional articles for other senders in our KB. Please be sure to check the section called Configuration Guides


Unauthorized services

You will likely notice unauthorized vendors sending on behalf of your organization. Most of the time, these services do not send DMARC authenticated mail and can be ignored: Once you set the DMARC policy to reject, these emails will no longer be delivered.


In rare scenarios, you may encounter an unauthorized vendor whose emails appear to be passing DMARC. This will need to be taken care of on a per case basis, but common explanations include legacy vendors whose DNS records have never been removed or recipients that whitelist their emails.


Services that do not support DMARC

You will notice that some vendors do not support DMARC authentication for the emails that they send on your organization's behalf. This may pose a challenge, because in order to successfully implement DMARC, all of your authorized vendors must send DMARC-aligned emails.


In this case, there are a few options:


  • Reach out to the vendor and ask if they are willing to update their system to be DMARC compliant 
  • Change the ‘from’ address of their emails to something else that will not spoof your domain - ex: change “from” address from “notifications@orgdomain.com” to “companynamenotifications@vendordomain.com”
  • Switching to a similar vendor that supports DMARC — please take into account that this may impose other technical changes on your organization’s side
  • Setting up a dedicated subdomain for the vendor and leaving the subdomain policy to ‘none’ - this is not recommended and should only be used as a last resort. This will be a major security flaw from a DMARC perspective and invalidates some of the benefits of implementing DMARC for your organization




Step 4:DMARC Policy Management


The end goal for implementing DMARC for a domain will always be setting the DMARC policy to p=quarantine or p=reject.


A DMARC policy of quarantine means that unauthenticated mail sent on behalf of your domain will be delivered to the recipient’s spam folder instead of the inbox.


If the DMARC policy is set to reject, unauthenticated mail will be rejected by the recipient’s email gateway and the sender may also receive a bounce back message telling them that the email was not delivered.


It is important to keep in mind that the recipient’s email gateway is the one deciding whether or not an email should be delivered or marked as spam. In some scenarios, the recipient may have a whitelisting rule in place that will override the DMARC policy of the sending domain and may deliver messages that fail DMARC. Also, in rare cases, the recipient’s email gateway may not be set up to check for DMARC results, in which case they will accept all email, even unauthenticated ones.


To determine if a domain’s DMARC policy can be switched to quarantine or reject, we must analyze the data on the “Authentication Report” page. 


Ideally, all of the authorized sending services should have a DMARC pass rate of as close to 100% as possible. This also applies to emails originating from internal sources.


Depending on the importance of specific email systems or their use case scenario, what is considered an acceptable DMARC pass rate may vary but should be  95% or greater.


Please note that for email services that send significant amounts of email, it is almost impossible to have a DMARC pass rate of 100%, because there will always be receivers that route the email in a way that breaks authentication. 


The same goes for email services that only support SPF authentication since forwarding can break SPF authentication. It is unlikely that these services will have a 100% DMARC pass rate.


When changing the DMARC policy, the following parameters are set by default:

  • Subdomain policy: Use the policy defined for the parent domain
  • pct=100: Enforcing the policy for 100% of the messages
  • DKIM Alignment mode: Relaxed
  • SPF Alignment mode: Relaxed


These values are generally recommended, but depending on your use case scenario, you can modify them by exposing the advanced options in the change policy menu.


You can find more information about SPF and DKIM alignment mode here

With this in mind, we recommend that you first switch the DMARC policy to p=quarantine and to continue monitoring the email traffic to look out for potential senders that may have been missed in the discovery process. This may be the time that any previously unidentified service owners may come forward if their email flow has been impacted.


After 2-3 weeks, if there are no reports of impact on email flow and no new service owners have come forward, you can switch the domain policy to p=reject.


Setting the policy to reject is recommended but not mandatory for your domain to be considered at DMARC enforcement. You may choose to stick with a policy of quarantine if that best suits your organization’s needs, knowing that unauthenticated emails will not be getting to recipients’ inboxes, but rather to their spam or junk mail folders. Alternatively, if your organization’s email environment is fairly simple and you are confident in the way it is set up, you can set the policy to reject and skip the quarantine phase.


Congratulations! Your organization’s email domain is now at DMARC enforcement and your onboarding project is complete!




Please check the other areas of our KB for additional docs and tips.