Email authentication

5 common mistakes to avoid when deploying DMARC

Deploying DMARC can be an overwhelming and complicated process. In this article we will cover the 5 common mistakes to avoid when deploying DMARC.

1. Not setting up parked (inactive) domains

All companies implement DMARC for their active domains. However, most companies also have parked (inactive) domains and do not implement DMARC for them. Not setting up DMARC for parked (or inactive) domains is a common mistake. You might not send email from your parked domains, but someone else might abuse them. Because these domains are not active, they are easy to protect. Do not skip these domains in your DMARC implementation project. Click here for more information about setting up parked domains.

2. Immediately going to a full ‘Reject’ policy

We often see companies start deploying DMARC and immediately go to a full ‘Reject’ policy. This is a common mistake because it will most likely result in a loss of legitimate email. We recommend deploying DMARC policies slowly. Start off by monitoring your traffic and looking for deviations in the reports, such as messages that are unsigned or are perhaps being spoofed. When you’re comfortable with the results, change your policy to ‘Quarantine’ in small steps. Monitor the results once again, this time in both your spam catch and in the DMARC reports. When you are 100% sure that all of your messages are signed, change your policy to ‘Reject’. Make sure to monitor all reports to ensure your results are acceptable.

3. Not working on your alignment

An important aspect of DMARC is to make sure that the address in the ‘From’ header is the legitimate sender of the message. DKIM and SPF are used to verify senders. Alignment means that the ‘From’ domain matches the sending domain. We often see companies changing their policy while DKIM and/or SPF are not fully aligned yet. This is a common mistake: changing your policy while DKIM and/or SPF are not fully aligned will probably lead to a loss of legitimate email. Always make sure DKIM and/or SPF are fully aligned before changing your DMARC policy. Click here for more information about alignment.

4. More than 10 lookups in your SPF record

Having more than 10 lookups in your SPF record is a common mistake when deploying DMARC. SPF allows up to 10 ‘lookups’ to reduce the load on the email receiver’s side. When you have more than 10 lookups, the items after the 10th lookup may (and probably will) not count as valid SPF sources. If you have more than 10 lookups, you will have to reduce the number of lookups. Click here for more information about maximum lookups.
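The following is an added example, not part of the original article: a Python function that counts the SPF terms that trigger DNS queries (`include`, `a`, `mx`, `ptr`, `exists` and `redirect`, the terms RFC 7208 counts toward the limit), following nested includes. The `ZONE` dictionary, its domains and the helper names are constructed for illustration and stand in for live TXT lookups.

```python
# ZONE is constructed sample data standing in for live DNS TXT lookups.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.mail.example include:crm.example "
                   "include:news.example ip4:192.0.2.0/24 -all",
    "_spf.mail.example": "v=spf1 include:a.mail.example include:b.mail.example "
                         "include:c.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "c.mail.example": "v=spf1 a mx ~all",
    "crm.example": "v=spf1 include:a.mail.example exists:%{i}.bl.crm.example ~all",
    "news.example": "v=spf1 ip6:2001:db8::/32 redirect=_spf.mail.example",
    "small.example": "v=spf1 mx ip4:192.0.2.10 -all",
}
LIMIT = 10  # maximum number of DNS-querying terms per SPF evaluation
COUNTED = {"a", "mx", "ptr", "exists", "include"}  # mechanisms that query DNS


def count_lookups(domain, zone=ZONE, seen=None):
    """Worst-case number of DNS-querying terms needed to evaluate domain's SPF."""
    seen = set() if seen is None else seen
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    seen = seen | {domain}  # track the current include path only
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            # redirect counts as one lookup plus whatever its target needs
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # strip a CIDR suffix such as "a/24"
        if name in COUNTED:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, seen)
    return total


def over_limit(domain, zone=ZONE):
    """True when the record needs more lookups than the limit allows."""
    return count_lookups(domain, zone) > LIMIT
```

For the constructed `example.com` record the count is 18, even though the top-level record lists only five DNS-querying terms; the nested includes account for the rest.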

5. Not using a DKIM signature

DKIM is one of the two authentication techniques to make emails DMARC compliant. DMARC Analyzer recommends always signing outgoing messages from your direct mail sources with a DKIM signature. Using DKIM will not only make your emails DMARC compliant, it will also help with forwarding issues.