5 steps to a DMARC reject policy

Simplify your DMARC project with the DMARC deployment workflow. Below you will see an overview of all the stages taken during the Customer Journey within DMARC Analyzer. DMARC Analyzer recognizes these stages for a DMARC deployment project. The stages are also followed when the DMARC Analyzer staff provides managed service to guide clients through a DMARC deployment project. It’s clarified what to expect during all of these stages. Every next step taken is one step closer to a 100% reject policy.

1. Onboarding

   During the ‘Onboarding’ stage your company will take the first steps to deploy the DMARC 100% reject policy. When you login to DMARC Analyzer for the first time there is no data obviously. The first step that needs to be taken is adding domains into the dashboard. This can easily be done with the icon ‘+ domains’. At this point there is no DMARC Analyzer record added to these domains.
   
   To make sure you won’t miss any reports coming in from the ISPs, we recommend to setup your record with the DMARC Analyzer setup, that can be found in the DNS records menu. Here you can create your personal DMARC record, which needs to be included in the DNS record. By default the policy of the record should always be set on ‘none’. Otherwise legit email can be delivered in the spam folder, or not even being delivered at all.
   
   We recommend you to upload all of your domains, even if you think there is no volume on it. It often happens that there is some traffic on these domains, or that these domains are being used for malicious matters.
   
   Your domains can now be separated into different groups. The groups can be divided per country, primary/secondary domains, parked/inactive domains, etc. These groups makes it easy to see the results for different groups. It’s still possible to see statistics per domain. If all domain groups are setup correctly it’s time to set up the usermanagement.
   
   All users in DMARC Analyzer can get restricted accessibility. It’s possible to show 1 certain domain group to a specific user, show them 1 domain or whatever the restriction is, it’s possible with the User Management.

2. Governance

   After you took the first steps of deploying DMARC you will be generating data. You are now entering the ‘Governance’ stage. At this point your account has been arranged and all of your domains have a DMARC record. However all domains will still be active on a ‘none’ policy. Going from a ‘none’ policy immediately to an 100% reject policy is not common and discouraged.

3. Policy Analysis

   At this point all onboarding steps has been taken. In the stage ‘Policy Analysis’ your assess risk tolerance will be reevaluated. Based on all the collected data, you need to determine which steps are needed to make progress.
   
   The most important step in this stage is to investigate all sources. Here you can determine if a source is valid or invalid for your company. Based on this criteria you now have to start with improving your SPF / DKIM alignment. This is done to prevent losing valid mails from either of these sources, which may occur if a policy update is done.
   
   Find it hard to determine which next steps needs to be taken? Please see the Managed Services page.

4. Policy Enforcement

   At this point you investigated all sources and all the domains have the best possible alignment. It’s now time to enforce your domains. At DMARC Analyzer we recommend a safe enforcement strategy. This means we prefer ‘email delivery’ over ‘domain protection’. This is done to prevent false positives during the policy deployment process.
   
   The strategy you choose is up to you and sometimes a stricter strategy is required. This when for example a big phishing campaign occurred that harms your company a lot. However this is different per customer.
   
   We recommend to update the DNS to “quarantine” with small percentages. Starting with 10% and monitor the statistics if nothing weird occurred. By repeating this process you can work to the ‘reject’ policy. At the end this will result in a policy on 100% ‘reject’.
   
   Need help to determine the right strategy? Please see the Services page.

5. Active Monitoring

   At this point you reached the 100% reject policy however you are not done yet. In the stage ‘Active Monitoring’ it’s very important to constantly monitor all data of your DMARC Analyzer account. The deployment of new software programs (for instance a new CRM program) can give deliverability issues and result in losing legit emails. Therefore it’s still necessary to consistently monitor your DMARC Analyzer account.
   
   The focus is stronger on monitoring and detecting abnormal behaviour. This goes from keeping the DNS records to doing analysis on noncompliant sources, which can be spoofing attacks.
   
   The core of this stage is to monitor the whereabouts of the email channels, providing insight in the legit and malicious email activity. On one hand, monitoring the compliance rate and the underlying sources will help to discover authentication issues, false positives and new legit email sources/vendors. On the other hand, monitoring the compliance rate and non-compliant sources will make an organisation aware of ongoing threads, spoofing and phishing attacks.