How should I integrate my SPF with DMARC?

As you are probably aware, configuring a DMARC record means you will most likely need to update your SPF record. Before DMARC, having SPF rules in place didn't always mean the receiver would actually reject the message. This is where DMARC steps in to help.

What should my SPF record look like when I am at a _______ DMARC policy?

Monitor Policy:

Monitor is where you should start your DMARC journey. Monitor mode allows Agari to receive Aggregate and Forensic DMARC reporting data (https://agari.zendesk.com/entries/25136536-What-is-the-difference-between-aggregate-and-forensic-data-). We can then supply you with a plethora of reporting information about your authentication methods. You can use the reported information to gain deeper insight into who is sending on behalf of your domains and how they are treated by DMARC-participating receivers. (For further information on how you can use the data we provide in the portal to configure your DMARC, please review the following article: https://agari.zendesk.com/entries/50973667-How-can-I-use-the-data-Agari-provides-me-to-implement-DMARC-efficiently-) In monitor mode it is okay to leave your SPF at a softfail if you are still in the process of creating the SPF record.

Quarantine Policy:

Quarantine allows you to tell DMARC-participating receivers to quarantine emails that fail both SPF and DKIM authentication tests. The messages will be quarantined based on the receiver's quarantine rules. This could mean they are added to a Spam/Junk folder or filtered by other means. It is okay to continue using an SPF softfail if you are still confirming the accuracy of your current SPF record.

Reject Policy:

The light at the end of the tunnel. All of your hard work and investigation has led you to the point where you are ready to implement a DMARC reject policy. When you implement a DMARC reject policy you should use a hard fail mechanism (-all) to instruct receivers to fail messages that do not authenticate. A hard fail tells receivers to reject email messages coming from senders that are not listed as authorized.
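The guidance for the three policies above can be checked mechanically. The following Python is an added example, not Agari code: it takes the text of a DMARC record and an SPF record and reports whether the SPF "all" qualifier fits the published policy. It assumes monitor mode is published as p=none; the function names, verdict strings and example.com records are constructed for illustration, and flagging +all or ?all goes beyond what the article states.

```python
# Added example: compare an SPF record's `all` qualifier with the DMARC policy.
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_dmarc_policy(record):
    """Return the p= value (none, quarantine, reject) of a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= tag")
    return policy

def spf_all_result(record):
    """Return the result named by the `all` mechanism, or None if it is absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mechanism = "+", term          # no prefix means "+" (pass)
        if term[0] in SPF_QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        if mechanism.lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return None

def review(dmarc_record, spf_record):
    """Return a verdict string (hypothetical labels) for the record pair."""
    policy = parse_dmarc_policy(dmarc_record)
    result = spf_all_result(spf_record)
    if result is None:
        return "no-all"                # nothing tells receivers how to treat others
    if result in ("pass", "neutral"):
        return "permissive-all"        # assumption: not covered by the article
    if policy == "reject" and result == "softfail":
        return "switch-to-hardfail"    # article: use -all at a reject policy
    return "ok"                        # softfail is acceptable at none/quarantine

if __name__ == "__main__":
    # Constructed sample records for a placeholder domain.
    dmarc = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    spf = "v=spf1 include:_spf.example.com ~all"
    print(review(dmarc, spf))
```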
