DMARC Mistakes

Common mistakes to avoid when deploying DMARC

1. Not implementing DMARC on inactive domains

Almost every organization holds both active and inactive (parked) domains, but some companies fail to implement DMARC for their parked domains. Not implementing DMARC on inactive domains is a very common DMARC deployment mistake among organizations. It leaves the parked domains vulnerable to misuse. It is recommended to set up DMARC on inactive domains as well.

2. Choosing a full ‘Reject’ policy

Opting for a full ‘reject’ policy immediately is another common mistake, since it might lead to the loss of legitimate email. When deploying DMARC, organizations immediately opt for the full ‘reject’ policy. Organizations are advised to deploy DMARC policies in a phased manner. You can start by monitoring traffic and deviations in the reports and then change the policy to ‘quarantine’ in a strategic manner. It is important to monitor the results in your spam catch and DMARC reports after a policy change. Continue the constant monitoring until you are 100% sure of all your signed and only then it is advised to change your policy to ‘Reject’.

3. Inappropriate alignment

One of the most important aspects of DMARC is ensuring that the address in the ‘From’ header of the message belongs to a legitimate sender. To verify senders, DKIM and SPF are used. Alignment refers to the correct matching of the domain in the ‘From’ address with the sending domain. Another common mistake is that organizations change their policies without checking DKIM and/or SPF alignment. This often leads to the loss of legitimate messages. It is advised to ensure correct alignment of DKIM and/or SPF before changing your DMARC policy.

4. Exceeding 10 lookups in SPF record

Exceeding the 10-lookup limit in your SPF record is another common mistake when implementing DMARC. To reduce the load on the receiver’s side, SPF allows up to 10 lookups. If you exceed 10 lookups, the item(s) after the 10th lookup might not count as a valid SPF source. Hence, it is recommended to keep no more than 10 lookups in your SPF record.
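The lookup budget is easy to exceed because each `include` also brings in the lookups of the record it points to. The following is an added example, not code from this page or from any DMARC tool: it counts the lookup-causing terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) recursively over a constructed set of SPF records. The domains, records and function names are assumptions made for illustration, and no DNS queries are sent.

```python
# Added example: offline SPF lookup counter. All records below are constructed.
SPF_LOOKUP_LIMIT = 10
# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

SAMPLE_RECORDS = {  # constructed: domain -> published SPF TXT record
    "example.com": "v=spf1 mx a include:_spf.mail.example "
                   "include:_spf.crm.example include:_spf.news.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example "
                         "include:_b.mail.example ip4:192.0.2.0/24 ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example": "v=spf1 a:out.mail.example ~all",
    "_spf.crm.example": "v=spf1 a mx exists:%{i}.crm.example ~all",
    "_spf.news.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "parked.example": "v=spf1 -all",  # parked domain that sends no mail
}

def term_cost(term, records, path):
    """Lookups caused by one SPF term, including the records it pulls in."""
    term = term.lstrip("+-~?")  # drop the qualifier
    if term.lower().startswith("redirect="):
        return 1 + record_cost(term.split("=", 1)[1], records, path)
    name, _, arg = term.partition(":")
    name = name.split("/")[0].lower()  # "a/24" is still the "a" mechanism
    if name not in LOOKUP_MECHANISMS:
        return 0  # ip4, ip6, all and other modifiers need no lookup
    if name == "include":
        return 1 + record_cost(arg, records, path)
    return 1

def record_cost(domain, records, path=frozenset()):
    """Total lookups needed to evaluate the SPF record of `domain`."""
    domain = domain.lower().rstrip(".")
    if domain in path or domain not in records:
        return 0  # include loop, or no record in the sample data
    terms = records[domain].split()[1:]  # skip the "v=spf1" version tag
    return sum(term_cost(t, records, path | {domain}) for t in terms)

def breakdown(domain, records):
    """Cost of each top-level term, to show which source uses the budget."""
    path = frozenset({domain.lower()})
    return {t: term_cost(t, records, path) for t in records[domain].split()[1:]}

if __name__ == "__main__":
    for d in ("example.com", "parked.example"):
        n = record_cost(d, SAMPLE_RECORDS)
        print(d, n, "OVER LIMIT" if n > SPF_LOOKUP_LIMIT else "ok")
    print(breakdown("example.com", SAMPLE_RECORDS))
```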

5. Disabling DKIM signature

DKIM is one of the authentication techniques used to make emails DMARC compliant. DMARC analyser recommends using a DKIM signature on your outgoing messages from your direct mail sources. DKIM not only makes emails DMARC compliant, but it also helps with forwarding issues.