3237 Views, 0 Helpful, 3 Replies

DMARC, SPF, DKIM policies behaviour

REJR77 (Level 1)

Hi,

Maybe there is some misunderstanding in my question, even if I spent a day reading all around about DKIM, SPF and DMARC.

As a receiver, I would like to enforce DMARC.

From my understanding I should follow what the domain's owner says in the policy (none, quarantine or reject).

On the other hand my ESA has to compute DKIM verification and SPF check to make the Identifier Alignment.

Regarding the policies, is there a priority in the way ESA works regarding the different verdicts (SPF, DKIM, DMARC)?

Is it necessary to still have an SPF/DKIM content filter if DMARC is on top of that?

If DMARC says I have to reject and my SPF policy says to quarantine, in the end what would be the applied action?

 

Thanks

Accepted Solution

I think there are multiple options; at the end the DMARC validation is the most important, as it combines both SPF and DKIM validations, so you no longer need specific filters to do so.

To get started I would create a message filter and quarantine messages which fail SPF validation. As the second step I would add a filter where DKIM fails; step 3 would be a filter where DKIM cannot be validated (tempfail and permfail). You will be surprised how many well-known domains have DKIM issues.

For each of SPF fail and DKIM fail you would need to create an exception list so that you can temporarily allow them to come in, should they have a self-inflicted problem.

For inbound DMARC the IronPort just verifies the sending domain's DMARC and reads the alignment policy from there. If strict alignment is demanded the ESA will apply strict, otherwise relaxed.

Usually it is enough for either SPF or DKIM to be aligned correctly for a message to pass DMARC validation.

I hope that helps

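The accepted solution's two points, that the ESA takes strict or relaxed alignment from the sender's DMARC record and that one aligned SPF or DKIM pass is enough, can be checked with the following added example. It is not code from the thread or from the ESA; it models RFC 7489 evaluation only, approximates the organizational domain as the last two labels (real verifiers use the Public Suffix List), and says nothing about how the ESA orders its own SPF/DKIM content filters against the DMARC action.

```python
"""Simplified DMARC evaluation with identifier alignment (RFC 7489 semantics)."""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption: real verifiers consult the Public Suffix List so that e.g.
    'mail.example.co.uk' maps to 'example.co.uk'; two labels suffice here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record; defaults follow RFC 7489 (relaxed alignment)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_results, record):
    """Return (result, action).

    spf_domain   - the MAIL FROM (envelope) domain that SPF authenticated
    dkim_results - list of (result, d= domain) for each verified signature
    A single aligned SPF *or* DKIM pass is enough; the record's p= policy is
    only applied when DMARC fails.
    """
    pol = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, pol["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, pol["adkim"])
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", pol["p"]
```

With `aspf=s` a MAIL FROM of `bounce.example.com` no longer aligns with a From of `example.com`, but an aligned DKIM signature still rescues the message; only when neither passes does `p=` decide.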

3 Replies

marc.luescherFRE (Spotlight)

As you said there is a lot to read about. The fastest success will be if you focus on incoming DMARC.

Your ESA DMARC profile lets you decide if you want to "honor" the requested DMARC action of the sending domains. The best practice says that unless you have a lot of external senders sending emails to your domain on your behalf, you should enable the setting that emails failing DMARC validation (inbound) get at least sent to a quarantine for review. Once you feel good about the outcome you can then start rejecting them.

For your outgoing emails to be DMARC compliant you need to make sure your SPF records reflect all authorized sending systems of your domain (internal and external). Then I would highly recommend adding signing keys/profiles for every authorized domain you send from and/or host.

From that moment on you can set your DMARC record in DNS into monitoring stage while you analyze all your systems/senders. A good product to get started with that is dmarcian.com. Once you have identified all your senders (and a DMARC tool will help with that) you can start with some DMARC policies like quarantine and slowly go up till you reach reject. For a larger company the process here might take a few months; don't give up.

I hope that helps

Marc


Hi Marc,

Thanks for your message.

Regarding the policies, is there a priority in the way ESA works regarding the different verdicts (SPF, DKIM, DMARC)?

Is it necessary to still have an SPF/DKIM content filter if DMARC is on top of that?

If DMARC says I have to reject and my SPF policy says to quarantine, in the end what would be the applied action?

By the way, does DMARC look for a perfect Identifier Alignment? I mean, does the email have to satisfy SPF AND DKIM, or is one enough to allow the email?
