What are best practices and costs for implementing DKIM, SPF, and DMARC?

Key findings

• Initial setup: SPF and DKIM can often be set up to 100% authentication without significant hurdles if the sending domain is correctly identified.
• DMARC reporting: A 0% DMARC authentication rate often indicates the absence of a DMARC record for the sending domain, regardless of SPF and DKIM status.
• Policy progression: It is crucial to start DMARC with a p=none policy to monitor email flows and identify all legitimate sending sources before moving to stricter policies like quarantine or reject. This phased approach helps avoid accidental blocking of legitimate emails.
• Cost variability: The cost of DMARC implementation varies significantly based on business size, complexity of email infrastructure, and the approach taken (in-house vs. third-party tools).

Key considerations

• Domain authentication: Ensure SPF, DKIM, and DMARC records are correctly placed for all domains and subdomains from which email is sent, including those used by third-party Email Service Providers (ESPs).
• Reporting analysis: While p=none is a low-risk starting point, its value is realized only through consistent review and action based on the DMARC reports. You can learn more about DMARC, SPF, and DKIM best practices in this comprehensive guide.
• Hidden sending sources: Organizations often have numerous systems and vendors sending email on their behalf that may not be immediately obvious (e.g., HR systems, invoicing software). Identifying and authenticating these sources is a significant part of the DMARC implementation challenge.
• Resource allocation: Proper DMARC implementation, especially for larger organizations, requires dedicating staff time for setup, monitoring, and ongoing maintenance. This labor cost can be substantial, whether handled in-house or outsourced.

Key opinions

• Authentication basics: Marketers frequently express confusion when first encountering DKIM, SPF, and DMARC, highlighting the need for clearer, more accessible explanations of these technical concepts.
• DMARC adoption: There's a common initial observation that while SPF and DKIM might show high authentication rates, DMARC often starts at 0% until a record is correctly published.
• Gradual implementation: The importance of starting DMARC with a p=none policy is a recurring theme, often learned through experience to avoid disrupting email flow.
• Impact of send volume: Low send volumes to specific mailbox providers, like Gmail, can sometimes lead to minimal or no DMARC data appearing in reports, even if a record is present.

Key considerations

• Collaboration with IT/NetOps: Marketers often need to work closely with their network operations or IT teams to implement and verify DNS records for SPF, DKIM, and DMARC. This is crucial for proper setup and verification.
• Understanding DMARC reports: Even with a p=none policy, understanding what the DMARC aggregate reports show and how to act on that data is a significant learning curve. This involves identifying unauthenticated email streams and bringing them into compliance. For a step-by-step guide, check out this article on setting up DKIM and improving deliverability.
• ESP configuration: If using third-party ESPs like Pardot, marketers need to ensure the ESP's sending domains are correctly configured with SPF, DKIM, and DMARC to align with their primary sending domain. Understanding how these protocols interact with ESPs is vital for deliverability.
• Avoiding unpleasant surprises: The common advice to start DMARC with p=none reflects a collective understanding that jumping directly to stricter policies without full visibility can lead to significant deliverability issues and lost emails.

Key opinions

• DMARC visibility: DMARC reporting is essential for identifying all mail streams and understanding how mail providers are authenticating emails against your domain.
• Phased DMARC deployment: Experts strongly advocate for a phased DMARC implementation, starting with p=none, to discover unknown sending sources before moving to stricter policies.
• Significant costs: Implementing DMARC correctly, even at p=none, incurs significant costs related to reporting system setup (in-house or third-party) and dedicated personnel for daily report review.
• Organizational complexity: A major challenge for medium-to-large companies is developing a comprehensive strategy for all email vendors and ensuring business units comply, especially when new, unannounced tools begin sending emails.

Key considerations

• Comprehensive mail stream identification: Before any DMARC record is published, a thorough audit should be conducted to identify all email sending sources across the organization. This proactive step helps to mitigate the risk of legitimate emails failing authentication. This is part of the key considerations for DMARC implementation.
• Avoiding pitfalls: Implementing a strict DMARC policy like p=reject without proper preparation and monitoring can lead to catastrophic email delivery failures, as exemplified by cases of banks blocking their own essential communications.
• Long-term investment: DMARC implementation is not a one-time setup but an ongoing process that demands continuous attention and resources to manage new email sources and maintain compliance. This is part of the long-term cost of authentication.
• RUA address importance: Many organizations incorrectly implement quarantine or reject policies without specifying a Reporting URI Aggregate (RUA) address, preventing them from receiving critical DMARC reports needed for analysis and adjustment.

Key findings

• DNS records: SPF, DKIM, and DMARC policies are published as DNS TXT records within the domain's DNS zone.
• Authentication chain: DMARC relies on either SPF or DKIM to pass authentication and for domain alignment to be achieved.
• Policy enforcement: The p tag in a DMARC record dictates the action mail receivers should take for emails that fail DMARC (none, quarantine, or reject).
• Reporting: The rua tag specifies an email address to receive aggregate DMARC reports, providing crucial data for monitoring and policy adjustments.

Key considerations

• Domain alignment: For DMARC to pass, the domain in the RFC5322.From header (the visible 'From' address) must align with the domain that passes SPF and/or DKIM. Understanding this alignment principle is critical.
• Subdomain policies: Documentation recommends explicit DMARC policies for subdomains, even if they inherit the organizational policy, to ensure consistent protection against spoofing. Proper subdomain DMARC placement is a best practice.
• Monitoring at p=none: RFCs suggest starting with p=none (monitoring-only) and carefully analyzing reports before enforcing stronger policies, to prevent disruptions to legitimate email flows.
• DKIM selectors: DKIM implementations often involve using selectors in the DNS record, which allow for multiple DKIM keys per domain or easier rotation of keys, as detailed in documentation like authentication best practices guides.