Sendmarc DMARC Project Process

This guide aims to give your team members an overview of our DMARC implementation process.

Sendmarc Implementation Phases:

Phase 1

Finalize DNS: First, we migrate all existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records to Sendmarc by making some changes to your DNS zone files. This enables us to make DNS-level changes via the Sendmarc platform going forward without needing to make further DNS changes on your public DNS zone.

Phase 2

Authorize Senders: Next, we ensure that all authorized senders are correctly configured, i.e. that the correct SPF and DKIM records are in place, and that the senders themselves are correctly signing emails. We collect data on these changes so that we have visibility of all senders and ensure that we have correctly enabled each of them.

Phase 3

p=quarantine: Once we’re happy that the above settings are correct, we set the DMARC policy to “quarantine”, which stops any email sent from unauthorized senders. Depending on the email provider, this either means that the email will be treated as spam or put into an actual quarantine. We do this so that no authorized senders are missed, and no legitimate mail fails to reach the intended inbox.

Phase 4

p=reject: Lastly, after all senders have been captured, we set the DMARC policy to “reject”, which blocks all malicious actors from impersonating your domain. 

Overview of Phase 1

In Phase 1, you must work to finalize the DNS authentication settings for your customer's domain(s). This involves migrating all existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records from the customer's public DNS zone files to the Sendmarc platform.

This enables the Sendmarc platform to manage the DNS records going forward without needing further changes to the public DNS.

The key steps in Phase 1 include:

  • Identify and add all customer domains to the Sendmarc platform.
  • Publish DMARC records.
  • Import existing SPF and DKIM entries.
  • Review DNS for missing sources (DKIM & SPF).
  • Verify changes using the Domain Score Tool and review the effectiveness of the changes.

Phase 1 typically takes 1-5 days but may be longer depending on factors like access to public DNS, number of customer domains, and internal change approval processes.

Overview of Phase 2

Phase 2 involves analysing data and thereafter enhancing the customer's SPF authentication and DKIM signing across infrastructure.

The key steps in Phase 2 include:

  • Identifying legitimate sending systems/services/platforms and their business owners.
  • Researching capabilities/limitations of DNS authentication for each system.
  • Identifying any missing authentication components for systems/services/platforms.
  • Logging internal change control approvals for changes.
  • Updating any missing/new SPF record entries within the Sendmarc Platform.
  • Creating DKIM keys within the respective systems/services/platforms.
  • Creating DKIM Keys (CNAME/TXT records) within the Sendmarc Platform.
  • Verifying changes using the Domain Score Tool and reviewing the effectiveness of the changes.

This phase may take 30-60 days depending on the complexity of the implementation and required change approval processes. Progress on the checklist provided is marked as "In Progress" for all listed tasks.

Overview of Phase 3

In Phase 3, the overall DMARC compliance and email deliverability for the domain(s) should be at or close to 100%, and the domain(s) are ready to start enforcing DMARC protection.

This phase involves setting the DMARC policy to "quarantine". With a policy of p=quarantine, any emails that don't comply with SPF and DKIM may be placed in a quarantine folder for further investigation before being delivered to the inbox.

The purpose of the quarantine stage is to further ensure that all legitimate sending systems, services or platforms have been correctly authorized. 

The key steps in Phase 3 include:

  • Reviewing domain data over 2 weeks to confirm compliance and deliverability.
  • Validating and updating configurations if needed.
  • Communicating the planned p=reject changes to business stakeholders and logging any internal change approvals required.

Once Phase 3 is complete, the domain's DMARC policy will be set to quarantine any unauthorized emails to further validate full compliance.

This phase typically takes 7-14 days to complete based on the complexity of the implementation and any internal change approval processes that need to be followed.

Overview of Phase 4

In Phase 4, the customer's domain(s) will have their DMARC policy set to "reject". This is the final phase of the implementation where any emails that don't align with the customer's SPF and DKIM policies will be rejected by the recipient's server.

Before implementing the DMARC reject policy, Sendmarc recommends that the customer complete the following effectiveness review:

  • Review data again for any authorized sending sources that may have been missed.
  • Ensure Sendmarc exposure reports are configured correctly.
  • Ensure Alerts are configured correctly.

NOTE: We recommend that reporting is configured to a group or distribution list for simplified management.

This final phase typically takes 1 day to complete, but ongoing management is required to ensure full compliance, as any new systems, services or platforms that are implemented need to be properly authorized.

Need Help?

support@sendmarc.com is standing by to assist!