I keep coming across advice on setting up SPF, DKIM, and DMARC with a policy of "p=none" initially for monitoring purposes, but I'm confused about what exactly needs to be fixed. We've implemented this, yet we're still seeing problems, particularly with some large universities forwarding emails and then messing up headers, leading to SPF and DKIM failures. I reached out to one of these universities, and they said they can't do anything about it. So, what are the common fixes that others have applied in similar situations?
5 Answers
Have you tried using a DMARC analyzer? Tools like Vailmail or MX Toolbox allow you to monitor DMARC reports. This lets you identify which emails aren’t passing DMARC and ensure they’re allowlisted in your DNS. This way, you can move towards setting your policy to reject to block potential spoofing.
It's crucial to determine if your SPF should allow universities to send emails on your behalf. If you decide to trust them, add them to your SPF record. If not, you might need to deal with various spoofers directly and give them warnings before tightening your SPF settings.
Ultimately, fixing issues involves correcting authentication errors for DKIM and SPF, particularly their alignment with your From domain. For instance, I noticed SPF failures from a specific IP. After reaching out and clearing it up with that IP's owner, we found it was legitimate traffic from a vendor. Once we authenticated it, the problem disappeared.
Usually, the fixes revolve around ensuring that all the services you use are properly listed in your SPF and DKIM records. This helps catch any shadow IT as well. Once you’ve gone through your list and made sure everything necessary is included, you can confidently switch DMARC to quarantine or reject since anything else should ideally be spam.
After setting up monitoring, you can adjust the pct value in your policy to test how strict or lenient your quarantine should be. Gradually increase the pct to find a balanced setting before moving to a p=reject policy. Just make sure to check whether your emails should pass SPF and DKIM checks appropriately.
So, it sounds like you end up with quite a list of email servers that you need to allow through your SPF record, right?