I'm sharing a practical checklist we developed to effectively address email authentication incidents, specifically targeting problems like 550 5.7.x errors and spoofing. It includes steps to confirm that SPF records exist and note DNS lookups (keeping them under 10), to ensure that DKIM selectors are published properly, and to check DMARC alignment, not just pass/fail results. It's crucial to remember that if DMARC is set to 'p=none', it's only for monitoring, not enforcement. The checklist advises reproducing the issue with sanitized Authentication-Results headers and gradually rolling out policies from 'p=none' to 'quarantine', and finally 'reject', with a percentage ramp-up. Quick checks can be done using specific dig commands. One of the most confusing areas I've noticed involves alignment failures where SPF and DKIM may pass, yet DMARC still fails the policy intent. I'm considering sharing a one-page incident worksheet version of this checklist if there's interest!
2 Answers
This checklist is awesome! I totally agree, alignment is where most people get tripped up. They often check tools like MXToolbox and see SPF and DKIM passing, but they don't look at which domain these checks are authenticating against. Just because SPF passes for a sender doesn't mean the From header is aligned, and it's the same with DKIM. One extra tip to consider: check the subdomain policy in DMARC. I've seen companies with 'p=reject' on their main domain but 'sp=none,' which leaves subdomains vulnerable to spoofing! I'd love to see that worksheet if you post it.
Great checklist! For those alignment failures you mentioned, it’s crucial to ensure that the Header.From domain matches the envelope/MAIL FROM domain for SPF alignment, and verify that the DKIM 'd=' parameter matches the Header.From domain for DKIM alignment. Often organizations have SPF and DKIM passing, but if they're signing from different domains, DMARC fails. For ongoing monitoring, I suggest setting up DMARC aggregate report monitoring. This will help catch any new issues proactively, rather than scrambling to fix them later. I’d definitely be interested in your worksheet!
Thanks for the suggestion! Alignment issues with Header.From are definitely a common pitfall. I'll make sure to include that in my worksheet.

Exactly! It's surprising how often teams validate SPF and DKIM but forget alignment checks. That mistake can lead to so many undiagnosed failures.
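As an added illustration of the alignment point raised in the question and both answers (SPF and DKIM passing while DMARC fails, and the `sp=` subdomain policy gap), here is a small Python checker that is not part of the original thread. It parses a sanitized Authentication-Results header, applies relaxed (`r`) or strict (`s`) alignment against the Header.From domain, and reports which policy (`p=` or `sp=`) would apply. The domains, the header lines and the DMARC record are constructed sample data; the organizational-domain rule is simplified to the last two labels (a real implementation would use the Public Suffix List).

```python
"""DMARC alignment checker over a sanitized Authentication-Results header.

Illustrative helper written for this thread; all domains, header text and
the DMARC record below are constructed sample data, not from any real system.
"""
import re


def org_domain(domain: str) -> str:
    # Simplified organizational-domain rule (assumption): keep the last two labels.
    # Production code should consult the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') requires an exact match."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the SPF result + MAIL FROM domain and the DKIM result + d= domain out of the header."""
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([^;\s]+)", header)
    return {
        "spf_result": spf.group(1) if spf else None,
        "spf_domain": spf.group(2) if spf else None,
        "dkim_result": dkim.group(1) if dkim else None,
        "dkim_domain": dkim.group(2) if dkim else None,
    }


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag/value dictionary (v, p, sp, pct, aspf, adkim, ...)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_evaluate(header: str, header_from: str, dmarc_record: str, policy_domain: str) -> dict:
    """Decide DMARC pass/fail from alignment, and pick the policy that would be applied."""
    ar = parse_auth_results(header)
    tags = parse_dmarc(dmarc_record)
    aspf = tags.get("aspf", "r")    # alignment modes default to relaxed
    adkim = tags.get("adkim", "r")
    spf_aligned = ar["spf_result"] == "pass" and aligned(ar["spf_domain"], header_from, aspf)
    dkim_aligned = ar["dkim_result"] == "pass" and aligned(ar["dkim_domain"], header_from, adkim)
    # DMARC passes if at least one mechanism both passes and aligns with Header.From.
    dmarc_pass = spf_aligned or dkim_aligned
    # A subdomain sender gets sp= when present; otherwise p= governs both.
    is_subdomain = header_from.lower() != policy_domain.lower()
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "applied_policy": policy,
        "pct": int(tags.get("pct", "100")),   # share of failing mail the policy applies to
    }


# Constructed sample data: a third-party sender whose SPF and DKIM both pass on its own domain.
DMARC_RECORD = "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc@example.com"
AR_UNALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.esp-vendor.example; "
                "dkim=pass header.d=esp-vendor.example header.s=sel1")
AR_ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.esp-vendor.example; "
              "dkim=pass header.d=mail.example.com header.s=sel1")


def run_checks() -> dict:
    """Evaluate the three scenarios discussed in the thread and return the verdicts."""
    return {
        "both_pass_unaligned": dmarc_evaluate(AR_UNALIGNED, "example.com", DMARC_RECORD, "example.com"),
        "dkim_aligned_relaxed": dmarc_evaluate(AR_ALIGNED, "example.com", DMARC_RECORD, "example.com"),
        "subdomain_sp_none": dmarc_evaluate(AR_UNALIGNED, "news.example.com", DMARC_RECORD, "example.com"),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name}: {verdict}")
```

The first scenario is the one the thread describes: both mechanisms report `pass`, yet neither authenticated domain aligns with Header.From, so DMARC fails and `p=reject` applies. The second passes only because the DKIM `d=` sits under the same organizational domain under relaxed alignment. The third shows why `sp=none` matters: the same unaligned message sent from a subdomain falls back to monitoring only.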