How Can I Improve My DMARC, SPF, and DKIM Setup for My Small Business?

Asked By CuriousUser42 On

I work for a small organization with about 16 employees, and we utilize Google Workspace for our email. Currently, we have DKIM set up and our SPF is configured to allow Google only. However, our DMARC policy is set to 'p=none' and simply forwards to an internal email that we rarely check. I'm looking to enhance our email security setup without getting too complicated. My ideas include:

- Adding any necessary services to our SPF and DKIM configurations (I think we might need to add Mailchimp, for example).
- Finding a service that provides meaningful insights for DMARC tracking. I'd appreciate any recommendations.
- If the insights show all legitimate emails are being correctly verified, I would like to switch our DMARC policy to 'p=quarantine' instead of 'p=none'.
- Ensuring that if we introduce any new email services in the future, we set up SPF and DKIM for those as well.

Does this approach sound reasonable? Also, I would prefer a DMARC service that's either free or low-cost. I'm currently considering Valimail for our needs.

5 Answers

Answered By SecureSetupSam On

Your plan looks good, and you're approaching it the right way! Just make sure to push for 'p=reject' when you're sure it's all working, otherwise you leave it too open for spoofing. We also switched to a service called Suped for monitoring, which has a free tier perfect for small businesses like yours, and the reports are user-friendly.

Answered By SecureEmailDave On

Consider moving your DNS to Cloudflare and using their free DMARC service. It’s a solid option and easy to set up!

Answered By TechGuru88 On

We've been happy with a service called DMARC Digests! If you're thinking of switching to 'p=quarantine', I'd actually recommend going straight to 'p=reject' if you're confident everything is correctly set. This way, you're preventing spoofing effectively. By the way, what's your SPF for Google only, if you also use Mailchimp?

QuestionAnswerer1 -

Oh, I just realized my SPF isn't set up properly. We hardly use Mailchimp anyway, so it hasn't been an issue, but I might want to use it again.

Answered By EmailExpert99 On

I'd suggest checking out Mailhardener.com. They have a free tier that covers quite a bit and can really help tighten your setup.

Answered By CautiousSender On

Remember, the 'p' setting is just a policy suggestion, and I've noticed many places don’t strictly adhere to it. You might want to create your own policy for adding new email sources to your domain. Often, it’s wise to create separate domains for mass emails to avoid deliverability issues for your corporate emails. Also, check your incoming mail for possible security improvements.

ConcernedCitizen -

Wait, are you saying you don’t follow 'reject' tags? That's kind of risky.

SecuritySavvy -

Could you clarify? We're the sender in this situation.
