Email Security Blog

How can I get my third-party senders DMARC Compliant?

Danielle Tristao September 4, 2014 DMARC
Fallback Featured Image

We love our third parties don’t we? They are usually responsible for sending our important customer notifications and promotions. Because their mail is so important to your business, we should do what we can to help them become DMARC compliant. It’s a win for you, it’s a win for them, and it’s a win for the users who can open their emails without worry. That’s a lot of winning happening right there.

There are a few different ways that you can approach DMARC compliance with third-party senders. It will of course depend on what capabilities your third-party sender has in implementing these suggestions:

Integrate Externally

Your third-party senders can use their own mail servers to send your email. If this is an option, you can provide them with a sub-domain so they can put their own DKIM record and SPF record in for DNS. You can also give your third-party sender a DKIM private key to sign the emails and publish the public key in your DNS and/or add their sending IP to your SPF record.

Integrate Internally

You can have your third-party sender relay your emails through your own mail servers.

Do not integrate. Request that they do not spoof

Ask your third-party senders to user their own domains in the from:header. If these emails need to have a reply, you can have them point this reply alias to you, or have the third-party sender set the reply-to: header to one of your email addresses.

To ensure you are keeping an authenticated mail stream, it is necessary for organizations like your self to work with those who send email on your behalf. Here are some steps to make that happen:

Send messages in compliance with SPF records published on the customer domain

This can be accomplished by adding an include:third party.tld in the SPF record. Some organizations may require explicit IP addresses to enter into the domain’s SPF record, that than using an include: mechanism.

Implement DKIM Signing for the domain in use

When configuring a DKIM signature, you need to ensure you are signing with at least a 1024 bit size and the signing domain (d=) must align with the domain which is used to send the communication.

In order for a message to be DMARC compliant, SPF and DKIM must be configured and at least one of the authentication methods must pass in order for the message to make it’s way through to the end user. All of these steps help ensure you have your customers and their email safety in mind. Watch your click through rates rise when your end users know they are receiving authenticated email.

Want to learn more? Get your free DMARC Guide now!

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

April 17, 2019 Fareed Bukhari

The Time is Now: Underscoring the Importance of DMARC for State and Local Governments

Scammers know that impersonating a trusted government agency is an extremely effective way to trick…

Agari Blog Image

February 26, 2019 Armen Najarian

Retail Trails Other Sectors in Adopting DMARC for Phishing Prevention

Recent research by the Agari Cyber Intelligence Division finds that the retail industry is dead…

Person Looking at DMARC Protected Email

February 19, 2019 Fareed Bukhari

DMARC Adoption Up, But 85% of Fortune 500 Remains Vulnerable to Brand Hijacking

Adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) has seen modest growth in recent…

Agari Blog Image

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

Responding to BOD 18-01, agencies rally to complete the fastest sector-wide adoption of DMARC One…

Agari Blog Image

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

Today is the deadline set by the Department of Homeland Security for all executive branch…

mobile image