Email Security Blog

Ensuring DMARC Compliance for Third-Party Senders

Fareed Bukhari September 6, 2019 DMARC

Marketo. Salesforce. Eloqua. Bamboo HR. Zendesk. It only takes a minute to realize how much organizations love third-party senders. They are typically responsible for sending our important customer notifications, marketing promotions, prospecting emails, and even employee information.

Because their mail is so important to your business, we should do what we can to help them become DMARC compliant. It’s a win for you, it’s a win for them, and it’s a win for the users who can open their emails without worry. That’s a lot of winning happening right there.

How to Integrate Third-Party Senders

There are a few different ways that you can approach DMARC compliance with third-party senders. It will, of course, depend on what capabilities your third-party sender has in implementing these suggestions:

  1. Integrate Externally
    Your third-party senders can use their own mail servers to send your email. If this is an option, you can provide them with a subdomain so they can put their own DKIM record and SPF record in for DNS. You can also give your third-party sender a DKIM private key to sign the emails and publish the public key in your DNS and/or add their sending IP to your SPF record.
  2. Integrate Intenerally
    You can have your third-party sender relay your emails through your own mail servers, which would enable their emails to use your own SPF, DKIM, and DMARC record and take the guesswork out of the process. 
  3. Do Not Integrate
    But request that they do not spoof. Ask your third-party senders to use their own domains in the from:header. If these emails need to have a reply, you can have them point this reply alias to you, or have the third-party sender set the reply-to: header to one of your email addresses.

Steps to Integrating Third-Party Senders

Working with third-party senders is oftentimes necessary and helps move the organization forward. That said, there are reasons to be cautious in making sure these senders have appropriate security measures in place, especially before they start sending email on your behalf. Here are some steps to make that happen:

  1. Send Messages in Compliance with SPF Records
    This can be accomplished by adding an include:third party.tld in the SPF record. Some organizations may require explicit IP addresses to enter into the domain’s SPF record, rather than using an include: mechanism.
  2. Implement DKIM Signing for the Domain in Use
    When configuring a DKIM signature, ensure you are signing with at least a 1024 bit size. The signing domain (d=) must align with the domain which is used to send the communication.

In order for a message to be DMARC compliant, SPF and DKIM must be configured and at least one of the authentication methods must pass in order for the message to be delivered. Each of these steps helps customers know that email safety is top of mind for your entire organization—whether the email comes from a third-party sender or not.

Want to learn more about implementing DMARC for third-party senders? Get your free Guide to Implementing DMARC Guide now!

Agari Blog Image

May 11, 2021 John Wilson

Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

Gartner includes DMARC, or known by its full name as Domain-based Message Authentication, Reporting &…

Agari Blog Image

May 5, 2021 Michael Paiko

5.8B Malicious Emails Spoofed Domains; 76% of Fortune 500 Still at Risk: DMARC Results from Agari

Global adoption of Domain-based Messaging, Reporting & Conformance (DMARC) topped 10.7 million email domains worldwide…

Agari Blog Image

April 27, 2021 Michael Paiko

What Is SPF and How Does It Work?

We're going to delve into what SPF for email is, how to implement it, the…

Agari Blog Image

April 20, 2021 Autumn Tyr-Salvia

What is DMARC? Effects on Email Spoofing & Deliverability

Wondering how DMARC affects email? Here’s a comprehensive guide explaining what DMARC is, how it…

Agari Blog Image

February 11, 2021 Crane Hassold

Cosmic Lynx Returns in 2021 with Updated Tricks

In July 2020, we published a report on a Russian-based BEC group we called Cosmic…

mobile image