The Ins and Outs of DMARC Monitoring


As more inbox providers get testing and support for. to announce Brand Indicators for Message Identification (BIMI), every sender has to line up his ducks on time. BIMI will allow brand logos to appear in the inbox, which should be beneficial for senders and (hopefully) lead to increased recipient loyalty.

To be able to use BIMI, you not only need a domain-based Message Authentication, Reporting & Conformance (DMARC) entry, you have to be there DMARC Enforcement (quarantine or denial). That being said, you don’t want to switch to DMARC enforcement until you are sure that all of your valid emails are passing DMARC. This is where DMARC monitoring comes in.

What is DMARC Monitoring?

DMARC monitoring checks DMARC reports to look for unauthorized senders who are spoofing your domain.

The first time you create a DMARC record, provide an email address that will receive the DMARC reports. The reports are incredibly valuable, but not easy to interpret. The raw DMARC reports are simply XML data dumps with lines of detail about the IP addresses and the authentication status of each email (example below).

Valimail, the Twilio SendGrid partner and a leading provider of zero trust email security, offers free access to theirs DMARC monitor tool for every Twilio SendGrid customer. After creating an account, you can add your sending domain (s) and update your DMARC record so that the DMARC reports are sent to Valimail.

Instead of going through XML data dumps, you’ll then have free access to a dashboard (example below) that provides all of the data you need to make informed decisions about your DMARC policy, including any third-party services broadcasting from your domain .

How to start DMARC monitoring

DMARC monitoring is critical to the security of your email program. An added bonus is that once DMARC enforcement is achieved, once it’s generally available, you can set up BIMI. In this section you will learn how to monitor your DMARC records with Valimail and achieve DMARC in enforcement.

1. Publish your DMARC listing

The first step is to create your DMARC listing if you haven’t already.

When you create this record, include the report input from Valimail in the rua tag so that the DMARC records are forwarded directly to Valimail. Your DMARC listing should look like this:

2. Create your DMARC monitoring account

After your DMARC record has been published in your DNS, the next step is to create your free DMARC monitoring account with Valimail. To create your account, click here.

3. Check your sender sources

Once you have access to Valimail and send DMARC reports to Valimail, the next question is, what data should you focus on?

First and foremost, you want to make sure no one is trying to forge your domain.

With DMARC monitoring, you can see which sending services are being used to send email from your domain, how much email is being sent from your domain, and whether those emails are being forwarded SPF, DKIM and DMARC.

Take a look at the sender sources and check each one. If you can’t identify a sender source, it is possible that either someone else in your organization is sending email through your domain, or someone is spoofing your domain … call.

For more information on spoofing, phishing, and protecting your email program, see our guide. Update your SenderOps.

4. Achieve DMARC enforcement

After you’ve determined that all of your valid emails will pass DMARC, you can update your DMARC record to a “quarantine” or “deny” policy, also known as DMARC enforcement.

DMARC enforcement ensures that only authorized sending domains can send your emails.

To implement BIMI, one of these policies must be enabled. A policy of “None” does not allow a sender to implement BIMI.

5. Continue to monitor

Even after moving to a quarantine or deny policy, it is important to monitor your DMARC reports. If your sending services change, whether due to internal factors or updates to the services, you must have a system in place to monitor these changes. This can be done by monitoring the daily DMARC reports to check the authentication status of your approved services and identify any new services that appear in these reports.

If you find that a service is failing to authenticate, follow the previous steps to update the service or add the appropriate ones. SPF record and DKIM key for the authorized services. You will also need to remove the SPF or DKIM specifications for services that are no longer valid.

Findings on DMARC monitoring

With DMARC monitoring, you can keep an eye on who is sending email from your domain, take action to block unwanted senders, and achieve DMARC on enforcement. While not a panacea, DMARC enforcement provides additional protection for your email program and enables you to implement BIMI. A logo of your brand in the inbox may seem small, but this extra image will add brand awareness and help recipients trust your email.

Sign up for The free DMARC monitoring tool from Valimail. Feel good knowing that you are protecting your domain and are taking the next steps to implement BIMI.

Check out the following resources to learn more about BIMI and email authentication:

Leave A Reply

Your email address will not be published.