Playbook objective
This playbook’s objectives are to:
- Work towards fully enforced DMARC compliance
- Identify potential threats to your brand
- If you are a new Everest customer with no prior relationship with Validity, complete onboarding to ensure you are familiar with navigating and using Everest.
- If you were a Return Path or 250ok customer and are moving to Everest, complete your migration process.
- Modifying SPF, DKIM, and DMARC records may require assistance from your ESP, hosting provider or internal email administrator.
- Ensure you have completed:
- Everest Basic Setup Guide (Monitoring profiles)
- Everest Advanced Setup Guide 1: Supplemental Features (DMARC forwarding)
Important! A correctly configured DMARC record (utilizing SPF and DKIM authentication) and forwarding of DMARC reports to Everest are required for DMARC data to populate in Everest’s Infrastructure feature.
- Common authentication challenges
- How monitoring DMARC compliance fits into your process
- Working towards a fully enforced DMARC record to protect your brand
- How to use Everest to identify potential threats to your brand
- What to do if a threat is identified
- What to do next
Common challenges associated with authentication are:
- We implemented DMARC with a p=none policy and need to work towards p=reject to protect our brand.
- We are unsure how to identify potential threats to our brand and what to do if we find one.
Monitoring your DMARC compliance helps you:
- Gain visibility into authentication compliance for your sending infrastructure.
- Identify unauthorized abuse of your domain and brand.
A traditional email marketing process consists of three phases: Pre-Send, In-Flight, and Monitoring. Consistently monitoring authentication compliance helps identify unauthorized use of your domain and can help troubleshoot deliverability problems.
Pre-send
- Inform your email campaign strategy with Everest’s Competitive Intelligence feature
- Plan campaign
- Select target subscriber list
- Design campaign
- Validate target subscriber list using Everest’s List Validation feature
- Test campaign design using Everest’s Design & Content feature
In-Flight
- Send campaign to subscribers and the Everest seed list
- View your campaign’s inbox placement, spam, and missing results using Everest’s Inbox Placement feature
Monitoring
- Monitor engagement metrics using Everest’s Engagement feature, your ESP, or internal sending platform.
- Monitor sending reputation metrics using Everest’s Monitoring feature to understand the impact to your deliverability.
- Monitor DMARC authentication compliance to identify unauthorized use of your domain and brand using Everest’s Infrastructure feature.
Many senders set up a DMARC record but don't know how to transition to a fully enforced reject policy. Taking the final steps to block unauthorized use of your domain could lead to blocking your legitimate email if authentication is not set up properly.
DMARC verification only requires a valid, passing SPF or DKIM record and domain alignment. However, we recommend using both SPF and DKIM in your email. If one authentication method fails, then you have the other authentication method to fall back on as insurance.
Follow the steps below to transition from a p=none to p=reject DMARC enforcement policy.
1. Inventory all sending IPs and domains
- This can take time for larger organizations with multiple ESPs and sending platforms.
- You need this information to develop your rollout plan and to ensure all of your domains are configured in Everest for monitoring.
2. Plan the transition
Transition tips
- For larger companies, consider starting with a single brand or domain so you are comfortable with the process and timing that works well for your business. Transitioning multiple domains at the same time is an option based on your risk tolerance and business need.
- Plan the move to p=reject before or after your busiest time of year, when an authentication error has minimal impact to your revenue.
- The transition process timing will differ based on the number of domains you have, the amount of non-compliant or unauthenticated mail that needs to be fixed, and your risk tolerance.
- You need to feel confident that all your email is fully compliant and that performance levels remain as expected while you transition to a fully enforced DMARC policy.
- It's good to put timelines and benchmark dates in your plan, but be sure to have some flexibility built in to allow for monitoring results and troubleshooting potential issues.
When moving from p=none to p=quarantine and from p=quarantine to p=reject, you can configure the percentage of email to which the policy applies using the pct= tag. Be sure to build into your plan the time it takes to increase the percentages and monitor results.
For example, if p=quarantine and pct=5, then only 5% of email that fails authentication will be quarantined (placed in the spam folder). Over time, you increase the value to pct=10, then pct=50, until you reach pct=100, where 100% of email that fails authentication is quarantined or placed in the spam folder.
The percentages you choose and the length of time you take to increase them depend on the number of non-compliance issues you encounter and your risk tolerance. A general guideline is to allow 30-60 days (you can go faster if you are getting good results) to increase the percentages and give yourself time to monitor any potential impacts. Use Everest to help you feel confident that you are fully compliant and aren't seeing any impacts to performance. Below are guidelines you can use for increasing the percentage over time.
- Aggressive: from pct=10 to pct=50 to pct=100
- Moderate: from pct=5 to pct=20 to pct=35 to pct=50 to pct=65 to pct=80 to pct=100
- Conservative: from pct=1 to pct=10 to pct=20 to pct=30...to pct=100
3. Ensure DMARC is set up for all domains with a p=none enforcement policy (required).
- If you find a previously unknown domain, set up DMARC authentication for the new domain with p=none and plan to move the domain to p=reject at a later time.
4. Forward your DMARC reports to Everest (required).
5. Monitor your domain compliance in Everest for 30-60 days depending on your sending frequency and look for non-compliant and unauthenticated IPs and domains.
- Do not skip this step: A fully compliant domain is vital for success.
- Review the Everest Authentication Compliance Playbook: Intermediate for additional information about identifying non-compliant IPs and domains.
- Fix any identified compliance issues.
- Issues often involve missing IPs in your SPF record, a missing or broken DKIM public key, and misaligned domains.
- Move to the next step when you are confident that all IPs are accounted for in your authentication and there are consistently no authentication or compliance errors for a given domain.
- If authentication and domain alignment for a given IP or domain always passes except in cases of forwarding, it is still considered to be compliant.
6. Based on your transition plan from step 2, change the DMARC enforcement policy to p=quarantine for your domain and monitor deliverability, engagement and compliance results.
- Be prepared to go back to p=none quickly if any issues arise. Unauthenticated and non-compliant email sent from a domain using a p=quarantine enforcement policy will be sent to the spam folder based on your defined percentage values (pct=).
- Increase the percentage values (pct=) on your DMARC record according to your plan and monitor the results closely after each incremental increase. Use the guidelines mentioned in step 2.
- Aggressive: from pct=10 to pct=50 to pct=100
- Moderate: from pct=5 to pct=20 to pct=35 to pct=50 to pct=65 to pct=80 to pct=100
- Conservative: from pct=1 to pct=10 to pct=20 to pct=30...to pct=100
7. When pct=100 and you feel confident that all email is compliant and there are no performance issues, set your DMARC policy to p=reject. If you do not feel confident that all email is fully compliant, continue to monitor results in Everest and fix any issues until you feel confident.
- Unauthenticated and non-compliant email sent from a domain using a p=reject enforcement policy will be blocked based on your defined percentage values (pct=).
- Review your bounce logs or ESP bounce log report for signs of blocked email.
Use the same pct= approach as you used for p=quarantine, or use a more aggressive approach if you feel confident that all email is fully compliant and your performance results were not impacted when p=quarantine.
- Aggressive: from pct=10 to pct=50 to pct=100
- Moderate: from pct=5 to pct=20 to pct=35 to pct=50 to pct=65 to pct=80 to pct=100
- Conservative: from pct=1 to pct=10 to pct=20 to pct=30...to pct=100
Be prepared to go back to p=none or p=quarantine quickly if any issues arise and closely monitor the results.
8. Repeat steps 5-7 for all domains based on your transition plan.
9. Establish an internal process that makes someone responsible for keeping all authentication protocols updated and communicating those changes back to you.
- If a new IP or domain is added to your sending infrastructure without being accounted for, some or all of the legitimate email from that IP or domain may be blocked.
Congratulations! Now that you are fully enforcing DMARC domain protections, monitor compliance daily in Everest to identify any authentication issues and look out for suspicious mail (instructions below).
Make sure all of your domains are in compliance. Setting your DMARC enforcement policy to p=reject with non-compliant domains causes legitimate email to be blocked. Non-compliant domains can also make it more difficult to identify potential threats to your brand.
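To make the step 5 review concrete, the following added example (not Validity's or Everest's code) parses a DMARC aggregate report in the RFC 7489 XML format and lists each source IP that fails DMARC, with the likely cause named in step 5 (SPF failure, DKIM failure, or misaligned domain) and whether the receiver marked the mail as forwarded. The report, IPs, domains and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate format); IPs and domains are illustrative.
SAMPLE = """<feedback>
<policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>900</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>40</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>esp.example.net</domain><result>pass</result></dkim>
  <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>3</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  <reason><type>forwarded</type></reason></policy_evaluated></row>
 <auth_results><spf><domain>forwarder.example.org</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def diagnose(mech, record):
    """Explain why one mechanism (spf or dkim) did not count toward DMARC."""
    if record.findtext(f"row/policy_evaluated/{mech}") == "pass":
        return None
    raw = [r.findtext("result") for r in record.findall(f"auth_results/{mech}")]
    return f"{mech}-misaligned" if "pass" in raw else f"{mech}-fail"

def review(xml_text):
    """Return {source_ip: {"count", "issues", "forwarded"}} for DMARC-failing sources."""
    failing = defaultdict(lambda: {"count": 0, "issues": set(), "forwarded": False})
    for rec in ET.fromstring(xml_text).findall("record"):
        issues = [diagnose(m, rec) for m in ("spf", "dkim")]
        if None in issues:      # DMARC passes when either mechanism passes aligned
            continue
        entry = failing[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        entry["issues"].update(issues)
        reasons = [r.findtext("type") for r in rec.findall("row/policy_evaluated/reason")]
        entry["forwarded"] |= "forwarded" in reasons
    return dict(failing)

def ready_to_advance(xml_text):
    """True when every failing source is explained by forwarding (step 5's exception)."""
    return all(e["forwarded"] for e in review(xml_text).values())

if __name__ == "__main__":
    for ip, e in review(SAMPLE).items():
        print(ip, e["count"], sorted(e["issues"]), "forwarded" if e["forwarded"] else "investigate")
    print("ready to advance:", ready_to_advance(SAMPLE))
```

Aggregate reports are sent by external receivers, so treat them as untrusted input; a hardened XML parser such as defusedxml is a reasonable substitute for the standard-library parser used here.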
Identify Suspicious Mail
Suspicious mail tracks messages from IP addresses that are not monitored in your Reputation Monitoring Profiles. Be sure to add all IPs to a monitoring profile using the Everest Basic Setup Guide instructions.
1. Log in to Everest
2. Navigate to Monitoring>Reputation
3. Locate the Suspicious Mail tile and click View Report
4. Filter by your Monitoring Profiles. If you only have one monitoring profile, the data for that profile is automatically displayed.
5. Look for trends and suspicious activity on the Suspicious Mail Trend tile and roll your mouse over the date for additional information
6. Locate the Suspicious Mail tile and scroll through the results by subject line, IP Address, From Domain, or by Profile.
- Also look for evidence of your own email showing up as suspicious as it may indicate authentication issues.
7. Click the details arrow for more information
8. Review the results on the results grid or click Export to view a CSV file.
- Are those your subject lines?
- Do your From Address and Friendly From match?
- Is that your IP address?
- Does the Country match the email's origin?
- Are SPF and DKIM passing verification?
If the answer to any of those questions is "No", the activity is considered to be suspicious and a potential threat.
9. Locate the Suspicious Mail by Country tile and review the results.
- If you have multiple offices around the world, this may help you identify authentication issues for a specific region.
- If you only have one or two offices, identifying potential threats by country can speed up the threat identification process.
- Click the details arrow for additional information.
Adding legitimate IPs to your allowlist
The allowlist enables you to identify which IP addresses/DNS entries are actually legitimate sources of email. Most new Everest clients see false-positive messages flagged as suspicious until their allowlist is built up over time. Adding IP addresses to your allowlist will exclude them from being identified as Suspicious Mail.
1. Log in to Everest
2. Navigate to Monitoring>Reputation
3. Locate the Suspicious Mail tile and click View Report
4. Click Manage Allowlist
5. Locate your IP address, Reverse DNS record, or Profile.
6. Click the Exclude toggle to exclude the item from being tracked as Suspicious Mail.
7. Check and verify your Allowlist on a weekly basis to keep false-positives to a minimum.
Identifying unauthenticated threats
In the Everest Authentication Compliance Playbook: Intermediate you learned how to identify unauthenticated email to ensure all your email is authenticated with minimal errors. Because you have moved your DMARC enforcement policies to p=reject, you can now use the unauthenticated filter to identify potential threats.
If not all of your brands/domains have a p=reject enforcement policy, just navigate to Monitoring>Infrastructure and filter by your protected brands/domains and unauthenticated mail.
For protected brands/domains with DMARC p=reject policies, unauthenticated mail is suspicious and a potential threat.
When you identify a potential threat to your brand:
1. Ensure the potential threat is not associated with your business. Larger organizations may have multiple ESPs, sending platforms, and locations around the world. Someone could have accidentally started using a new IP address or domain without authenticating it.
2. Work with a legitimate takedown service to remove any websites, mobile apps, and social media accounts associated with the threat.
1. Use Everest daily to monitor for authentication compliance and potential threats to your brand.
2. Ensure you have an internal process in place for communicating changes to your sending infrastructure to prevent legitimate email from being blocked due to non-compliance.
3. Investigate and read our other Everest playbooks to help take your email marketing program to the next level.