This playbook’s objective is to:
- Identify and fix non-compliant and unauthenticated domains.
- For an introduction to Authentication Compliance, please read:
- If you are a new Everest customer with no prior relationship with Validity, complete onboarding to ensure you are familiar with navigating and using Everest.
- If you were a Return Path or 250ok customer and are moving to Everest, complete your migration process.
- Modifying SPF, DKIM, and DMARC records may require assistance from your ESP, hosting provider or internal email administrator.
- Ensure you have completed:
- Everest Basic Setup Guide
- Everest Advanced Setup Guide 1: Supplemental Features (DMARC forwarding)
Important! A correctly configured DMARC record (utilizing SPF and DKIM authentication) and forwarding DMARC reports to Everest is required for DMARC data to populate in Everest’s Infrastructure feature.
- Common authentication challenges
- Authentication terminology
- How monitoring DMARC compliance fits into your process
- Establishing an authentication compliance baseline
- Setting up authentication compliance alerts
- How to use Everest to identify non-compliant and unauthenticated domains
- Monitoring domains and policies as you work towards full compliance
- What to do next
Common challenges associated with authentication are:
- We would like to be notified if there are any compliance changes or adjustments to our DMARC or SPF record.
- We need a way to identify non-compliant and unauthenticated domains because we want to move toward a DMARC reject policy.
Monitoring your DMARC compliance helps you:
- Gain visibility into authentication compliance for your sending infrastructure.
- Identify unauthorized abuse of your domain and brand.
- Domain alignment: Successful DMARC verification requires either the SPF (the Return-path domain) or the DKIM (d= domain) domain to pass verification and to match the From: domain of your email. When the domains match, they are "aligned".
- Compliant: Email authenticated successfully with SPF or DKIM and the domain aligns with the From: domain or was forwarded with an ARC chain present.
- Non-compliant: Email authenticated successfully on a domain for either SPF or DKIM, but the domain does not align with the From: domain.
- Unauthenticated: Email failed both SPF and DKIM authentication.
A traditional email marketing process consists of three phases: Pre-Send, In-Flight, and Monitoring. Consistently monitoring authentication compliance helps identify unauthorized use of your domain and can help troubleshoot deliverability problems.
Pre-send
- Inform your email campaign strategy with Everest’s Competitive Intelligence feature
- Plan campaign
- Select target subscriber list
- Design campaign
- Validate target subscriber list using Everest’s List Validation feature
- Test campaign design using Everest’s Design & Content feature
In-Flight
- Send campaign to subscribers and the Everest seed list
- View your campaign’s inbox placement, spam, and missing results using Everest’s Inbox Placement feature
Monitoring
- Monitor engagement metrics using Everest’s Engagement feature, your ESP, or internal sending platform.
- Monitor sending reputation metrics using Everest’s Monitoring feature to understand the impact to your deliverability.
- Monitor DMARC authentication compliance to identify unauthorized use of your domain and brand using Everest’s Infrastructure feature.
To determine if your efforts to be fully compliant are working, you need to establish baseline compliance metrics. Record the baseline metrics in a spreadsheet for future reference and compare performance to your baseline metrics monthly. Use historical data for your baseline metrics if available from your ESP or sending platform. If you do not have historical data, establish a baseline after 30-60 days of activity depending on your sending frequency.
- Navigate to Monitoring>Infrastructure and locate the DMARC Compliance tile.
- Record the percentages of Compliant, Non-compliant, and Unauthenticated email
After establishing your baseline compliance metrics, create alerts to be notified of potential compliance issues. Setting the correct alert values may require adjustments over time. Frequent alerts may be ignored and don’t provide value, so make sure you set the alert criteria appropriately for your sending practices and personal preference.
Set up two alerts for notifying you when your compliance % decreases and when there is a change to your DMARC/SPF record. These alerts are especially valuable for larger organizations with multiple domains and authentication records.
1. Log in to Everest
2. Navigate to My Everest>Alerts
3. Click New Alert
4. Enter a Description: DMARC Compliance Alert
5. Select the DMARC Policies category
6. In the If my... section, select:
- Domain, Any Domain, Compliant mail, decreases by 1% from 7 day average
7. Select how you wish to be notified and enter any required information
8. Run the alert Daily (or another frequency of your choice)
9. Click Save Alert
10. Repeat steps 3-9 for:
- Description: Domain DNS record
- If my... : Any Domain, DMARC/SPF record changes
- Your domains should have been set up as monitoring profiles when you completed the Everest Basic Setup Guide. Make sure all of your domains are added to increase the alert's effectiveness and value.
Make sure all of your domains are in compliance as you work towards a fully enforced DMARC reject policy. Setting your DMARC enforcement policy to p=reject with non-compliant domains will cause legitimate email to be blocked.
Identify non-compliant and unauthenticated email
1. Log in to Everest
2. Navigate to Monitoring>Infrastructure
3. Filter by domain and non-compliant mail first and complete the steps below.
4. Locate the DMARC Compliance tile and look for trends. Roll your mouse over the date for additional information.
5. Locate the DMARC Trends tile and review the results for each tab to help pinpoint the origin of any compliance or authentication issues.
- Click on the details arrow for more information
6. Click Export to view the entire report
a. Note the From Domain and IP address for each non-compliant or unauthenticated issue. You can use these to help you troubleshoot.
b. Locate the SPF/Align and DKIM/Align columns and review the results
- SPF/DKIM column result meanings:
  - pass: authentication verification was successful
    - no work from you is required
  - none: no SPF or DKIM record was detected
    - You need to add SPF or DKIM authentication or there may be a significant configuration issue causing the record to be undetectable.
  - fail: An SPF or DKIM record exists but there is a problem causing verification to fail
    - Troubleshoot why there is a failure: SPF, DKIM
    - Common causes for SPF failures are an incomplete record or missing an IP address/domain
    - Common causes for DKIM failures include a missing public key in DNS or missing a required tag in the DKIM signature
- Align column result meanings:
  - aligned: the SPF or DKIM domain aligns with your From: domain
    - no work from you is required
  - n/a: when SPF or DKIM does not exist, Everest cannot check if your SPF or DKIM domains align with the From: domain
  - unaligned: The SPF or DKIM domain does not align with the From: domain.
c. Locate the ARC (Authenticated Received Chain) column
- A value in the ARC column for a specific date indicates forwarding of the message occurred.
- ARC allows for conveying original authentication assessments in case of forwarding but not every mailbox provider supports it and it will not be present in every case of forwarding.
- SPF almost always fails in forwarded messages, while DKIM often does not fail. Knowing when forwarding occurs helps you determine if an actual issue exists with your authentication configuration.
- Look for patterns of failures by filtering across IPs and domains. If you see failures and unaligned domains, it could mean forwarding is involved and breaking authentication verifications or there may be a technical issue with one or more of your DKIM signing servers or missing IPs and domains in your SPF record.
- If authentication and domain alignment for a given IP or domain always passes except in cases where there is a value present in the ARC column, the mail is still considered to be compliant.
7. Locate the Authentication Issues tile and review the results for both SPF and DKIM. Roll your mouse over the date for additional information.
- Review the dates for any sending patterns and click on the details arrow for more information to pinpoint authentication issues.
- Click Export to view the entire report and use the review meanings as outlined in step 6 above.
8. Repeat steps 4-7 by filtering for unauthenticated mail
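The column meanings from step 6 can be applied to an exported report in bulk. The following is an added example, not part of the original playbook or Everest's own tooling: it classifies each row as compliant, non-compliant, or unauthenticated using the definitions above and ranks the From Domain and IP pairs that need work. The CSV column names, the volume column, and the sample rows are assumptions constructed for illustration; the real export layout may differ.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumptions for this example,
# not the actual layout of an Everest export.
SAMPLE_EXPORT = """from_domain,ip,spf,spf_align,dkim,dkim_align,arc,volume
example.com,192.0.2.10,pass,aligned,pass,aligned,,900
example.com,192.0.2.20,pass,unaligned,none,n/a,,60
example.com,198.51.100.7,fail,unaligned,fail,unaligned,,30
example.com,203.0.113.5,fail,unaligned,fail,unaligned,pass,10
"""

def classify(row):
    """Apply the playbook's three compliance terms to one export row."""
    spf_ok = row["spf"] == "pass"
    dkim_ok = row["dkim"] == "pass"
    aligned = (
        (spf_ok and row["spf_align"] == "aligned")
        or (dkim_ok and row["dkim_align"] == "aligned")
    )
    if aligned or row["arc"].strip():
        return "compliant"        # aligned pass, or forwarded with an ARC value present
    if spf_ok or dkim_ok:
        return "non-compliant"    # authenticated, but not on the From: domain
    return "unauthenticated"      # assumption: "none" counts the same as "fail"

def summarize(csv_text):
    """Return (percentage per class, problem sources sorted by volume)."""
    totals = Counter()
    sources = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        volume = int(row["volume"])
        totals[label] += volume
        if label != "compliant":
            sources[(row["from_domain"], row["ip"], label)] += volume
    grand = sum(totals.values()) or 1  # avoid dividing by zero on an empty report
    percents = {k: round(100 * totals[k] / grand, 1)
                for k in ("compliant", "non-compliant", "unauthenticated")}
    return percents, sources.most_common()

if __name__ == "__main__":
    percents, worst = summarize(SAMPLE_EXPORT)
    print(percents)
    for (domain, ip, label), volume in worst:
        print(f"{domain} {ip} {label} {volume}")
```

The percentages can be recorded next to the baseline figures from the DMARC Compliance tile, and the ranked list shows which sending IPs to check against the SPF record or DKIM signing configuration first.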
The ultimate goal for identifying and fixing non-compliant and unauthenticated mail is to move your DMARC enforcement policy to p=reject, which is covered in the advanced playbook. Monitor your domains to ensure the work you are doing is moving you to a fully compliant sending infrastructure.
The Domains & Policies feature is also good for monitoring high level compliance issues to help you identify potential threats to your brand once you move to a fully enforced DMARC p=reject policy.
1. Click on the Domains & Policies tab to monitor aggregate compliance across all domains.
- This tile helps you quickly identify compliance issues across all domains and if there are any issues with the DMARC record itself.
- Click on the details arrow for more information on your DMARC and SPF records.
1. Take concrete steps to identify and fix both non-compliant and unauthenticated mail and compare the updated compliance percentages with your baseline.
2. When all of your email is consistently compliant, proceed to the advanced playbook to update your DMARC enforcement policy to p=reject.
3. Investigate and read our other Everest playbooks to help take your email marketing program to the next level.