Everest Authentication Compliance Playbook: Beginner

• If you are a new Everest customer with no prior relationship with Validity, complete onboarding to ensure you are familiar with navigating and using Everest.   
• If you were a Return Path or 250ok customer and are moving to Everest, complete your migration process. 
• Ensure you have completed:
  • Everest Basic Setup Guide
  • Everest Advanced Setup Guide 1: Supplemental Features (DMARC forwarding)

Important! A correctly configured DMARC record forwarding DMARC reports to Everest is required for DMARC data to populate in Everest’s Infrastructure feature. 

 

• Understanding email authentication and why it is important 
• Authentication terminology 
• Common authentication challenges 
• How monitoring DMARC compliance fits into your process 
• Important authentication metrics and where to find them in Everest 
• Setting up your DMARC record
• Viewing DMARC Compliance data in Everest 
• Setting up your DMARC Compliance Trend dashboard
• What to do next 

Authentication is the process of verifying the digital identity of a sender. In email marketing, there are three main types of authentication: 

• DomainKeys Identified Mail (DKIM) 
• Sender Policy Framework (SPF) 
• Domain-based Message Authentication, Reporting, and Conformance (DMARC) 

Why is authenticating email important? 

• It is an industry best practice used to build trust between you and a mailbox provider. 
• It helps establish, maintain, and protect your sending reputation. 
• It helps protect your brand from abuse by unauthorized senders using your domain to send spam. 
• A valid DMARC record with a 100% quarantine or reject enforcement policy allows you to set up Brand Indicators for Message Identification (BIMI) for displaying your logo at participating mailbox providers. Displaying your logo using BIMI can help improve open rates.

• Sender Policy Framework (SPF): SPF allows the owner of a domain to specify which servers they use when sending email from that domain. 
• Domainkeys Identified Mail (DKIM): DKIM allows a sender to transmit a digital signature used by mailbox providers to ensure email messages aren't altered during transit to the recipient server.
• Domain-based Message Authentication, Reporting & Conformance (DMARC): DMARC is designed to reduce email-based abuse by unauthorized senders. It leverages SPF and DKIM authentication as part of the verification process.
• Domain alignment: Successful DMARC verification requires either the SPF (the Return-path domain) or the DKIM (d= domain) domain to match the From: domain of your email. When the domains match, they are "aligned".
• Compliant: Email authenticated successfully with SPF or DKIM and the domain aligns with the From: domain or was forwarded with an Authenticated Received Chain (ARC) chain present.
• Non-compliant: Email authenticated successfully on a domain for either SPF or DKIM, but the domain does not align with the From: domain.
• Unauthenticated: Email failed both SPF and DKIM authentication. 

Common challenges associated with authentication are: 

• We don’t understand what authentication is and why we need to do it. 
• We don’t have a way to monitor DMARC compliance across all our domains. 
• We need a way to identify domain abuse by unauthorized senders to protect our brand. 

Monitoring your DMARC compliance helps you: 

• Identify unauthorized abuse of your domain and brand. 
• Gain visibility into authentication compliance for your sending infrastructure. 

A traditional email marketing process consists of three phases: Pre-Send, In-Flight, and Monitoring. Consistently monitoring authentication compliance helps identify unauthorized use of your domain and can help troubleshoot deliverability problems.

Pre-send 

• Inform your email campaign strategy with Everest’s Competitive Intelligence feature
• Plan campaign 
• Select target subscriber list  
• Design campaign 
• Validate subscriber list using Everest’s List Validation feature
• Test campaign design using Everest’s Design & Content feature

In-Flight 

• Send campaign to subscribers and the Everest seed list 
• View your campaign’s inbox placement, spam, and missing results using Everest’s Inbox Placement feature

Monitoring 

• Monitor engagement metrics using Everest’s Engagement feature, your ESP, or internal sending platform. 
• Monitor sending reputation metrics using Everest’s Monitoring feature to understand the impact to your deliverability. 
• Monitor DMARC authentication compliance to identify unauthorized use of your domain and brand using Everest’s Infrastructure feature. 

Infrastructure data is visible in Everest’s Monitoring>Infrastructure feature. These metrics help you identify DMARC compliance trends.  

• Compliant: Email authenticated successfully with SPF or DKIM and the domain aligns with the From: domain or was forwarded with an ARC chain present.
  • Domain alignment is required for successful DMARC authentication.
• Non-compliant: Email authenticated successfully on a domain for either SPF or DKIM, but the domain does not align with the From: address.
• Unauthenticated: Email failed both SPF and DKIM authentication. 

DMARC authentication and forwarding DMARC reports to Everest is required to complete the steps within the Authentication Compliance Playbook series. Talk to your ESP, internal email administrator, or hosting provider about setting up SPF, DKIM, and DMARC authentication. Your ESP or hosting provider may include setup and configuration as part of your service agreement or offer it for an additional fee.

• If you do not have DMARC set up, follow all steps below.
• If you already set up DMARC, proceed to step 2 to forward your DMARC reports to Everest.

1. Set up DMARC

• How to set up a DMARC record 
  • How to set up SPF
  • How to set up DKIM

2. During your DMARC set up, forward reports to Everest.

• How do I set up my DMARC record to send reports to Everest?
• Can I have multiple reporting addresses in my DMARC record?

Supporting resources:

• What are the different tags of a DMARC record?
• Is a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record on a parent domain inherited by its sub-domains?
• How to ensure your DMARC record is not inherited by a domain's sub-domains

 Tips:

• If you use shared IPs through your ESP, SPF authentication will not work for DMARC because the SPF domain (the Return-path domain) won't align with your From: domain. Ask your ESP to set up DKIM authentication using your domain.
• Your ESP may authenticate your email with DKIM using the ESP's domain. If SPF authentication fails, then your DKIM's ESP domain will cause DMARC to fail because the domains won't align. We recommend asking your ESP to implement DKIM for your domain (a custom domain) in order to achieve domain alignment.
  • You can have two DKIM signatures in your email, it won't harm your sending reputation.
• DKIM implementation may take additional time to set up correctly if you are doing it on your own. If needed, start by setting up your SPF record and set up DMARC with the enforcement policy set to none (p=none). This allows you to forward reports to Everest and start identifying non-compliant and unauthenticated email faster.
• Authenticate with both SPF and DKIM so if one authentication method fails, you have the other one available as insurance (DMARC passes verification if SPF or DKIM passes verification with domain alignment). It is also a best practice recommended by all major mailbox providers.

Important! Be sure you are forwarding DMARC reports to Everest for the data to appear. 

 

1. Login to Everest 

2. Navigate to Monitoring>Infrastructure 

3. Locate the DMARC Compliance tile 

4. Locate your Compliance thresholds 

• Over 90% Compliant email is excellent, but you want to strive for all email to be compliant 
• 80-90% Compliant email is good but indicates some of your mail is non-compliant or unauthenticated 
• 70-80% Compliant email is average and needs your attention. 
• Under 70% Compliant email is poor and needs your immediate attention. 

Investigate all non-compliant or unauthenticated email as it may indicate an issue with your authentication configuration. If you see a large, unexpected increase in unauthenticated email, it could be due to an unauthorized sender using your domain to send spam.

 

Everest Dashboards provide a quick look into your email program's performance. Set up your DMARC Compliance Trend dashboard to identify authentication compliance patterns.

 

1. Login to Everest 

2. Navigate to My Everest>Dashboards>Custom Dashboards

3. Click Add Widget

4. Click the DMARC tile

5. Locate the DMARC Compliance Trend option and click the Select div

6. Accept the default setting and click Next

7. Click Save Widget

Your dashboard will now display the DMARC Compliance Trend widget. 

8. On the DMARC Compliance Trend widget:

• Roll your mouse over the date to see details.
• Click on the compliance options (Compliant, Non-compliant, and Unauthenticated) to exclude or include that compliance data in your trend graph.

1. Start monitoring your compliance data in Everest and proceed to the next playbook:

• Everest Authentication Compliance Playbook: Intermediate

2. Investigate and read our other Everest playbooks to help take your email marketing program to the next level.

• Everest playbooks