What are best practices and costs for implementing DKIM, SPF, and DMARC?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Mailjet explains that a best practice for SPF implementation is to only include the domains and IP addresses from which you actually send email. Also, ensure you only have one SPF record per domain.
Email marketer from SparkPost stresses that proper alignment between SPF and DKIM is essential for DMARC to function correctly. Your 'From' address domain must match the domain used for SPF and DKIM validation.
Marketer from Email Geeks shares that DMARC reporting allows you to identify mailstreams and where you aren't being authenticated against your domain, providing visibility to where mail providers see your mail coming from and how it's being authenticated.
Email marketer from EasyDMARC shares that DMARC implementation costs can vary widely depending on factors like the size of your organization, the complexity of your email infrastructure, and whether you choose to implement DMARC yourself or use a managed service. Costs can range from a few hundred dollars per month to several thousand.
Email marketer from StackExchange notes that DKIM provides email integrity by verifying that the content of the email hasn't been altered during transit, in addition to authenticating the sender.
Email marketer from MXToolbox explains that SPF (Sender Policy Framework) allows you to specify which mail servers are authorized to send email on behalf of your domain. This helps prevent spammers from forging your email address.
Email marketer from Validity shares that monitoring DMARC reports is crucial for identifying and addressing authentication issues. This helps ensure legitimate emails are properly authenticated and prevents malicious actors from spoofing your domain.
Email marketer from Reddit shares that when setting up DMARC, it's best to start with a policy of 'p=none' to monitor your email traffic and identify any issues before enforcing stricter policies like 'quarantine' or 'reject'.
What the experts say (9 expert opinions)
Expert from Email Geeks explains that before setting any DMARC record, you should do a round of "is all our mail authenticated?" then go p=none to find whatever bits you didn’t know about, then go p=quarantine pct=0 and discover the next set of mail you didn’t know about.
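Added example (not code from any of the quoted sources): a small DMARC evaluator showing the identifier-alignment rule the SparkPost item mentions and the p=none / p=quarantine pct=0 stages described just above. Organizational-domain matching is simplified to the last two DNS labels, which is an assumption; real receivers use the Public Suffix List.

```python
import random

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; pct=0' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List, so this is wrong for e.g. *.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain. No auth_domain means no pass."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None, roll=None):
    """Return (dmarc_pass, disposition) for one message.
    spf_domain: MAIL FROM domain that passed SPF, or None if SPF failed.
    dkim_domain: d= of a signature that verified, or None if none did.
    roll: receiver's 0-99 sample for pct; drawn randomly when not given."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"          # at least one aligned pass: DMARC passes
    policy = tags.get("p", "none")
    if policy == "none":
        return False, "none"         # monitoring only; failures show up in reports
    pct = int(tags.get("pct", "100"))
    if roll is None:
        roll = random.randrange(100)
    if roll < pct:
        return False, policy         # message is in the sampled fraction
    # Outside the sample the next weaker policy applies (RFC 7489 pct rule),
    # which is why p=quarantine pct=0 still reports but never quarantines.
    return False, ("quarantine" if policy == "reject" else "none")
```

Every (False, ...) result is what would appear as a failure row in the aggregate reports, so p=quarantine pct=0 surfaces the unknown mail streams without any delivery impact.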
Expert from Email Geeks advises to start DMARC with p=none to avoid unpleasant surprises.
Expert from Email Geeks explains that not seeing a DMARC record for intouchhealth.com might explain the 0% DMARC reporting.
Expert from Email Geeks shares that setting p=none has a significant cost associated with either paying someone to create and maintain a reporting system or paying a third-party provider to manage the mail, including the ongoing cost of someone reviewing reports and acting on identified problems.
Expert from Email Geeks explains cost is relative to the size and complexity of the business; simple for an individual, potentially costly and time-consuming for a large corporation.
Expert from Email Geeks calculated it would cost around $40K to do DMARC here at WttW.
Expert from Word to the Wise emphasizes that implementing DMARC, especially moving beyond a 'p=none' policy, involves significant costs related to process development, vendor management, and ongoing monitoring. Companies should carefully consider the value of stricter DMARC policies against these costs.
Expert from Email Geeks states it is expensive to implement DMARC correctly.
Expert from Spamresource.com explains that the SPF hard fail mechanism indicates that a host is definitively not authorized to send mail for a domain and will likely be marked as spam.
What the documentation says (4 technical articles)
Documentation from Google explains that SPF records can prevent spammers from sending messages with forged 'From' addresses at your domain. When a receiving mail server checks that messages from your domain comply with the SPF record, messages are more likely to be correctly classified and not marked as spam.
Documentation from Cloudflare explains that a DMARC record is a TXT record in your DNS that tells receiving mail servers what to do with emails that fail SPF or DKIM checks, such as quarantining or rejecting them.
Documentation from Microsoft explains that DKIM adds an encrypted digital signature to outbound email messages. This signature allows receiving email servers to verify that the message was indeed sent by your organization and wasn't spoofed.
Documentation from DMARC.org shares that a DMARC policy enables a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message.