What are the best methods for identifying email sending vendors for DMARC enforcement?
What email marketers say (17 marketer opinions)
Email marketer from Email Geeks suggests checking the logs from the change committee that owns the DNS for SPF-related information to identify vendor relationships.
Email marketer from Email Geeks states that the DMARC aggregate report lists sending IP (sample) followed by the 5322.From, the 5321.From (SPF domain), the DKIM signing domain(s) and selector(s) along with the policy decision.
Email marketer from EasyDMARC shares that maintaining a detailed inventory of all authorized sending sources (vendors, ESPs, etc.) is crucial for effective DMARC management. Regularly updating this inventory and verifying vendor authentication practices ensures accurate DMARC policies.
Email marketer from URIports explains that you should check with all departments of your company and maintain an up-to-date registry of who sends email on your behalf.
Email marketer from Email Geeks shares that one of the activities in the kick-off meeting is to appoint a supplier manager for each business unit or department, who then drives the work. The reports are certainly useful, but this is basic project management for any rollout that needs to know its suppliers.
Email marketer from Postmark explains that leveraging DMARC reporting tools to analyze sending sources helps identify unfamiliar vendors or services. By monitoring these reports, you can proactively address potential unauthorized email activity and update your DMARC policies accordingly.
Email marketer from Reddit suggests a starting point is to implement DMARC in 'p=none' mode to gather reports without affecting deliverability. Then start investigating the sending sources and identify legitimate vendors through reverse IP lookups and WHOIS data, then add them to your SPF record.
Email marketer from StackExchange explains that a good method is to find the IP netblocks that different ESPs use and then put them in your configuration. A good example of this is `include:netblocks.mailgun.org`.
Email marketer from Email Geeks says that the reports tell you about what you don't know, such as the CRM weekly report or the logs the system team needs.
Email marketer from Cloudflare shares the tip that all email senders who send on behalf of the domain should be added to the SPF record. If they are not in the SPF record then they will fail the DMARC process.
Email marketer from ZeroBounce suggests that setting up DMARC reports and properly analyzing the reports is key to understanding who sends mail on behalf of your domain. Check the aggregate reports to identify potential threats.
Email marketer from Email Geeks explains that a significant roadblock in DMARC deployment is swapping out or working around vendors/software that won't cooperate, which can be a lengthy process.
Email marketer from Email Geeks shares that what they'd like to see is a way to delegate third-party DKIM signers to help with groups of subsidiary companies using their own domains but the mothership still wants to send on their behalf using non-DMARC compatible means.
Email marketer from Email Geeks shares that reporting used to cost money, but now with free services like Valimail, the main challenge is getting clients to make time for it.
Email marketer from Email Geeks recommends sending a sample email, from which you can identify any vendor's infrastructure.
Email marketer from Email Geeks says that reporting is definitely useful during the discovery phase to identify alignment issues etc. But the existing governance structures do a lot of the work.
Email marketer from Mailtrap Blog shares that regularly auditing your authorized senders by comparing your known vendor list with the IPs and domains sending mail under your name is essential for DMARC. Also ensure that you include approved third-party senders to avoid deliverability issues.
What the experts say (8 expert opinions)
Expert from Word to the Wise shares the advice to never dive straight into enforcement. Starting too aggressively with DMARC before fully understanding your email ecosystem and identifying all legitimate sending sources can lead to deliverability issues. Begin in monitoring mode to gather data and identify vendors before enforcing policies.
Expert from Email Geeks notes that multiple Mailchimp accounts bring up a number of other policy issues that should be addressed when it comes to controlling messaging, anti-spam compliance etc.
Expert from Word to the Wise explains that requiring a list of IPs/domains used for sending email on your behalf should be part of any contract with a new vendor. This simplifies the process of identifying and authenticating legitimate senders for DMARC.
Expert from Email Geeks suggests identifying senders by talking to Finance and seeing who is expensing or billing for services that match the names.
Expert from Email Geeks recommends starting with the approved vendor list and asking them what the backend system is. Also, a quick SPF lookup on the domain will show the approved include ESPs.
Expert from Email Geeks shares how they get sign-off to say 'out of scope for the company AUP' and block them from sending.
Expert from Email Geeks recommends following the 'none', then 'quarantine', then 'reject' path, and building a new process for getting vendors approved before bringing a vendor online.
Expert from Email Geeks shares multiple strategies for identifying vendors. First, check the IPs mail is sending from, look up the owners, and ask accounts payable who gets the bills for those vendors. Second, block unauthenticated mail and see who complains. Third, ask the sales and marketing teams which vendors they're using.
What the documentation says (5 technical articles)
Documentation from Valimail mentions that using automated vendor discovery tools simplifies identifying all services sending email on behalf of your domain. These tools analyze DMARC reports and network data to provide a comprehensive list of vendors, streamlining DMARC compliance efforts.
Documentation from DMARC.org explains that analyzing DMARC aggregate reports is key. These reports provide insights into the sources sending email using your domain, allowing you to identify vendors and assess their compliance with authentication protocols.
Documentation from Microsoft Learn explains that using tools within Microsoft 365 to review email authentication results helps pinpoint sending sources. Analyzing authentication failures can lead to the identification of unauthorized vendors or misconfigured services.
Documentation from Google Workspace Admin Help explains that using SPF records is a method for specifying which mail servers are authorized to send email on behalf of your domain, which can help in identifying legitimate email sources and thus, vendors. This is a critical step before DMARC enforcement.
Documentation from Proofpoint shares that visibility into email channels is key to discovering sending vendors. Monitoring outbound email traffic and analyzing sender behavior patterns helps uncover both authorized and unauthorized email sources, enabling better DMARC enforcement.
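
The aggregate-report fields described above (sending IP, 5322.From, SPF domain, DKIM domain and selector, policy decision) can be turned into a vendor worklist. The following is an added example, not code from any of the sources quoted on this page; the report is a constructed sample and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate format, trimmed); every value is made up.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count><policy_evaluated>
   <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>s1</selector></dkim>
   <spf><domain>bounce.esp-one.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>8</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>crm-vendor.example</domain><selector>k2</selector></dkim>
   <spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(report_xml):
    """Return one row per (source IP, 5322.From, SPF domain), busiest first."""
    # Reports come from external receivers: parse real ones with a hardened XML parser.
    totals = defaultdict(lambda: {"count": 0, "failing": 0, "dkim": set()})
    for rec in ET.fromstring(report_xml).iter("record"):
        key = (rec.findtext("row/source_ip"),
               rec.findtext("identifiers/header_from"),
               rec.findtext("auth_results/spf/domain"))
        entry, n = totals[key], int(rec.findtext("row/count", "0"))
        entry["count"] += n
        for sig in rec.findall("auth_results/dkim"):
            entry["dkim"].add(f'{sig.findtext("domain")}/{sig.findtext("selector")}')
        # policy_evaluated holds the aligned results; DMARC passes if either is "pass".
        evaluated = rec.find("row/policy_evaluated")
        if "pass" not in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            entry["failing"] += n
    rows = [{"source_ip": ip, "header_from": hf, "spf_domain": spf, **v}
            for (ip, hf, spf), v in totals.items()]
    return sorted(rows, key=lambda r: -r["count"])

def needs_follow_up(rows):
    """Sources with mail that failed DMARC: vendors to identify, fix or block."""
    return [r for r in rows if r["failing"]]

if __name__ == "__main__":
    for r in needs_follow_up(summarize(SAMPLE_REPORT)):
        print(r["source_ip"], r["failing"], r["spf_domain"], sorted(r["dkim"]))
```

In the sample, the second source authenticates only as its own domain, so its SPF and DKIM domains name the vendor to chase before moving past `p=none`.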