Hey Marc,

some thoughts inline:


> On Nov 4, 2015, at 06:48, Marc Luescher via dmarc-discuss 
> <[email protected]> wrote:
> 
> It is my current understanding that the following order of things should be 
> followed:
> 
> a) Publish a DMARC record with a domain to collect feedback
> b) Deploy SPF for the mail domains
> c) Deploy DKIM for the mail domains

Yes, this is how I would recommend approaching things. I don't know if b) and 
c) necessarily have to be serial. I think you can often start with DKIM while 
you're still gathering data for SPF. You definitely want to drive SPF record 
creation based on DMARC feedback data.

> d) Monitor SPF, DKIM and DMARC
> e) Implement DMARC policy to quarantine and/or reject

Agreed. Note that your SPF and DKIM will likely be somewhat iterative until you 
get your pass rates with both high enough to implement DMARC reject. Whether 
you start with quarantine or go directly to reject is up to you. I personally - 
having been in the large scale mail world for 15 years - do not like 
quarantine. If someone rejects a message you, as a sender, know it 
specifically. If a message is mistakenly quarantined you will see it in 
aggregate data but never know which message was sent into nirvana. If your 
customers are in regulated industries this can be particularly painful as a 
reject often triggers alternate delivery (such as via actual paper mail) so 
quarantine may be non-viable in those cases.

> It is my plan to start doing this with 1 or maybe 2 domains to get going.

Yes, this is BCP. Take one or two domains through to completion, rinse and 
repeat with increasingly large buckets of domains until you're done. You will 
also want to think about how to gate future domain acquisition/vendor 
onboarding. Typically this is built into the enterprise sourcing process.

> My questions now :
> 
> a) does this sound like a good plan ?

Yes.

> b) in regards to DMARC records you need to specify an email address for 
> replies, can this always be the same e-mail for all 100's e-mail domains?

Yes. <Commercial Plug> My day job is at a company called Agari whose sole 
business is receiving, aggregating and analyzing DMARC feedback data. Would be 
happy to show you more. </Commercial Plug>

> c) Did I miss something?

The only thing that jumps out at me is that you need to remember that the 
SPF/DKIM efforts will have one track for internally sourced email from your 
Ironports and other systems, and a set of parallel tracks while you discover 
which third parties (think newsletter/marketing senders like ET or Marketo, HR 
senders like Taleo, transactional email like Sendgrid or Mandrill, etc) your 
organizations use and get SPF and DKIM up on all of them with proper alignment. 
This can often be the lion's share of the work.

> I will be documenting this implementation and am happy to share for 
> interested parties as it involved Notes, Outlook, Cloud, ironports and much 
> more.

I'm not aware of a wiki or centralized spot where this kind of knowledge is 
collected, but I think it would be great to find and/or create one. DMARC.org 
might be a good place to do it, but would have to think it through.

Feel free to reach out if you have any questions on the above or if questions 
come up along the way.

Chris
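
Added example, not part of the message above or of any DMARC.org material: one way to turn DMARC aggregate feedback into the per-source pass rates that drive SPF/DKIM work before moving to reject. It assumes the RFC 7489 aggregate report XML layout; the sample report, the helper names and the 0.98 threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout (documentation IPs/domain).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
                 "</policy_published>"
                 + _rec("192.0.2.10", 940, "pass", "pass")    # own gateway, fully aligned
                 + _rec("192.0.2.10", 10, "fail", "pass")     # same source, DKIM broken
                 + _rec("203.0.113.5", 20, "pass", "fail")    # sender with aligned DKIM only
                 + _rec("198.51.100.7", 50, "fail", "fail")   # third party not yet set up
                 + "</feedback>")

def summarize(report_xml):
    """Per source IP: message total and aligned DKIM / SPF / DMARC pass counts."""
    if "<!DOCTYPE" in report_xml:  # reports are untrusted input: refuse DTDs/entities
        raise ValueError("DOCTYPE not allowed in aggregate report")
    stats = defaultdict(lambda: {"total": 0, "dkim": 0, "spf": 0, "dmarc": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        n = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        s = stats[row.findtext("source_ip")]
        s["total"] += n
        s["dkim"] += n * dkim
        s["spf"] += n * spf
        s["dmarc"] += n * (dkim or spf)  # DMARC passes if either aligned check passes
    return dict(stats)

def blockers(stats, threshold=0.98):
    """Sources whose DMARC pass rate is below threshold (assumed value), by volume."""
    low = [(ip, s["total"], s["dmarc"] / s["total"]) for ip, s in stats.items()
           if s["total"] and s["dmarc"] / s["total"] < threshold]
    return sorted(low, key=lambda t: -t[1])

def overall_pass_rate(stats):
    total = sum(s["total"] for s in stats.values())
    return sum(s["dmarc"] for s in stats.values()) / total

if __name__ == "__main__":
    st = summarize(SAMPLE_REPORT)
    print(f"overall DMARC pass rate: {overall_pass_rate(st):.1%}")
    for ip, total, rate in blockers(st):
        print(f"{ip}: {total} messages, {rate:.0%} passing")
```

Sources listed by `blockers` are the ones to identify (internal system, third-party sender, or unauthorized use) before tightening the policy.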

