A great tip for this journey is to implement DMARC filtering on receiving, and then set it up to send you a copy of all the failure reports of email coming in. https://github.com/linkedin/lafayette/wiki/Screenshots#Lafayette_Process_within_DMARC
You will have great information on what emails need to be integrated, way before the business units realize something is wrong ;)

Make sure DMARC p=reject is a policy decided by your Executives and your Security department. It helps deflect pressure to make exceptions instead of doing the right things.

PS: I have seen domains moving from p=none (and even no DMARC at all) to p=reject within a day, but they were under heavy attack with mostly transactional emails. So it is possible to do it within a week with a lot of luck and pressure ;) I don't recommend it tho.

On Wed, Nov 4, 2015 at 9:46 PM, Roland Turner via dmarc-discuss <[email protected]> wrote:

> Hi Marc,
>
> Largely echoing others:
>
> - This is not a one-week project, you'll be lucky if it's a one-quarter project. To get to a steady state you have to (a) work with every 3rd-party sender used by every business unit in every country in which the companies do business, a non-zero fraction of whom won't [prefer to] speak English and (b) establish working procedural changes for all future uses of email worldwide that include establishing adequate authentication as part of every 3rd-party sender engagement.
> - Get expert help! There are many pitfalls, you are probably better off learning from a consultant with relevant experience than from angry business units whose revenues you just disrupted...
> - Definitely pilot with a few domains. Also take for granted the need to set different policies for different domains as you get authentication coverage up to an acceptable level at different times for different domains.
> - Survey the available tools. A small investment of time now will save you a lot of lost time and disrupted business later. Dmarcian is good. Agari is good. I assume Return Path is good. I have probably offended several people by forgetting about other excellent options.
> - Yes, you can send feedback for many domains to a single domain, but there is an access control protocol: the domain receiving all of the feedback has to publish specific additional DNS records to authorise mail-receivers/feedback-senders to send to an address in that domain (otherwise DMARC would provide a DDoS vector). All of the DMARC-feedback-analysis service providers provide destination addresses with this already set up, all of the large receivers performing DMARC processing will honour this when sending feedback.
>
> Good luck!
>
> - Roland
>
> <https://www.trustsphere.com> Roland Turner | Labs Director
> Singapore | M: +65 96700022
> [email protected]
>
> ------------------------------
> *From:* dmarc-discuss <[email protected]> on behalf of Marc Luescher via dmarc-discuss <[email protected]>
> *Sent:* Wednesday, 4 November 2015 19:48
> *To:* [email protected]
> *Subject:* [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC implementation
>
> Hi there,
>
> I am new to this mailing list but have the challenging task to implement SPF, DKIM and DMARC on Cisco Ironports for two extremely large worldwide companies with 100's of e-mail domains each. To make things more challenging by end of next week as we are under heavy spoofing attacks.
>
> So far we have implemented a lot of defensive mail filters on the Ironports for validation of domain, friendly names, AV, etc and are tagging all incoming e-mails so the end user can more easily find them in his inbox under the following structure, with rules doing the work:
>
> Inbox
>
> --Internal
> TO only
> CC
>
> --External
> Primary
> Trusted Partner
> Social (Facebook, LinkedIn etc)
> Public (public mailers)
> Newsletters (tagged)
> Potential SPAM
>
> It is my current understanding that the following order of things should be followed:
>
> a) Publish a DMARC record with a domain to collect feedback
> b) Deploy SPF for the mail domains
> c) Deploy DKIM for the mail domains
> d) Monitor SPF, DKIM and DMARC
> e) Implement DMARC policy to quarantine and/or reject
>
> It is my plan to start doing this with 1 or maybe 2 domains to get going.
>
> My questions now:
>
> a) does this sound like a good plan?
> b) in regards to dmarc records you need to specify an email address for replies, can this always be the same e-mail for all 100's e-mail domains?
> c) Did I miss something?
>
> I will be documenting this implementation and am happy to share for interested parties as it involved Notes, Outlook, Cloud, Ironports and much more.
>
> Thank you
>
> Marc
>
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
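The access-control step mentioned in the thread (the report-receiving domain publishing extra DNS records) is specified in RFC 7489, section 7.1. The following is an added example, not part of the original thread: it lists which `<sender>._report._dmarc.<receiver>` TXT records are still missing. The domain names, the zone dictionary and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(name):
    # Assumption: last two labels. A real check uses the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(tags):
    """Hosts of every mailto: URI in rua/ruf (a "!10m" size suffix is dropped)."""
    hosts = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:") and "@" in uri:
                hosts.add(uri.rsplit("@", 1)[1].split("!")[0].lower())
    return hosts

def is_authorised(zone, sender, host):
    """True if host publishes a v=DMARC1 record for sender (exact or wildcard)."""
    for name in (f"{sender}._report._dmarc.{host}", f"*._report._dmarc.{host}"):
        if zone.get(name, "").strip().startswith("v=DMARC1"):
            return True
    return False

def missing_authorisations(policies, zone):
    """Names of TXT records the report-receiving domain still has to publish."""
    missing = []
    for sender, txt in sorted(policies.items()):
        for host in sorted(report_hosts(parse_dmarc(txt))):
            external = org_domain(host) != org_domain(sender)
            if external and not is_authorised(zone, sender, host):
                missing.append(f"{sender}._report._dmarc.{host}")
    return missing

# Constructed sample data: three sending domains reporting to one mailbox domain.
POLICIES = {
    "brand-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net",
    "brand-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net!10m",
    "reports.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@reports.example.net",
}
ZONE = {"brand-a.example._report._dmarc.reports.example.net": "v=DMARC1"}

if __name__ == "__main__":
    print(missing_authorisations(POLICIES, ZONE))
```

Receivers that honour this check drop the external report address when the record is absent, so a missing entry shows up as a sending domain that never produces aggregate reports.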
