As more inbox providers announce testing and support for Brand Indicators for Message Identification (BIMI), every sender needs to get their ducks in a row ahead of time. BIMI will allow brands’ logos to appear in the inbox, which should be advantageous to senders and (hopefully) result in an increase in recipient engagement.
To take advantage of BIMI, you not only need a Domain-based Message Authentication, Reporting & Conformance (DMARC) record, you need to be at DMARC enforcement (quarantine or reject). That being said, you don’t want to move to DMARC enforcement until you are sure all of your valid mail is passing DMARC. That’s where DMARC monitoring comes into the equation.
What is DMARC monitoring?
DMARC monitoring is the act of reviewing DMARC reports to check for unauthorized senders that are spoofing your domain.
When you first create a DMARC record, you include an email address that will receive the DMARC reports. The reports are incredibly valuable but are not easy to interpret. The raw DMARC reports are simply XML data dumps with lines of detail about the IP addresses and authentication status of each email (example below).
Valimail, Twilio SendGrid’s partner and a leader in zero-trust email security, offers free access to their DMARC Monitor tool for every Twilio SendGrid customer. After you create an account, you can add your sending domain(s) and update your DMARC record so that the DMARC reports are sent to Valimail.
Then, instead of running through XML data dumps, you have free access to a dashboard (example below) that provides all of the necessary data you need to make informed decisions around your DMARC policy, including every third-party service that sends from your domain.
How to get started with DMARC monitoring
DMARC monitoring is crucial to the security of your email program. An added bonus is that reaching DMARC enforcement will allow you to set up BIMI once it is generally available. In this section, you’ll learn how to monitor your DMARC reports with Valimail and reach DMARC enforcement.
1. Publish your DMARC record
The first step is to create your DMARC record if you haven’t already done so.
When you create that record, include Valimail’s reporting inbox in the rua tag so that the DMARC reports feed directly through to Valimail. Your DMARC record should look like this:
2. Create your DMARC monitoring account
After your DMARC record has been published to your DNS, the next step is to create your free DMARC monitoring account with Valimail.
3. Verify your sender sources
Once you have access to Valimail and you’re sending DMARC reports to Valimail, the next question is—what data should you focus on?
First and foremost, you want to make sure no one is trying to spoof your domain.
With DMARC monitoring, you’ll be able to see which sending services are being used to send mail from your domain, the volume of email sent from your domain, and whether or not that mail is passing SPF, DKIM, and DMARC.
Look through the sender sources and verify each one. If you don’t recognize a sender source, it’s possible that either someone else within your organization is sending mail using your domain or someone might be spoofing your domain… and damaging your reputation.
For more information on spoofing, phishing, and how to protect your email program, check out our guide, Uplevel Your SenderOps.
4. Reach DMARC enforcement
After you identify that all of your valid mail is passing DMARC, then you can update your DMARC record to a policy of “quarantine” or “reject,” also known as DMARC enforcement.
DMARC enforcement ensures that only authorized sending domains are able to send your mail.
In order to implement BIMI, you need to have one of those policies enabled. A policy of “none” will not allow a sender to implement BIMI.
5. Continue to monitor
Even after you move to a policy of “quarantine” or “reject,” it’s important to monitor your DMARC reports. If you experience a change in your sending services, whether from internal factors or updates from the services, you must have a system in place to monitor these changes. This can be done by monitoring the daily DMARC reports to verify the authentication status of your approved services and identify any new services that may pop up on these reports.
Once you notice a service that is failing authentication, follow the previous steps to update the service or add the appropriate SPF record and DKIM key for the authorized services. You’ll also need to remove the SPF or DKIM specifications for services that are no longer valid.
DMARC monitoring takeaways
DMARC monitoring allows you to keep tabs on who is sending email from your domain, take steps to block unwanted senders, and reach DMARC enforcement. While not a cure-all, DMARC enforcement provides added protection to your email program and allows you to implement BIMI. A logo of your brand in the inbox may seem small, but that additional image increases brand recognition and helps recipients trust your email.
Sign up for Valimail’s free DMARC Monitoring tool. Feel good knowing you are protecting your domain and taking the next steps toward implementing BIMI.