Email is a vital tool for the lifeblood of business communication all around the world. It’s so critical to the everyday running of organizations big and small, that many would agree it’s just as essential a service as electricity or water.

But its importance is exactly what makes email vulnerable from a cybersecurity perspective. With 3.4 billion phishing emails sent every day, it's evident that email systems are the prime target for cybercriminals seeking access to your business. All it takes is a single employee  to fall victim to a socially engineered scam, click on an infected link, or download a malicious attachment, and your entire operation could grind to a halt.

Given how important it is for organizations to secure their email, we’ve developed this comprehensive guide to help both beginners and buyers with their email security related queries. In the following chapters, you’ll find in-depth information on:

The email landscape and the types of threats that exist 

The different types of email security protocols or how they protect organizations from attacks, such as SPF, DKIM, MTA-STS, and DMARC

What to look for in an email security provider

If you're an email security architect or an analyst looking for a more technical guide, visit our Technical Email Configuration Guide. This comprehensive handbook explores SPF, DKIM, DMARC, MTA-STS, and more, offering insights and practical tips for enhancing your email security posture. 

Red Sift's guide helps beginners and buyers with information on the email landscape, threat types, and how to stay protected.

Introduction to Red Sift's Email Security Guide

Introduction

The problem with email: It isn’t as secure as you thought 

Email security technologies come in many forms. But ultimately, all have a common set of goals: keeping the volume of spam emails down, detecting threats, and stopping them from reaching your inbox.  

More often than not, these technologies work by looking for the most common traits of a malicious email - like a blacklisted IP address or a suspicious domain - and then blocking it from reaching your inbox.  Exact domain impersonation is when an attacker uses your domain to send a fraudulent email.

All email security measures (apart from DMARC - more on that later!) are ineffective at spotting a malicious email when it appears to come from a legitimate domain.  

This is because of a flaw in Simple Mail Transfer Protocol (SMTP) - the internet standard for transmission of electronic messaging. In October 2008, the Network Working Group officially labeled it ‘inherently insecure’. They said that anyone could impersonate a domain and use it to send fraudulent emails pretending to be the domain owner. 

Anyone with a very basic knowledge of coding can learn the steps required to impersonate someone’s email identity. All it takes is a quick Google search. The result is an email that looks legitimate and doesn’t have the typical indicators of a phishing attack, such as a suspicious email address. A recipient email server will then allow this email into an individual’s inbox (if the right security measures are not in place). It’s then hard for them to see that the email is, in fact, a phishing attack using a spoofed domain. 

A spoofed domain is a deceptive website or email address created to resemble a legitimate domain. There are various types of spoofing techniques, such as:

Exact domain impersonation - when an attacker spoofs your exact domain only. For example, yourcompany.com

Lookalike domain - when an attacker registers a domain that is so similar to the original domain, it makes it difficult to spot. This is also referred to as typosquatting. For example,  yourc0mpany.com

Subdomain spoofing - when an attacker creates a legitimate-looking subdomain page where they might set up a malicious form that harvests credentials. For example, login.yourcompany.com 

Email phishing is when an attacker or ‘bad actor’ sends fraudulent emails pretending to be from a reputable organization, with the purpose of getting the recipient to reveal sensitive information like bank details or personal data. Sometimes, phishing emails are sent with the intention of deploying malicious software to the victim’s infrastructure. 

According to APWG’s Q4 2023 Phishing Activity Trends Report, 2023 was a record year for phishing attacks. In total, there were almost five million phishing attacks in 2023, the worst year for phishing on record and eclipsing the 4.7 million attacks seen in 2022.

A traditional phishing attack usually involves one fraudulent email being sent to multiple recipients. However, phishing attacks are becoming increasingly personalized thanks to the rise in social engineering, the practice of using psychological tactics to get victims to divulge sensitive information. There’s much more information readily available online, and attackers can use this to craft more specific and targeted attacks. 

While some phishing attacks focus on the consumer, bad actors know that there is much more to be gained by targeting an organization. Business Email Compromise (BEC) is an umbrella term that describes phishing attacks that target an organization by impersonating its domain. The attacker relies heavily on Social Engineering and crafts a phishing email designed to look like one from someone inside the business  (usually the CEO). The main aim of this type of attack is to steal money or sensitive data.

According to Verizon’s 2023 Data Breach Investigations Report, BEC attacks (a type of Social Engineering attack) remain remarkably efficient and lucrative for cybercriminals, as indicated by the nearly twofold increase in Verizon's incident 2023 dataset. Currently, BEC attacks constitute more than 50% of all Social Engineering incidents.

The types of attacks that come under the umbrella term Business Email Compromise include: 

Ransomware is malicious software that encrypts files or locks down computer systems, demanding payment (a ransom) for their release.

When the attacker poses as the CEO or another senior executive and targets employees. 

When the attacker tries to trick the recipient into paying an invoice or multiple invoices. 

An attack targeting those with access to Personally Identifiable Information (PII), such as HR managers.

Account compromise refers to unauthorized access to a user's account by a third party, often resulting in the theft of sensitive information or misuse of the account for malicious purposes.

Phishing attacks have varying levels of sophistication

It’s not surprising that many users are deceived by phishing emails. When done well, they can be almost impossible to spot. Organizations that experience phishing attacks haven’t necessarily done anything wrong, and the attacker doesn’t even need access to their systems to carry one out. But regardless, many governments and regulators consider organizations to have a responsibility to safeguard their customers against phishing attacks. So organizations that haven’t taken appropriate measures to safeguard their customers may be liable for a data breach - and penalties. 

In the last decade, a series of email protocols have been introduced by industry leaders to try and improve email security, but email impersonation bypasses many of these. 

Dive into the next chapter to gain a quick understanding of these protocols and what they protect against. 

In October 2008, email was officially labeled as ‘inherently insecure’. It was said that anyone could impersonate a domain and use it to send fraudulent emails pretending to be the domain owner. 

SPF was developed to help fight sender address forgery by comparing the sending server’s IP address to a list of authorized senders.

Your SPF record - outlining all senders (IP addresses) authorized to send emails on your behalf - is stored in your Domain Name System (DNS) as a TXT (text) record. When an email is sent using your domain, the receiving mail server/DNS checks this record to see if one of the IP addresses matches. If it does, then the receiving sender knows it’s from a legitimate source, and the email is authorized to land in the recipient's inbox.

An SPF lookup is when the DNS receiving your email has to ‘look up’ the IP addresses present in any of the include statements within your record, to check if they match with the IP sending your email. 

An SPF include is a feature within SPF records that allows domain owners to include the SPF records of other domains in their own SPF policy. This enables streamlined management and ensures that the included domains' email sending policies are considered when determining the legitimacy of emails sent from the including domain.

The SPF lookup limit is the number of times a recipient DNS can carry out a lookup for a domain with a maximum cap set at 10.

You can add unlimited singular IP addresses to your record without incurring additional DNS lookups, as they are directly visible in the record.

But this isn’t the case for include statements, and the number of IP addresses an include has equals the number of lookups the receiving DNS has to carry out. This contributes to your maximum total of 10. 

So for example, you might have 3 IP addresses listed in your SPF record as they are, an include statement for Google (which contains 4 IP addresses) and an include statement for Mimecast (which contains 6). The receiving DNS doesn’t need to carry out lookups for the visible IPs, but it does for the Google and Mimecast include statements. So in this case, you’ve reached your total of 10.

In reality, 10 lookups aren’t enough, because most businesses use a number of tools that send emails on their behalf. These will all have their own include statements, which will include IP addresses, and so will require lookups. If you go over the limit, then you’ll likely fail authentication and your deliverability will suffer.

One of the main reasons the SPF record might be failing for your email traffic is the “too many DNS lookups” error. The SPF specification limits the number of DNS lookups to 10. If your SPF record results in more than 10 DNS lookups then SPF will fail. The SPF mechanisms counted towards DNS lookups are: a, ptr, mx, include, redirect and exists. “ip4”, “ip6” and “all” do not count towards the lookup limit.

If that all sounds a bit too technical, think about it this way. G Suite alone takes up 4 DNS lookups, add in Hubspot for marketing which uses 7 lookups then you’ll already be over the 10 lookup limit! As soon as you go over 10 SPF lookups, your email traffic will begin to randomly fail validation.

What is DomainKeys Identified Mail (DKIM)?

DKIM stands for DomainKeys Identified Mail, which is an email authentication protocol designed to prevent message modification in transit, a method often used in phishing and email scams.

DKIM is a more recent standard and more complex than SPF. Its functionality is based on using asymmetric cryptography in the signature parts of the email. There is a private key stored on the server that sent the email, a place where it could never be read by the end-user, and a public key which is published in the DNS record of the sender’s domain and is used to decrypt email signatures.

In other words, when an email is composed, its headers and body are signed using the private key of the sender to create a digital signature, which is also sent as a header field along with the email. On the receiver’s side (if DKIM is enabled), the server retrieves the public key and verifies if the email was indeed signed by the sending domain. If the signature is successfully validated, that proves that the sending domain sent the message and also that the headers and body of the message have not been modified or tampered with during transmission.

Yes, DKIM is an essential security protocol that enhances your outbound email protection and is an essential part of the DMARC verification process. 

A DKIM signature is the private key attached to an email that confirms it’s come from you. 

In this chapter, we discuss Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and explain how they protect you from email-based threats.

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)

SPF and DKIM

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

The Simple Mail Transfer Protocol (SMTP) alone does not provide security, making it vulnerable to malicious attacks such as man-in-the-middle attacks. A man-in-the-middle attack is where communication between two servers is intercepted and possibly changed without detection by the recipient.

In addition, encryption is optional in SMTP, which means that emails can be sent in plaintext. If a plaintext email was intercepted in transit, it could easily be read and manipulated. Without MTA-STS, an attacker can intercept the communication and force the sending service to send the message in plain text. 

By enabling MTA-STS, a TLS connection is required which ensures encryption and keeps your emails private. The MTA-STS standard is so critical to improving the security of SMTP that it has widespread support among major mail service providers such as Google and Microsoft.

For more technical details, visit the MTA-STS and TLS chapter in our Technical Configuration Guide.

MTA-STS is a standard that ensures messages are encrypted during transfer between mail servers, protecting emails from interception by cybercriminals.

What is MTA-STS?

MTA-STS

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It’s an outbound email security protocol that allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails.

DMARC stops bad actors from pretending to be you and sending phishing emails to your employees, customers, and supply chain. This authentication of an email’s origin with DMARC also greatly improves deliverability. 

The more companies and institutions enforce a DMARC policy of p=reject for their outbound email, the safer the email ecosystem becomes overall. This is because attackers and bad actors will have fewer domains to ride on the back of to carry out attacks. So as a result, more sensitive information is protected, industry requirements are met, more money is saved and fewer attacks are successful.

What type of threats does DMARC protect against?

DMARC is an outbound security protocol, meaning it simultaneously protects recipients and your brand reputation from being exploited. It’s important to remember that bad actors who use your domain to trick people into opening emails aren’t doing so by chance, they’re piggybacking off the weight of your brand reputation and relying on it to encourage email opens. 

DMARC stops this exact domain impersonation, by telling recipient servers not to accept any emails which aren’t authenticated to have come from you. So, bad actors cannot use your domain to send phishing emails and carry out Business Email Compromise (BEC).

What are the business benefits of implementing DMARC?

Aside from providing a strong email security posture, DMARC can offer some real business benefits too. Below are some of the key advantages of implementing DMARC.

DMARC provides reports showing most, if not all, emails that come from your organization’s domain. This contrasts with traditional cybersecurity solutions which only pick up inbound phishing emails. Without DMARC, organizations are not getting a complete picture of the number and scale of attacks against them.  

Protect your reputation and shut down brand abuse

Phishing attacks that use exact impersonation can cause considerable reputational damage. Phishing scams attract negative press, with liability often attributed to the organization that has been impersonated. 

Paying fake invoices or completing wire transfers from emails impersonating a business’ CEO is common. 

Get your registered logo on your emails 

BIMI (Brand Indicators for Message Identification) is a standard that enables your registered logo to be visible in the avatar slot of any DMARC authenticated emails you send, by using Verified Mark Certificates. BIMI increases your brand impressions, and research has found it has a significant positive impact on consumer trust, interaction, and purchasing decisions. Being DMARC compliant means you’re eligible to take advantage of this brand-enhancing reward.  

When DMARC is set up correctly at a policy of p=reject, senders signal to ISPs that they are actively taking measures to authenticate their emails and improve their domain security. This builds trust with ISPs, reducing the likelihood of legitimate emails being mistakenly marked as spam or phishing attempts.

Organizations that fail to take the necessary precautions to prevent email spoofing are likely to be considered less trustworthy. Customers may not trust emails that supposedly come from these organizations and could be deterred from using email to communicate with them, which can impact on those organizations’ ability to communicate effectively with their customers. By implementing DMARC, you’re putting a robust measure that confirms your organization’s identity in place 

Shadow IT refers to legacy systems or technology set up by various departments in a business to plug a gap in existing infrastructure, and it’s not always easy to identify or remove. DMARC gives you the visibility necessary to identify and resolve any outlying software or systems, meaning nothing will accidentally be sent out by these legacy systems. Implementing DMARC uncovers all the email services sending emails from your domain, whether you officially know about them or not.

How DMARC supports compliance and regulation efforts

DMARC helps organizations comply with email security recommendations made by global government bodies such as NIST, NCSC, and the European Commission.

The EU's revised Directive on Security of Network and Information Systems (NIS2 Directive) has dramatically increased the regulatory pressure on organizations to take proactive action against phishing through a DMARC policy of "reject.”

The NIS2 Directive is an EU regulation that establishes a high common level of cybersecurity across the EU. For 'Essential and Important Entities,' compliance with this directive is mandatory.

Although the text of the NIS2 Directive does not explicitly mention DMARC or a "reject" policy, several of its requirements are related to the principles that DMARC upholds, and the absence of a DMARC policy of "reject" could be considered to weaken compliance with as many as five of direct NIS2 requirements or principles. 

Security by Design and by Default: The NIS2 Directive requires ‘providers of public electronic communications networks or of publicly available electronic communications services’ to implement security by design and by default. As a global and well-accepted internet standard for the prevention of email domain impersonation, a DMARC policy of “reject” forms an important part of a security by design and by default strategy. 

Risk Management Measures: The NIS2 Directive requires 'Essential and Important Entities' to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems. A DMARC "reject" policy aligns with this requirement as it is a key measure to manage the risk of email phishing and spoofing attacks, which can lead to the risks outlined in this document.

Supply Chain Security: The NIS2 Directive requires entities to ensure the security of their network and information systems, including those of their supply chain. A DMARC "reject" policy can help by ensuring that only authorized third-party vendors can send emails on behalf of the entity, which can help prevent phishing attacks that originate from compromised vendors as well as protect the third-party vendors themselves from becoming victims of attacks that impersonate an organization.

Incident Reporting: Entities must report incidents having a significant impact on the continuity of essential services. While DMARC itself is not a reporting mechanism for security incidents, the detailed aggregate and forensics reports it generates can help organizations identify and respond to security incidents related to email spoofing.

Resilience: Entities are required to take measures to ensure the resilience of their systems and networks. A DMARC "reject" policy contributes to this by protecting the organization's email communication system, a critical part of its network, from being misused by unauthorized senders.

The Digital Operational Resilience Act (DORA) is a regulatory framework by the European Union aimed at ensuring the digital operational resilience of the financial sector. It seeks to establish a stringent, harmonized set of rules for digital operational resilience, including areas such as ICT risk management, incident reporting, digital operational resilience testing, and more. 

Even if an organization is not classified as a financial institution, DORA defines criticality thresholds for services provided to financial institutions. If an organization is a direct service provider to a financial institution and its services meet these thresholds, then the company is subject to DORA. Furthermore, it is likely that under DORA, these financial institutions push more stringent security controls onto their providers, including DMARC with a policy of “reject”.

While DORA does not go into specific technical detail, it does press three relevant aspects for DMARC at a policy of “reject”:

​​ICT Risk Management: One of DORA's key aspects is to ensure effective ICT risk management. Implementing a DMARC "reject" policy directly contributes to this by preventing phishing attacks, email spoofing, and other email-based threats. This enhances the security of the ICT ecosystem, aligning with DORA's objectives.

Third-Party Risk: One of DORA's key aspects is to ensure effective ICT risk management. Implementing a DMARC "reject" policy directly contributes to this by preventing phishing attacks, email spoofing, and other email-based threats. This enhances the security of the ICT ecosystem, aligning with DORA's objectives.

Operational Resilience: DORA places a strong emphasis on the operational resilience of financial services providers. A DMARC "reject" policy can help enhance operational resilience by ensuring the integrity and authenticity of email communications, reducing the risk of disruptive incidents caused by phishing or other email-based attacks.

General Data Protection Regulation (GDPR) came into force in May 2018, requiring you to have Data Processing Agreements (DPAs) with every cloud service provider that handles EU consumer data on your behalf. With DMARC, if a cloud service provider does send emails using your company’s domain name in the ‘From’ field, then DMARC will reveal them to you. While a DMARC "reject" policy is not explicitly required by GDPR.

DMARC has been widely adopted by most email receivers (including Google, Yahoo, and Microsoft), which means that most consumer inboxes are already protected. 

In addition, since February 2024, Google and Yahoo have introduced new email requirements for bulk senders (those who send more than 5,000 emails a day). These requirements stipulate that you:

Send from a domain with a DMARC policy of at least p=none 

Set up one-click unsubscribe for recipients of promotional mail

Those who fail to meet these requirements will see Google and Yahoo limiting sending rates or marking legitimate messages as spam. To find out more, visit our informational Google and Yahoo page.

DMARC works using the existing security protocols SPF and DKIM. Your SPF record is a whitelist of IP addresses you’ve authorized to send emails using your domain. DKIM acts like a digital signature, letting the recipient know you are who you say you are. When you first configure DMARC, you’ll spend some time classifying which senders you’ve authorized to send emails using your domain, and which you haven’t.

Both SPF and DKIM are essential to your email security setup, but neither prevents exact impersonation. While the protocols tell the recipient who the email is from, the recipient has no instruction to act on this knowledge, i.e. it doesn’t know what to do with your email. 

So, DMARC works by combining the results of SPF and DKIM to determine if your email is authentic and authorized. Then, the DMARC policy you have in place tells recipient servers what to do with it. 

Your DMARC policy is essentially the instruction you give to receiving servers, telling them what to do with emails that come from your domain. There are three policies to choose from:

p=none: this policy tells the recipient server to accept all emails from your domain, regardless of whether they pass authentication or not.

p=quarantine: this policy tells the recipient server to send any emails from your domain that fail authentication to spam.

p=reject: this policy tells the recipient server to reject any emails coming from your domain that fail authentication.

Typically, when you implement DMARC for the first time you will start with a policy of p=none. This policy means that you are in reporting-only mode and you don't want any policy to be applied to your emails if they fail DMARC. During this stage you are simply gaining visibility into how your domain is being used around the world and what services are sending emails on your behalf. At this stage you simply identify your legitimate sending services and configure each one with SPF and DKIM so that they send DMARC compliant emails.

Once you are confident that your sending services are fully configured you can change your DMARC policy from p=none; to p=quarantine. This means that from this point on any emails that fail DMARC will have this policy applied to them, which means that usually they will be sent to the spam folder of the recipient.

If you do not encounter any issues during the p=quarantine; stage and only spoofing emails are being quarantined you can change the policy once more from p=quarantine to p=reject. At p=reject, you are telling recipients to reject any emails that fail DMARC. This means that end recipients will never receive the emails as they will simply be rejected at the SMTP level. This is the strongest level of protection which means that no one will be able to spoof your domain. Any emails that do not originate from your legitimate sending services will be rejected as they will fail DMARC. 

To learn more about the technical ins and outs of DMARC, visit our dedicated DMARC chapter in our Technical Configuration Guide.

Learn more about DMARC, the email security protocol that lets domain owners take back control of their email identity by telling receiving inboxes to reject spoof emails.

What is Domain-based Message Authentication, Reporting, and Conformance (DMARC)? 

DMARC

Global mandates and guidance for DMARC in 2024

For cybersecurity, email security and IT teams, understanding and adhering to global DMARC (Domain-based Message Authentication, Reporting, and Conformance) requirements is imperative. 

At Red Sift, we have put together a tabulated overview of DMARC mandates and guidance enforced across different regions worldwide. Our aim is to provide a clear, unambiguous guide that consolidates the varying global requirements into one accessible format. 

Whether you are an IT security professional, email administrator, or a compliance officer, this table will serve as an essential tool to ensure your organization’s email security aligns with international best practices and requirements.

Global DMARC mandates and guidance

The landscape of email security and authentication is constantly evolving. 

At Red Sift, we understand the complexities involved in implementing and managing DMARC. Our award-winning Red Sift OnDMARC is designed to simplify the path to DMARC enforcement, offering you best-in-class technology and expertise.

We've created a table summarizing global DMARC mandates and guidance, offering a clear and unified overview of regional requirements.

Global mandates and guidance for DMARC

Brand Indicators for Message Identification (BIMI) is an email standard introduced in 2021 that enables businesses to show their brand logo in the avatar slot of the DMARC-authenticated emails they send. It gives assurance to users that an email is from the company it claims to be from by inserting their logo.

BIMI inserts a trademarked logo alongside emails of participating providers. It doesn’t stop phishing/spoofing - that’s DMARC’s job - however, if someone tried to spoof you when you have BIMI in place, your logo won’t appear, and depending on your policy, the email may not even arrive. 

When implemented using a Verified Mark Certificate (VMC), Brand Indicators for Message Identification (BIMI) has a number of benefits for businesses of all shapes and sizes. Showing a verified logo in email using a VMC can help businesses enjoy:

After a 5-second exposure, brands that had applied a trademarked logo increased their recall by up to 44%. The stronger the brand, the higher the recall increase, up to 120%.

Irrespective of brand strength or market share, the inclusion of a trademarked logo uplifts open rates by up to 39% in both transactional and promotional emails.

Improved average purchase increase by 32%

Prospects are more likely to purchase when a trademarked logo is applied. The email open uplift carried over to purchasing decisions with an average buying increase of up to 32%

90% increase in confidence in an email's legitimacy

The use of a trademarked logo in an email using BIMI increased consumer confidence in the legitimacy of an email by as much as 90%.

To find out more about the impact of a visible logo in an email’s avatar location on open rates, brand recall, and buying behavior, read the research report here

Similar to SPF, DKIM, and DMARC records, your BIMI record lives in your DNS as a text (TXT) file. When an email you send arrives in the recipient inbox, the recipient server looks this up to check that it’s coming from a verified sender (using DMARC). Once authenticated, the BIMI TXT file informs the recipient server of the logo’s location, and it is then made visible in the recipient inbox.

A BIMI record is a text (TXT) record that includes your BIMI logo SVG file’s URL. Here's an example: 

v=BIMI1; l=https://bimi.entrust.net/redsift.io/logo.svg; a=https://bimi.entrust.net/redsift.io/certchain.pem

The time it takes to deploy BIMI can vary from business to business. Most of the time, it depends on your organization’s size, the complexity of your infrastructure, your DMARC status, and whether you already have your logo trademarked.

To obtain a VMC, your organization’s domain needs to be in DMARC p=reject. With OnDMARC, this can be achieved in just 6-8 weeks.

Businesses that have benefitted from BIMI

Learn more about how Red Sift has helped big-name brands with their BIMI implementations and how they’ve used the protocol to improve their email marketing and boost email security.

Currently, the list of mailbox providers that support BIMI includes Google, Apple, Yahoo, and Fastmail, among others. Check the full list here.

Learn more about the only integrated BIMI and VMC application available on the market today, Red Sift OnDMARC's BIMI feature

Learn more about BIMI, the email standard that enables businesses to show their brand logo in the avatar slot of the DMARC-authenticated emails they send.

What is Brand Indicators for Message Identification (BIMI)?

BIMI

When it comes to DMARC, it might seem quick and easy to cover just the basics for a basic price. But, you won’t get far on your journey to full protection if your provider doesn’t offer much beyond reporting. Here we provide the type of features, design, and extras that will fast-track your DMARC journey.

Informative dashboards that help you see all the email validations taking place within your domain, allow you to easily identify misconfigurations, and see the scale and frequency of spoofing attacks. 

After report analysis, configure SPF and DKIM policies to ensure that your organization’s identity can only be used by legitimate users. This process should help you to confidently move through the various stages of DMARC implementation until your organization reaches the p=reject policy. 

As your organization grows, you will undoubtedly have to update your DMARC configuration to ensure that your domain continues to be protected and that deliverability is unaffected. A good DMARC product will allow you to easily update and maintain your SPF and DKIM configurations, as well as provide clear alerts if or when one of these breaks.

Brand Indicators for Message Identification (BIMI) 

Deploy BIMI to display your verified logo in the avatar slots of DMARC-authenticated emails to boost brand trust and improve open rates.

An SPF solution that allows you to overcome the 10 SPF lookup limit 

The SPF protocol is limited to 10 lookups. This is often an issue for organizations that use a number of cloud services since they will quickly reach this limit. Once this limit has been reached, legitimate emails may fail SPF authentication. Look for a tool that allows you to safely overcome this 10 SPF lookup limit.

You also want to make sure that your DMARC provider’s SPF solution isn’t macro-based. This is because macros aren’t supported by many legacy email infrastructures, causing huge email deliverability issues. Ensure your provider understands macros but does not rely on them.

Manage your DMARC, SPF, DKIM, BIMI, and MTA-STS records from within the tool

Edit, make changes to, and host records from inside your user interface without having to go into your DNS providing you with autonomy and flexibility.

Easily identify sources failing authentication with forensic reporting

Clear forensic reports for emails that have failed DMARC validation give you comprehensive and useful insight into the individual emails themselves. Be sure to double-check that a provider does this after they’ve redacted the body of the email. 

Immediately check your email configuration

Typically when you make a DNS change, you have to wait for the first aggregate reports to arrive in order to see the impact of the change, this can take up to 24 hours. Some DMARC vendors offer tools that allow you to check the results of changes to your configuration of your SPF, DKIM, FCrDNS, and TLS immediately. 

Seamless integration of data from your DMARC solution with your existing security dashboards creates a one-stop shop for all email security analysis. 

This allows your organization to integrate DMARC  with other key IT systems, such as Okta so that it can be accessed with a single sign-on to an organization’s security setup. 

An implementation package can help your organization put DMARC protection in place more quickly, minimizing your exposure to exact domain impersonation. The services included should enable you to identify valid sources of email within your organization, configure them correctly, and then put DMARC into quarantine or reject.

The benefit of having a managed service is that you have access to a team of experts who are available at all times. These experts can notify you of incident alerts and suggest resolutions, freeing your team up to focus on other tasks.

This is a great resource to have for tackling any ad hoc troubleshooting or getting help using your DMARC tool. OnDMARC incorporates chat functions into its DMARC portal, so with a single click of a button, you can be connected to an engineer ready to help solve your query.

In this chapter, we provide the type of features, design, and extras that will fast-track your DMARC journey.

A buyer’s guide to DMARC: What to look for in a DMARC product 

A buyer's guide to DMARC

Why choose Red Sift for your email security

Founded in 2016, the Red Sift Platform was built as a direct response to the challenges many global organizations were facing when trying to fix vulnerabilities in their cyber infrastructure. 

Red Sift OnDMARC, an automated DMARC application, was the first product to launch on the Platform. It enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 

Everything within OnDMARC is designed to save you time and simplify your DMARC journey as you fully secure your domain.

Our powerful automation does all the heavy lifting by continuously analyzing what’s going on across your domain, surfacing alerts for where and how to make necessary changes to your email security. Then simply follow our extensive database with setup instructions for hundreds of well-known email sources.

Full visibility into your sending sources

Within 24 hours of adding your unique DMARC record to your DNS, OnDMARC begins to analyze and display your DMARC reports in clear and comprehensive dashboards. Who is sending on your behalf? Where in the world is your domain being used? Are your emails passing or failing DMARC validation? This gives a complete picture of your email landscape and not just the stuff that crosses your network boundary.

Relying on consultants is a time-consuming process to configure DMARC, leaving you with no ongoing visibility or knowledge of how it works, which may mean calling them again! One of the most commonly reported benefits of OnDMARC is an average time of 6-8 weeks to reach full enforcement.

Once you’ve hit the switch to p=reject, it’s time to celebrate all those blocked impersonation attempts! If any of your defenses break, we’ll alert you of the root cause and provide instructions on how to fix it.

Red Sift’s Customer Success team is here to make setting up and maintaining your DMARC protection as simple and hassle-free as possible. We have a team of specialists available to help you with your DMARC project, from implementation to full in-life management so you can choose the level of support that works for you.

Red Sift CSEs are experienced in the most complex DMARC implementations at companies like Capgemini, ZoomInfo, and Wise, amongst others. Red Sift’s Customer Success is highly regarded by its enterprise customers, including Holland and Barrett, ZoomInfo, and TalkTalk.

Explore our full library of customer case studies here.

Red Sift OnDMARC’s Dynamic Services allows you to solve this problem by controlling these records from within the OnDMARC app. In other words, there’s no need to return to your DNS provider to update any email authentication-related records. Instead, this is done by replacing the static DNS records with OnDMARC’s smart records, either via NS delegation for DKIM and DMARC or a new smart TXT record for SPF.

OnDMARC’s Dynamic SPF feature solves the 10 lookup limit by enabling you to use a single dynamic include to combine all authorized services correctly at the point of query. This prevents your authorized traffic from failing SPF validation and means your email deliverability will never be impacted. 

What makes Red Sift OnDMARC different from all other tools on the market is its Investigate feature. It allows you to test configuration updates in real-time rather than waiting for DMARC data to arrive over 24 hours, drastically reducing the time needed for a DMARC project and speeding up the time needed until full protection is reached. 

DNS Guardian actively monitors your domains for DNS misconfigurations that could lead to domain takeovers. This includes safeguarding against SubdoMailing, dangling DNS records, and CNAME takeovers.

Unique to the market, Red Sift OnDMARC is the only DMARC application that bridges the gap between DNS and DMARC in this way.

To learn more about the feature and how these types of DNS attacks bypass DMARC protections, read our blog.

Red Sift OnDMARC’s BIMI feature is the only integrated BIMI and Verified Mark Certificate (VMC) solution available on the market. It guides you through the full BIMI application process and even helps you obtain a VMC without having to go directly to the Certificate Authority (CA). Issuing VMCs has historically been a tedious process but Red Sift’s integrated process aims to make it easier.

BIMI implementation with Red Sift includes end-to-end support from its Customer Success team. Another advantage is that a free VMC license is included in OnDMARC’s Enterprise tier so organizations don’t need to secure additional budget for BIMI.

Hosted MTA-STS is part of OnDMARC’s Dynamic Services interface. After you have added Smart Records to your domain’s DNS, it will host the MTA-STS policy file, maintain the SSL certificate, and flag any policy violations through the TLS report.

Forensic reporting and machine learning provides granular information on unauthenticated emails while protecting privacy. Red Sift is one of only two DMARC vendors on the market who boast the Yahoo forensics feed that enhances forensic reporting. 

OnDMARC has a REST API that can be used to integrate with your custom dashboards and other internal systems. All endpoints are documented here with working examples; from managing every aspect of Dynamic Services and your email sources to creating your own charts from reporting data. You can also add and remove domains, configure alerts, or analyze any domain programmatically.

Today, we have over 1,000 customers including some of the most recognized brands in the world, such as Capgemini, Domino’s, ZoomInfo, Athletic Greens, Telefonica, and Wise.

The company has strategic partnerships with Google, Microsoft, IBM, and Entrust. From November 2023, Red Sift is the new partner for Cisco Domain Protection.

Red Sift is deeply committed to quality with the following quality and security accreditations:

Members of CyberExchange and Global Cyber Alliance

Data centers in the UK, EU and USA for data residency requirements

We hope that you found this guide a useful way to start building your understanding of DMARC and all its security benefits. We appreciate it’s a lot to take in but remember, if you can find yourself a trusted and proven DMARC provider, you’ll have an expert by your side for your whole DMARC journey, making it easier, faster, and painless.

Find out why over 1,000+ global brands trust Red Sift OnDMARC to help them stay protected from phishing and spoofing attacks.