Meet the company
This case study looks at a non-profit organization specializing in the administration of exchange visitor programs on behalf of the U.S. Government. For more than 50 years they have been responsible for facilitating exchange programs between the U.S. and over 60 countries, work that requires them to send over 3 million emails each year.
Uncovering services and instantly verifying SPF alignment
With only a basic DMARC reporting tool at the time, the organization knew they were exceeding the SPF lookup limit and that their SPF alignment required attention, but the tool offered no guidance on how to resolve it. With multiple services across the organization sending email on their behalf, the challenge was to identify and secure every sender:
- Discovery: The Chief Technology Officer (CTO) explained, “Unlike other DMARC reporting tools, OnDMARC offered an intuitive interface with clear insight into what is aligned or not aligned for SPF for each service using our domain. This kept us on track and allowed us to get the job done effectively.”
- Validation: The team was able to verify configurations instantly—without waiting 24 hours for DNS changes to propagate—thanks to Investigate. As the CTO noted, “This tool was fundamental. We used Investigate as proof to heads of department that we could safely implement DMARC and SPF without blocking any legitimate business emails.”
- Ongoing protection: After securing their domain with OnDMARC, a 30-day report showed that of the 566,395 emails sent from their domain, 68% were fake. The CTO acknowledged that “due to the nature of what we do, we’re a high-risk industry for phishing scams,” but reports confirmed that all unauthorized emails were successfully blocked from delivery.
Jumping the lookup hurdle to push the project over the finish line
SPF lookups are a common obstacle for IT teams, because SPF evaluation is capped at 10 DNS lookups. This limit exists to reduce the potential for highly amplified Denial of Service (DoS) attacks against the Internet’s DNS infrastructure. Each email service adds one or more lookups; Gmail alone, for example, adds three.
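The lookup count can be checked before a record is published. The following is an added example, not code from the case study or from OnDMARC; the domains and TXT records are constructed and the function names are hypothetical. It counts the terms that RFC 7208 charges against the 10-lookup limit, following nested include and redirect targets.

```python
import re

# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
# ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "example.org": "v=spf1 mx a include:_spf.mail.example "
                   "include:news.example include:crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "news.example": "v=spf1 include:_spf.mail.example exists:%{i}.bl.news.example ~all",
    "crm.example": "v=spf1 a:out.crm.example mx redirect=_fallback.crm.example",
    "_fallback.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    "flat.example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "include:crm.example -all",
}

# Optional qualifier, term name, optional target after ':' or '='.
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, zone, _path=()):
    """Worst-case count of lookup-costing terms reachable from `domain`.

    Simplifications: every term is assumed to be evaluated, and the separate
    per-mx and void-lookup limits of RFC 7208 are not modelled.
    """
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # skip "v=spf1"
        m = TERM_RE.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself costs one lookup
        target = m.group(2)
        if m.group(1) in ("include", "redirect") and target in zone:
            # The nested record's own terms count against the same budget.
            total += count_lookups(target, zone, _path + (domain,))
    return total

def exceeds_limit(domain, zone):
    """True when a receiver would hit the limit and return permerror."""
    return count_lookups(domain, zone) > LIMIT
```

Here the constructed `example.org` record lists only five lookup-costing terms itself, but the nested includes bring the total to 14, which is why counting only the top-level record understates the problem.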
After an email marketing platform was added to the organization’s services, the CTO noted, “we couldn’t handle the number of SPF entries on our stock integration for all of our email sources,” reinforcing the need for a more capable solution.
It quickly became clear that “we had no guidance on what to do from the weekly digests our previous DMARC reporting tool gave us. It was only when searching for a solution that we discovered Dynamic SPF. This tool, along with OnDMARC’s ongoing guidance, helped us overcome our technical IP limitations and move the project forward by managing all lookups from inside our account.” Once using OnDMARC, the team was able to get to work quickly, simplifying the management of their 20+ entries within the first three days of setting up their account.
Shining a light on Shadow IT to uncover new services
The IT team found that OnDMARC was highly effective in bringing unknown services out of the shadows. Shadow IT often arises when an email service is added to the corporate environment without IT’s knowledge. Setting up an automated email marketing platform may seem harmless, but it increases the domain’s number of lookups and may not be properly secured without going through configuration checks first.
The CTO described OnDMARC as a valuable solution, noting that they are “using it to find people signing up for services company-wide. It’s great being able to spot them popping up and making sure they’re secured for use.” As a U.S. Designated J-1 Visa Sponsor, the organization has since been able to confidently sort through email services using their domain, distinguishing legitimate senders and uncovering nearly 7,000 unauthorized ones.
As a result, the team was able to progress confidently to p=reject and significantly reduce unauthorized sending. In just one month, a post-reject report showed a 36% reduction in unauthorized services—and that number continues to decline.




