Hello Marc,

Sorry to hear about your spoofing troubles. The situation sounds urgent and
complex.

My first suggestion would be to set expectations with your management team.
You are embarking on a large project that will unearth email complexities
that are not currently understood or appreciated. The DMARC policies you
put in place to reduce harm from spoofing could also block important
legitimate email sent via 3rd parties. That collateral damage will have a
business impact, and must be anticipated and managed.

When we implemented a DMARC policy at SendGrid, we discovered that some
business units used 3rd party hosted apps that sent mail on our domain's
behalf. Some of those apps (like HR software or ops monitoring services)
sent mail from a broad range of external shared IPs, so we had to find ways
to get them to route our mail differently -- through dedicated IPs that we
could safely add to our SPF record.

For some weeks we'd occasionally discover new sources of legitimate mail
that was being rejected or quarantined, then work with the affected
business unit and their 3rd party tech partner/app to correct the issue.

You asked:

b) in regards to dmarc records you need to specify an email address for
replies, can this always be the same e-mail for all 100's e-mail domains?

Yes, you can route your forensic and aggregate DMARC reports to the same
address for all your domains. There are several good 3rd party services
that can consume your DMARC reports.

I suggest you configure your rua and ruf with an internal email address.
That will allow you to archive the raw reports and then forward or relay
the reports to one or more tools or 3rd party services that will consume
the reports and provide you with useful metrics and actionable insights.

Best of luck on your project.

Regards,
Paul Kincaid-Smith
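
Added example, not part of the original message: a sketch of the shared rua/ruf setup described above, generating one DMARC TXT record per domain. It also lists the authorization records (RFC 7489, section 7.1) that the mailbox's domain has to publish so receivers will send it reports for domains in a different organization. The mailbox, the domain names and the helper names are constructed placeholders.

```python
# Added example: DMARC TXT records for many domains that share one report
# mailbox, plus the authorization records the mailbox's domain must publish.
# All domain names and the mailbox below are constructed placeholders.

REPORT_MAILBOX = "dmarc-reports@reports.example.net"  # assumed internal mailbox
DOMAINS = ["example.com", "example.org", "reports.example.net", "shop.example.com"]


def same_org(policy_domain: str, report_host: str) -> bool:
    """Simplified stand-in for an Organizational Domain comparison.

    A real check uses the Public Suffix List. This one only recognises an
    exact match or a parent/child relation, so it may emit an authorization
    record that is not strictly needed.
    """
    a = policy_domain.lower().rstrip(".")
    b = report_host.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_record(mailbox: str, policy: str = "none") -> str:
    """TXT value for _dmarc.<domain>; p=none only collects feedback."""
    return f"v=DMARC1; p={policy}; rua=mailto:{mailbox}; ruf=mailto:{mailbox}"


def zone_entries(domains, mailbox, policy="none"):
    """Return (policy_records, authorization_records) as lists of (name, txt)."""
    report_host = mailbox.rsplit("@", 1)[1]
    policies, auths = [], []
    for d in domains:
        policies.append((f"_dmarc.{d}", dmarc_record(mailbox, policy)))
        if not same_org(d, report_host):
            # RFC 7489 section 7.1: the report destination confirms that it
            # accepts reports about this policy domain.
            auths.append((f"{d}._report._dmarc.{report_host}", "v=DMARC1"))
    return policies, auths


if __name__ == "__main__":
    pol, auth = zone_entries(DOMAINS, REPORT_MAILBOX)
    for name, txt in pol + auth:
        print(f'{name}. IN TXT "{txt}"')
```

Without the `_report._dmarc` records, a receiver that verifies external destinations will not send reports to the shared mailbox for domains outside its organization.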

On Nov 4, 2015, at 05:00, Marc Luescher via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

Hi there,

I am new to this mailing list but have the challenging task to implement
SPF, DKIM and DMARC on Cisco Ironports for two extremely large worldwide
companies with 100's of e-mail domains each. To make things more challenging,
this is due by end of next week, as we are under heavy spoofing attacks.

So far we have implemented a lot of defensive mail filters on the Ironports
for validation of domain, friendly names, AV, etc. and are tagging all
incoming e-mails so the end user can more easily find them in his inbox
under the following structure, with rules doing the work:

Inbox

--Internal
  TO only
  CC

--External
   Primary
   Trusted Partner
   Social (Facebook, Linkedin etc)
   Public (public mailers)
   Newsletters (tagged)
   Potential SPAM


It is my current understanding that the following order of things should be
followed:

a) Publish a DMARC record with a domain to collect feedback
b) Deploy SPF for the mail domains
c) Deploy DKIM for the mail domains

d) Monitor SPF, DKIM and DMARC
e) Implement DMARC policy to quarantine and/or reject

It is my plan to start doing this with 1 or maybe 2 domains to get going.

My questions now:

a) does this sound like a good plan?
b) in regards to dmarc records you need to specify an email address for
replies, can this always be the same e-mail for all 100's e-mail domains?
c) Did I miss something?

I will be documenting this implementation and am happy to share for
interested parties as it involved Notes, Outlook, Cloud, ironports and much
more.

Thank you

Marc

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well
terms (http://www.dmarc.org/note_well.html)