Hi Marc,

Largely echoing others:


  *   This is not a one-week project, you'll be lucky if it's a one-quarter 
project. To get to a steady state you have to (a) work with every 3rd-party 
sender used by every business unit in every country in which the companies do 
business, a non-zero fraction of whom won't [prefer to] speak English and (b) 
establish working procedural changes for all future uses of email worldwide 
that include establishing adequate authentication as part of every 3rd-party 
sender engagement.
  *   Get expert help! There are many pitfalls, you are probably better off 
learning from a consultant with relevant experience than from angry business 
units whose revenues you just disrupted...
  *   Definitely pilot with a few domains. Also take for granted the need to 
set different policies for different domains as you get authentication coverage 
up to an acceptable level at different times for different domains.
  *   Survey the available tools. A small investment of time now will save you 
a lot of lost time and disrupted business later. Dmarcian is good. Agari is 
good. I assume Return Path is good. I have probably offended several people by 
forgetting about other excellent options.
  *   Yes, you can send feedback for many domains to a single domain, but there 
is an access control protocol: the domain receiving all of the feedback has to 
publish specific additional DNS records to authorise 
mail-receivers/feedback-senders to send to an address in that domain (otherwise 
DMARC would provide a DDoS vector). All of the DMARC-feedback-analysis service 
providers provide destination addresses with this already set up, all of the 
large receivers performing DMARC processing will honour this when sending 
feedback.


Good luck!


- Roland


     Roland Turner | Labs Director
Singapore | M: +65 96700022
roland.tur...@trustsphere.com<mailto:roland.tur...@trustsphere.com>
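
The access-control check described in the last bullet above, as an added example that is not part of the original message: RFC 7489 section 7.1 has the report sender look up a TXT record at `<policy-domain>._report._dmarc.<destination-host>` before sending feedback outside the policy domain's organization. All domains and TXT data are constructed, the dict stands in for DNS, and `org_domain` is a labelled simplification.

```python
import re

def org_domain(name):
    # Assumption: the last two labels approximate the Organizational Domain;
    # production code should consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def report_hosts(dmarc_record):
    """Return the hosts of mailto: URIs found in the rua/ruf tags."""
    hosts = []
    for tag in dmarc_record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() in ("rua", "ruf"):
            for uri in value.split(","):
                m = re.match(r"\s*mailto:[^@\s]+@([^!\s]+)", uri, re.I)
                if m:
                    hosts.append(m.group(1).lower())
    return hosts

def lookup_txt(zone, name):
    """Stand-in resolver: exact name first, then the provider's wildcard."""
    wildcard = "*." + name[name.index("_report._dmarc."):]
    return zone.get(name) or zone.get(wildcard, [])

def audit(policy_domain, dmarc_record, zone):
    """Map each external report host to (authorization name, authorized?)."""
    result = {}
    for host in report_hosts(dmarc_record):
        if org_domain(host) == org_domain(policy_domain):
            continue  # same organization: no authorization record needed
        name = f"{policy_domain}._report._dmarc.{host}"
        ok = any(t.strip().startswith("v=DMARC1") for t in lookup_txt(zone, name))
        result[host] = (name, ok)
    return result

# Constructed TXT data published by two hypothetical report collectors.
ZONE = {
    "corp-a.example._report._dmarc.reports.collector.example": ["v=DMARC1"],
    "*._report._dmarc.agg.vendor.example": ["v=DMARC1"],
}
# Constructed DMARC record shared by every sending domain in the pilot.
RECORD = ("v=DMARC1; p=none; "
          "rua=mailto:dmarc@reports.collector.example,mailto:x@agg.vendor.example!10m")

if __name__ == "__main__":
    for domain in ("corp-a.example", "corp-b.example"):
        for host, (name, ok) in audit(domain, RECORD, ZONE).items():
            print(f"{domain} -> {host}: {'authorized' if ok else 'MISSING ' + name}")
```

Run across all sending domains before publishing `rua` tags: any domain reported as missing will silently receive no feedback at that destination.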




________________________________
From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Marc 
Luescher via dmarc-discuss <dmarc-discuss@dmarc.org>
Sent: Wednesday, 4 November 2015 19:48
To: dmarc-discuss@dmarc.org
Subject: [dmarc-discuss] Neebie Questions about Spoofing Prevention and DMARC 
implementation


Hi there,

I am new to this mailing list but have the challenging task to implement SPF, 
DKIM and DMARC on Cisco Ironports for two extremely large worldwide companies 
with 100's of e-mail domains each. To make things more challenging by end of 
next week as we are under heavy spoofing attacks.

So far we have implemented a lot of defensive mail filters on the Ironports for 
validation of domain, friendly names, AV, etc and are tagging all incoming 
e-mails so the end user can more easily find them in his inbox under the 
following structure, with rules doing the work :

Inbox

--Internal
  TO only
  CC

--External
   Primary
   Trusted Partner
   Social (Facebook, Linkedin etc)
   Public (public mailers)
   Newsletters (tagged)
   Potential SPAM


It is my current understanding that the following order of things should be 
followed  :

a) Publish a DMARC record with a domain to collect feedback
b) Deploy SPF for the mail domains
c) Deploy DKIM for the mail domains

d) Monitor SPF, DKIM and DMARC
e) Implement DMARC policy to quarantine and/or reject

It is my plan to start doing this with 1 or maybe 2 domains to get going.

My questions now :

a) does this sound like a good plan ?
b) in regards to dmarc records you need to specify an email address for replies, 
can this always be the same e-mail for all 100's e-mail domains ?
c) Did I miss something ?

I will be documenting this implementation and am happy to share for interested 
parties as it involved Notes, Outlook, Cloud, ironports and much more.

Thank you

Marc

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
