I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

A strategy for DMARC compliance for outsourced e-mail

Friday, April 21, 2017 - 13:13

The popularity of software-as-a-service (SaaS) applications presents challenges for successful e-mail delivery. The application provider takes on responsibility for the e-mail infrastructure, and as a customer you lose the traditional hands-on control over how e-mail is processed, routed and controlled.

There are several options to ensure that e-mail sent from SaaS applications is DMARC compliant, but resources and capabilities limit the choices for most organisations: not all applications support both SPF and DKIM, and SPF has limitations on the length and number of DNS records involved.

At Jisc we are using the following preferences as a strategy towards increased DMARC compliance for outsourced e-mail. In order of preference:

  1. DKIM. As the customer we retain control over per-provider public DKIM records (and can immediately stop publishing them if we choose to) and the application provider is able to change, modify and scale their infrastructure and IP addressing without involving us.
  2. SPF. Application providers who have less of an understanding of DMARC and DKIM often support SPF. It does not require any implementation within their mail submission agent (MSA). Downsides include:
    • It increases the length of our limited-size SPF record.
    • It can push the number of DNS lookups past the ten that SPF allows.
    • Include: statements are fragile: a broken included SPF record breaks the parent SPF record.
  3. IP addresses in SPF. The problems of include: statements can be avoided by copying the provider's IP addresses directly into our SPF record, but this also means the provider has to notify customers of every change in its IP addressing.
  4. Jisc’s MSA. Application providers can configure their systems to relay mail directly through Jisc’s own systems. DMARC compliance is then handled by Jisc’s systems rather than the provider.
  5. The application never sends e-mail from our domains. This is not ideal, but continued sending of non-compliant e-mail from our domains hampers efforts to help recipients identify and filter unauthorised e-mails.
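As an added illustration of the SPF downsides listed under option 2 (my own example here, not a Jisc tool), the following script walks a set of constructed SPF records the way a receiver would, counts the DNS lookups that include:, a, mx, ptr, exists and redirect each cost, and reports both a chain that exceeds the ten-lookup limit and an include: whose target publishes no record. All domains and records are made up.

```python
# Constructed sample TXT records (not real domains or providers) showing the
# SPF problems from the list above: nested include: chains, exceeding the
# ten-lookup limit, and an include: of a domain that publishes no SPF record.
DNS_TXT = {
    "example.ac.uk": "v=spf1 mx include:saas-a.example include:saas-b.example ip4:192.0.2.0/24 -all",
    "saas-a.example": "v=spf1 include:_spf.saas-a.example include:_spf2.saas-a.example ~all",
    "_spf.saas-a.example": "v=spf1 a mx include:relay1.saas-a.example include:relay2.saas-a.example ~all",
    "_spf2.saas-a.example": "v=spf1 a a:mail.saas-a.example ~all",
    "relay1.saas-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "relay2.saas-a.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "saas-b.example": "v=spf1 include:missing.example ~all",  # broken: target has no record
}

# Terms that each cost one DNS lookup; SPF caps the total at ten (RFC 7208 s.4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def count_lookups(domain, txt=DNS_TXT, path=()):
    """Return (lookup_count, problems) for the SPF record tree rooted at domain."""
    if domain in path:
        return 0, [f"permerror: include: loop via {domain}"]
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        # A missing or malformed record turns the parent's include: into a permerror.
        return 0, [f"permerror: no valid SPF record for {domain}"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                        # drop the qualifier
        name, _, arg = term.replace("=", ":", 1).partition(":")
        if name not in LOOKUP_TERMS:
            continue                                      # ip4/ip6/all cost nothing
        lookups += 1
        if name in ("include", "redirect"):               # recurse into the referenced record
            sub, sub_problems = count_lookups(arg, txt, path + (domain,))
            lookups += sub
            problems.extend(sub_problems)
    return lookups, problems

def check_domain(domain, txt=DNS_TXT):
    """Summarise lookup count, record length and problems for one sending domain."""
    lookups, problems = count_lookups(domain, txt)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"permerror: {lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return {"domain": domain, "lookups": lookups,
            "record_length": len(txt.get(domain, "")), "problems": problems}

if __name__ == "__main__":
    for line in check_domain("example.ac.uk")["problems"]:
        print(line)
```

Running it against the constructed data reports 12 lookups for example.ac.uk and a permerror for the missing.example include, which is exactly the pair of failures that a single careless provider include: can introduce into an otherwise healthy parent record.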