7
Dec 15

Video: DMARC - Deployment Process

We've put together a short video on our own DMARC deployment process:

This video is part of a larger video series on all things DMARC.

The transcript follows:


This short video describes dmarcian's home-grown DMARC deployment process.

Invented and refined by helping organizations of all sizes deploy DMARC, the dmarcian approach efficiently integrates DMARC and its benefits into an organization at minimal cost.

The dmarcian approach is a lightweight project management framework that can be used to install DMARC at any organization.  Project management is a specialized discipline that is used to introduce change within an organization.  Project management is all about making specific changes to existing processes.  Projects start, complete their work, and then shut down.

Project management ends up being the right approach to deploying DMARC, as email is used everywhere by everyone, all the time, and so changing email usually requires people from across an organization to participate in the project.  There is a distinct technology component that is usually handled by a small team of technicians, but the interesting parts of DMARC deployment are usually found in the human condition -- communicating changes while baking DMARC into existing day-to-day operations.

The overall project framework is quite simple.  Before starting, the organization should identify who or what is responsible for registering domains so that a complete list of all domains belonging to the organization can be created.  If there is no centralized authority at the organization for tracking domains, one needs to be created.  At dmarcian, we call this authority the "Domain Management Function".  The purpose of the domain management function is to bring together information related to each domain -- who is responsible for it, what is it used for, and what controls or monitoring should be in place around it.

At larger organizations, a project team should be formed that pulls together stakeholders from across the organization.  Representatives from DNS, Messaging, Marketing, Legal, and InfoSec are usually present.  The project should be sponsored by an executive as the project will necessarily cross administrative boundaries within the organization.  With the project team in place, the work can begin in earnest.

Starting with a complete list of domains is ideal, as the job of installing and maintaining DMARC becomes far simpler.  Instead of having to repeat deployment steps -- or worse, having to duplicate training and communication -- the domain management function acts as the place where DMARC can be hooked into the organization and remain part of day to day operations.

As a side note, the domain management function ends up being extremely useful outside of DMARC.  Maintaining domain registrations, ensuring that websites have up to date SSL certificates, keeping track of domain ownership, making sure DNS-related operations are consistent -- all of these activities are greatly simplified when a domain management function is in place.  So, the first thing dmarcian does is make sure this function exists.

With the domain management function in place, DMARC data should be collected for all domains.  Start by publishing DMARC records with a policy of "p=none" so that simple data collection can occur without impacting any production email. The data that DMARC produces is invaluable for understanding what is going on with any given email domain.  dmarcian's tools process and analyze DMARC data so that an organization can focus on fixing up infrastructure instead of wading through the nuances of DMARC feedback.

After putting in place DMARC records to collect data on all domains, the project team shifts to getting email streams into compliance with DMARC.   The process is a tight 3 step loop: Assess, Remediate, and Maintain.  Each domain is put through the 3 steps so that all legitimate sources of email are identified, sources of email are brought into compliance with DMARC, and then once all sources have been remediated, the domain is monitored for ongoing DMARC compliance.

During the execution of this 3 step loop, the project team develops internal resources to communicate the upcoming installation of DMARC-based controls. This communication can be as simple as an internal wiki page that explains the controls, or it can be as complicated as a series of contractual reviews that require partners to comply with the organization's email sending standards. A key reason for developing this internal resource is to allow the project team to complete its work while leaving behind a set of resources that will educate future employees about the existing DMARC-based controls.  Without this resource, operations teams might find themselves having to respond to fire drills whenever a new and overly eager marketing effort comes along and attempts to send email on behalf of the organization without realizing that DMARC controls are in place.  This can be a very embarrassing situation!  The internal resource helps to curtail any angst that arises from situations like this.

As domains go through and complete the 3 step loop, DMARC based controls can be installed.  Start with the "quarantine" policy to make sure results are expected and to give the project team time to respond to any unanticipated issues.  When confident that DMARC coverage is accurate, move to the "reject" policy.  Again, make sure results are expected, and give the project team more time to respond to unanticipated issues.  As more domains move through the 3 step loop, the organization develops checklists and expertise around the ongoing operation of DMARC.

At the end of the DMARC deployment project, the organization has baked DMARC into daily operations.  As new domains are registered or acquired, the domain management function puts the domains through the 3 step process, and DMARC compliance is installed and maintained from the very beginning.

This deployment process has proven to be effective and requires only minor changes to adapt to any given organization's unique character.

Some organizations recognize that DMARC is a one-time deployment exercise and choose to contract with dmarcian to supply project management services. Feel free to contact us to see if our services fit your organization's needs.

To get started with DMARC, visit dmarcian.com.
News, resources, additional reading can be found at space.dmarcian.com
Questions? contact support@dmarcian.com
Social? dmarcian is on LinkedIn, G+, Twitter, and maybe more.
Thank you for watching!
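
The transcript's progression (publish "p=none" on every domain in the inventory, then move to "quarantine", then "reject") can be tracked with a small audit over the domain list. The following is an added example, not part of the video or dmarcian's tooling; the domains, records, stage names and function names are constructed for illustration, and the records are embedded rather than fetched from DNS.

```python
# Constructed inventory: domain -> TXT record found at _dmarc.<domain> (None = no record).
INVENTORY = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none",
    "parked.example": None,
    "broken.example": "v=DMARC1 p=reject",  # missing ';' between tags
}
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        # The version tag must come first and be exactly DMARC1.
        if i == 0 and (name, value) != ("v", "DMARC1"):
            return None
        tags.setdefault(name, value)
    return tags if tags.get("p", "").lower() in VALID_POLICIES else None

def assess(txt):
    """Map one record to a deployment stage plus follow-up notes for the project team."""
    if txt is None:
        return "unmonitored", ["publish a p=none record to start data collection"]
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid", ["record is malformed and needs fixing"]
    policy, notes = tags["p"].lower(), []
    if "rua" not in tags:
        notes.append("no rua tag: no aggregate reports are being collected")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
    return ("collecting" if policy == "none" else policy), notes

def audit(inventory):
    return {domain: assess(txt) for domain, txt in sorted(inventory.items())}

if __name__ == "__main__":
    for domain, (stage, notes) in audit(INVENTORY).items():
        print(f"{domain:16} {stage:12} {'; '.join(notes) or 'ok'}")
```
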