Valimail https://www.valimail.com (feed retrieved Fri, 14 Nov 2025 22:13:16 +0000)

How to set up and rotate your DKIM keys in 2025
https://www.valimail.com/blog/setup-rotate-dkim-keys/ (Thu, 13 Nov 2025 17:00:00 +0000)

Whether you're setting up DKIM for the first time or looking to establish a key rotation practice, we'll walk you through everything you need to know.

The post How to set up and rotate your DKIM keys in 2025 first appeared on Valimail.

Setting up DKIM keys used to be one of those tasks you could put off until “later.” Well, later has arrived.

With Google, Microsoft, and Yahoo’s sender requirements, proper DKIM signing isn’t just a nice-to-have anymore—it’s non-negotiable for getting your emails delivered.

But here’s the thing: setting up DKIM keys is only half the battle. If you’re like most organizations, you’ve probably got a few questions:

  • How often should you really rotate your keys?
  • What happens if you mess up the rotation process?
  • Are your current keys strong enough?
  • What if your keys get compromised?

The good news? DKIM key management doesn’t have to be the headache it used to be. Whether you’re setting up DKIM for the first time or looking to establish a solid key rotation practice, this guide will walk you through everything you need to know.

And if you’re thinking “I already have DKIM set up, I can skip this”—you might want to stick around. Email authentication requirements have evolved, and what worked in 2023 may not suffice in 2025. Those 1024-bit keys that used to be standard? They’re quickly becoming yesterday’s best practice as more providers push for stronger encryption.

We’ll cover everything from initial setup to automated rotation with clear step-by-step directions. No unnecessary jargon, no complicated theory, just practical steps to keep your email authentication strong and your deliverability healthy.

Understanding DKIM key basics

DKIM (DomainKeys Identified Mail) is your email’s digital signature. Just like you wouldn’t send an important contract without signing it, your emails need this signature to prove they’re really from you.

A DKIM setup has three parts: a private key that stays on your sending server, a public key published in your DNS, and the signature each message carries.

Here’s how they work together. When your email server sends a message, it uses the private key to create a unique signature based on the email’s content. The receiving server uses your public key to verify that signature. It’s like having a lock and key pair—except in this case, thousands of receiving servers might need to check that lock every day.

[Figure: how DKIM works flowchart]

Before you start: DKIM key prerequisites

Before diving into key generation, make sure you have:

  • Access to your DNS records (or someone who does)
  • Administrative access to your email sending infrastructure
  • A plan for storing your private keys securely
  • A way to track your key expiration dates (trust us, you’ll thank yourself later)

And here’s something people often overlook: if you’re using multiple email service providers (ESPs), you’ll need separate DKIM keys for each one. That marketing newsletter going through Mailchimp? It needs different keys than your customer service emails going through SendGrid.

Setting up DKIM keys: step-by-step

1. Generating your DKIM key pair

Remember when 1024-bit keys were the gold standard? Those days are gone. In 2025, 2048 bits is the minimum key length you should generate; 1024-bit keys are no longer considered adequate, and more providers are pushing senders toward stronger keys.

Here’s how to create them. You’ve got options here. If command-line tools make you break out in a cold sweat, don’t worry—there are plenty of alternatives:

  • OpenSSL (for the command-line comfortable)
  • Web-based DKIM generators (convenient but use with caution)
  • Your ESP’s built-in tools (if available)
  • Email authentication platforms (they handle the technical bits)

And before moving forward, verify that your key pair:

  • Actually matches (you’d be surprised how often they don’t)
  • Uses the right algorithm (RSA is still king, but watch this space)
  • Has the correct length (remember: 2048 bits minimum)

2. Adding the public key to your DNS

This is where things often go sideways. One misplaced character in your DNS record can send your DKIM implementation straight to the “invalid signature” graveyard. Let’s break it down:

Your DKIM record needs to live at a specific address in your DNS. The format looks like this:

selector._domainkey.yourdomain.com

Don’t just copy-paste that—replace “selector” with your actual selector name (like “mail” or “key1”) and “yourdomain.com” with your actual domain.

Your public key needs some specific formatting in DNS:

  • Strip out headers and footers from the key
  • Remove all whitespace and line breaks
  • Add the correct TXT record tags
  • Keep an eye on those quotation marks (they matter)
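The checks from sections 1 and 2 above (the record name, stripping the PEM header and footer and all whitespace, adding the TXT tags, and the 2048-bit minimum), carried through as an added Python example. This is not code from the original post or from Valimail. The public key it formats is a structurally valid RSA SubjectPublicKeyInfo built around a constructed modulus, so the DER helpers, the record name and the key-length check are exercised without any real key material; the 255-octet limit on a single TXT string is the DNS rule that makes the quotation marks matter for 2048-bit keys.

```python
import base64
import re

# Constructed moduli (not real keys): the top bit is set so the size is exact.
MODULUS_2048 = b"\xc3" + bytes((i * 37 + 11) % 256 for i in range(255))   # 256 bytes
MODULUS_1024 = b"\xc3" + bytes((i * 53 + 7) % 256 for i in range(127))    # 128 bytes

# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    if value[0] & 0x80:            # keep the INTEGER positive
        value = b"\x00" + value
    return _der(0x02, value)


def _der_read(buf, pos=0):
    """Return (tag, content, position after the element) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length


# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")


def make_rsa_public_pem(modulus, exponent=b"\x01\x00\x01"):
    """Build a PEM 'PUBLIC KEY' block for a constructed modulus (test data only)."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def dkim_record_name(selector, domain):
    """Where the TXT record lives: selector._domainkey.domain"""
    return f"{selector}._domainkey.{domain}"


def pem_to_dkim_txt(pem):
    """Strip the PEM header/footer and every line break, then prepend the DKIM tags."""
    b64 = "".join(line.strip() for line in pem.splitlines()
                  if line.strip() and not line.startswith("-----"))
    return f"v=DKIM1; k=rsa; p={b64}"


def split_txt_strings(value, limit=255):
    """One TXT string holds at most 255 octets, so a 2048-bit key is published as several quoted strings."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def rsa_bits_from_txt(txt_value):
    """Read the p= tag back out of a DKIM TXT value and return the RSA modulus size in bits."""
    tags = dict(re.findall(r"\s*([a-z]+)\s*=\s*([^;]*)", txt_value))
    if tags.get("k", "rsa") != "rsa":
        raise ValueError(f"not an RSA key: k={tags.get('k')}")
    spki = base64.b64decode(tags["p"])
    tag, body, _ = _der_read(spki)           # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("p= is not a DER SubjectPublicKeyInfo")
    _, _, after_alg = _der_read(body)        # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(body, after_alg)
    _, rsa_key, _ = _der_read(bitstr[1:])    # first byte = unused bits, then SEQUENCE { n, e }
    _, modulus, _ = _der_read(rsa_key)       # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def strong_enough(bits, minimum=2048):
    return bits >= minimum


if __name__ == "__main__":
    txt = pem_to_dkim_txt(make_rsa_public_pem(MODULUS_2048))
    print(dkim_record_name("jan2025", "yourdomain.com"), "TXT")
    print(split_txt_strings(txt))
    bits = rsa_bits_from_txt(txt)
    print(f"key length: {bits} bits, strong enough: {strong_enough(bits)}")
```

Running the script prints the record name, the quoted TXT strings you would paste into DNS, and the key length read back from the published value; the same read-back check works on a real selector's TXT record fetched with any DNS tool, which is a quick way to audit whether keys already in DNS meet the 2048-bit minimum.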

3. Implementing the private key

This is the part you absolutely don’t want floating around in someone’s inbox or posted on a public wiki (yes, we’ve seen both happen). Your private key is like the master key to your email kingdom. Here’s how to keep it safe:

  • Store it in a secure key management system—not in a text file named “DKIM_KEY.txt” on your desktop
  • Limit access to only the people and systems that absolutely need it
  • Keep backups, but treat them with the same level of security as the original
  • Document where it’s stored (but not the key itself) in your security procedures

Pro tip: If you’re using multiple mail servers, each one needs access to the private key. Consider how you’ll distribute and update these keys securely before you start implementing.

Now, your email servers need to know three things:

  1. Where to find the private key
  2. Which selector to use
  3. What parts of the email to sign

Most ESPs will handle the private key storage and implementation, but it’s still good to understand where (and how) they’re using your domain. All you’ll typically need to do is add your ESP’s provided public key to your DNS.

DKIM key rotation: why and when

Remember when we all used the same password for everything and never changed it? (Some of you are nervously looking at your “Password123” right now, aren’t you?) Well, DKIM keys are kind of like passwords—they need regular updates to stay secure. Here’s why:

  • Keys can be compromised (even if you don’t know it happened)
  • Older keys might use outdated encryption standards
  • Your email volume might have outgrown your current key strength
  • Some team members who had access to the keys might have left
  • Requirements and best practices keep evolving

When should you rotate your DKIM keys?

Don’t wait until your keys are about to expire or until Google sends you a scary warning. Set up a reminder system—your future self will thank you. Here’s a practical timeline for rotating your DKIM keys:

  • Minimum: Every 12 months (mark your calendar)
  • Ideal: Every 6 months (if you’ve got the process down)
  • Immediately if:
    • You suspect a security breach
    • A team member with key access leaves
    • You’re upgrading your email infrastructure
    • You notice any unusual email delivery issues

You can (and should) have two active keys at once during rotation. Think of it like changing the locks on your house—you want the new lock installed before you throw away the old keys.

Most DNS providers support multiple DKIM records using different selectors:

key1._domainkey.yourdomain.com

key2._domainkey.yourdomain.com

This approach lets you: 

  • Test new keys before retiring old ones
  • Avoid any downtime during rotation
  • Roll back quickly if something goes wrong

Step-by-step key rotation process

1. Preparation phase

First things first: you need your new keys ready to go before you touch the old ones.

  • Generate your new key pair using current standards (2048-bit minimum in 2025)
  • Choose a new selector name (not the same as your current one)
  • Test the keys offline before you go anywhere near your production system
  • Triple-check that your public and private keys match (seriously, do it)

Pro tip: Name your selectors something meaningful like “jan2025” instead of just “key1.” Future you will appreciate knowing when the key was created without digging through documentation.

2. Implementation phase

This is where the parallel key approach pays off:

  1. Add your new DKIM record with a different selector. For example, if your old record was key1._domainkey.yourdomain.com, your new one might be jan2025._domainkey.yourdomain.com
  2. Wait for DNS propagation (it takes a little bit of time)
  3. Verify the new record is visible worldwide (use multiple DNS checkers)

Now comes the smooth part:

  • Configure your email server to sign with both keys
  • Start with a small percentage of your email flow
  • Gradually increase the volume using the new key
  • Keep the old key active, but reduce its usage

Pro tip: Send test emails to multiple providers (Gmail, Yahoo, Outlook, etc.) during this phase. Each one might handle the transition slightly differently.

3. Completion phase

Once you’re confident the new keys are working (usually after 24-48 hours of successful parallel operation):

  • Update your email server to use only the new key
  • Monitor for any issues for at least a few hours
  • If all looks good, remove the old DNS record
  • Keep the old private key in your secure backup for a few more days

If anything goes wrong during any phase, you can always roll back to your old key—that’s why we kept it around during the transition. It’s like having a spare tire. You hope you won’t need it, but you’ll be glad it’s there if you do.

How to verify your DKIM is working

First, let’s do some basic verification. Send a test email to yourself at a Gmail account and check the headers. (Don’t worry, we’ll show you how to find those cryptic-looking headers in a second.)

Look for these signs:

  • A header that starts with “DKIM-Signature”
  • Authentication-Results showing “dkim=pass”
  • Your domain and selector in the signature

If you’re thinking “headers what now?”—don’t worry. Here’s how to find them:

In Gmail:

  1. Open your test email
  2. Click the three dots (⋮) next to the reply button
  3. Select “Show original”

In Outlook:

  1. Open your test email
  2. Click File → Properties
  3. Look for “Internet headers”
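The three signs listed above (a DKIM-Signature header, your domain and selector inside it, and dkim=pass in Authentication-Results) checked over a pasted "Show original" message, as an added Python example that is not part of the original post or Valimail's tooling. The message below is constructed, not a real capture; the example.com domain, the jan2025 selector and the mx.google.com authserv-id are assumptions chosen to match the rotation walkthrough. Only the standard library is used.

```python
import email
import re

# Constructed test message, shaped like Gmail's "Show original" view (not a real capture).
CONSTRUCTED_RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=jan2025 header.b=c0nStrUct;
       spf=pass (sender IP 203.0.113.5 is permitted) smtp.mailfrom=news@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
        s=jan2025; h=from:to:subject:date:message-id;
        bh=Y29uc3RydWN0ZWQgYm9keSBoYXNo; b=Y29uc3RydWN0ZWQgc2lnbmF0dXJl
From: news@example.com
To: me@example.net
Subject: DKIM test
Date: Thu, 13 Nov 2025 17:00:00 +0000
Message-ID: <test-1@example.com>

This is a constructed test message.
"""


def parse_tag_list(value):
    """Parse a 'tag=value; tag=value' list such as DKIM-Signature; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def parse_auth_results(value):
    """Split an Authentication-Results header into method results.

    Returns a list of {"method", "result", "props"}. Comments in parentheses are
    discarded and the leading authserv-id (e.g. mx.google.com) is skipped.
    """
    text = re.sub(r"\([^)]*\)", "", value)
    text = re.sub(r"\s+", " ", text).strip()
    clauses = [c.strip() for c in text.split(";") if c.strip()]
    results = []
    for clause in clauses[1:]:
        match = re.match(r"(\w+)=(\w+)(.*)", clause)
        if not match:
            continue
        method, result, rest = match.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results.append({"method": method, "result": result, "props": props})
    return results


def verify_test_message(raw, domain, selector):
    """Check for a DKIM-Signature from our domain, the expected selector, and a dkim=pass verdict."""
    msg = email.message_from_string(raw)
    report = {"has_signature": False, "domain_ok": False, "selector_ok": False,
              "dkim_pass": False, "problems": []}

    signatures = [parse_tag_list(v) for v in msg.get_all("DKIM-Signature", [])]
    ours = [s for s in signatures if s.get("d") == domain]
    report["has_signature"] = bool(signatures)
    if not signatures:
        report["problems"].append("no DKIM-Signature header: the sending server is not signing")
    elif not ours:
        signers = ", ".join(s.get("d", "?") for s in signatures)
        report["problems"].append(f"signed by {signers}, not by {domain}")
    else:
        report["domain_ok"] = True
        report["selector_ok"] = any(s.get("s") == selector for s in ours)
        if not report["selector_ok"]:
            used = ", ".join(s.get("s", "?") for s in ours)
            report["problems"].append(f"selector {selector} not used (saw {used}); check the rotation")

    # The receiver's verdict for our domain, taken from Authentication-Results.
    verdict = None
    for header in msg.get_all("Authentication-Results", []):
        for res in parse_auth_results(header):
            props = res["props"]
            signer = props.get("header.d") or props.get("header.i", "").lstrip("@")
            if res["method"] == "dkim" and signer == domain:
                verdict = res["result"]
    if verdict == "pass":
        report["dkim_pass"] = True
    elif verdict is None:
        report["problems"].append(f"no dkim result for {domain} in Authentication-Results")
    else:
        report["problems"].append(f"receiver reported dkim={verdict} for {domain}")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(verify_test_message(CONSTRUCTED_RAW, "example.com", "jan2025"), indent=2))
```

During a rotation, run it once with the old selector and once with the new one: a message that still passes but reports the old selector tells you the server has not picked up the new key yet, which is exactly the state the parallel-key phase is meant to surface before the old record is removed.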

You can also check your current DKIM status for free with Valimail Monitor. All you need to do is create a free Monitor account (no trials or credit cards required).

Automate your DKIM management with Valimail

Managing DKIM keys manually might have worked in the past, but “set it and forget it” doesn’t cut it anymore. From key length to rotation schedules to deprecated keys lingering in DNS, there’s a lot that can go wrong. And every misstep opens the door to phishing, spoofing, and failed delivery.

That’s why we built our DKIM Continuous Protection—a new enterprise feature in Valimail Enforce that gives you a real-time, centralized view of every DKIM key across your domain landscape, complete with automated alerts and direct controls.

[Figure: DKIM key health dashboard]

Here’s what you get:

  • A dashboard showing the age, strength, and last use of every key
  • Warnings for keys that are expired, unused, or below the recommended 2048-bit length
  • Instant visibility into which selectors and sending platforms are tied to each key
  • Safe recommendations on when to retire or rotate keys
  • One-click edit and delete actions for key management at scale

With this feature, you no longer have to rely on spreadsheets, manual DNS checks, or outdated key tracking processes. You get everything you need to enforce DKIM best practices—automated, visible, and continuous.

Want to see it in action? Schedule a demo and learn how Valimail can simplify your DKIM key management, improve email deliverability, and strengthen your domain’s defenses.

How to automate DMARC enforcement at enterprise scale
https://www.valimail.com/blog/automate-dmarc-enterprise/ (Wed, 12 Nov 2025 17:00:00 +0000)

Automate DMARC configuration and monitoring at enterprise scale. Get brand protection and compliance without manual work.

Managing DMARC for a single domain is challenging enough. Now multiply that by dozens or hundreds of domains, thousands of legitimate sending sources, constant organizational changes, and strict compliance requirements.

This is what enterprise security teams have to deal with, and manual DMARC management simply doesn’t scale. Identifying every email service across multiple business units, manually updating DNS records, monitoring authentication failures, and maintaining enforcement policies becomes a full-time job (or several).

This leads to most enterprises either never reaching DMARC enforcement or taking years to get there, leaving their domains vulnerable to spoofing and phishing in the meantime.

Automated DMARC configuration solves this problem. It handles the complexity, scales effortlessly across your entire email ecosystem, and gets you to enforcement faster. And best of all, it doesn’t require an army of engineers or eat up your security team’s bandwidth.

What is DMARC enforcement?

DMARC enforcement is the state where your DMARC policy is set to either quarantine or reject, instructing mailbox providers to block or filter emails that fail authentication. This is the point where DMARC shifts from monitoring to active protection against domain spoofing and phishing.

DMARC has three levels:

  1. Monitor (p=none): You’re collecting data about who’s sending email using your domain, but not taking any action. Failed emails still get delivered. This is useful for visibility, but it doesn’t actually protect you.
  2. Quarantine (p=quarantine): Emails that fail DMARC authentication are sent to spam folders. This provides some protection while still allowing recipients to check their spam if needed.
  3. Reject (p=reject): Emails that fail DMARC are blocked entirely and never reach the inbox. This is full enforcement and maximum protection.
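The three policy levels above, turned into a record check you can run across a list of domains, as an added Python example that is not part of the original post or Valimail's platform. The sample records and domain names are constructed; the sp= tag (the subdomain policy, which falls back to p= when absent) is taken from RFC 7489 rather than from the post, and is included because a domain can be at p=reject while its subdomains are still in monitor mode.

```python
# Constructed sample records, one DMARC TXT value per domain (not real DNS data).
SAMPLE_RECORDS = {
    "corp.example": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example",
    "regional.example": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@corp.example",
    "acquired.example": "v=DMARC1; p=none; rua=mailto:dmarc@corp.example",
    "broken.example": "v=spf1 include:_spf.corp.example -all",   # an SPF record, not DMARC
}

LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict; raise ValueError on anything malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not txt.strip().upper().startswith("V=DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    if tags["p"].lower() not in LEVELS:
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def enforcement_status(txt):
    """Classify a record as monitor / quarantine / reject and say whether it is enforcing."""
    tags = parse_dmarc_record(txt)
    policy = tags["p"].lower()
    return {
        "policy": policy,
        "level": LEVELS[policy],
        "enforcing": policy != "none",
        "subdomain_policy": tags.get("sp", policy).lower(),   # sp= defaults to p= (RFC 7489)
    }


def domains_not_enforcing(records):
    """Return {domain: reason} for every domain still without an enforcing policy."""
    weak = {}
    for domain, txt in records.items():
        try:
            status = enforcement_status(txt)
        except ValueError as exc:
            weak[domain] = f"invalid record: {exc}"
            continue
        if not status["enforcing"]:
            weak[domain] = "p=none (monitor only)"
        elif status["subdomain_policy"] == "none":
            weak[domain] = "subdomains are sp=none (monitor only)"
    return weak


if __name__ == "__main__":
    for domain, reason in domains_not_enforcing(SAMPLE_RECORDS).items():
        print(f"{domain}: {reason}")
```

Feeding it the _dmarc TXT values for a real domain inventory gives the list of domains "stuck at p=none" that the paragraph above describes, plus the records that are not DMARC records at all, which is the kind of inventory that has to be complete before any domain is moved to quarantine or reject.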

The challenge is getting to enforcement safely. Before you can set your policy to quarantine or reject, you need to identify every legitimate sending source and double-check that they’re all properly authenticated. Miss even one service and legitimate emails get blocked, which is why most enterprises get stuck at p=none indefinitely.

DMARC enforcement is where real protection happens, though. It’s what stops attackers from impersonating your domain, protects your brand reputation, and meets compliance requirements.

Why it’s so difficult to maintain enterprise DMARC enforcement

Enterprise DMARC enforcement isn’t just harder than small business DMARC—it’s a completely different challenge. Here’s why most large organizations struggle:

  • Scale makes everything exponentially harder. You’re not managing one domain. You’re managing dozens, hundreds, or even thousands across multiple brands, subsidiaries, and regions. Each domain has its own set of sending services, authentication requirements, and stakeholders. What works for your main corporate domain might not work for your regional offices or acquired companies.
  • Hundreds of legitimate senders to identify. Enterprise organizations use countless services that send email: marketing platforms, CRMs, helpdesk tools, HR systems, notification services, transactional email providers, and more. Different departments use different tools, often without coordinating with IT or security. Identifying every single legitimate sender across your entire organization is like finding needles in a haystack…except there are thousands of needles and the haystack keeps growing.
  • Constant organizational change. Companies acquire other businesses. New departments spin up. Teams adopt new SaaS tools. Services get replaced or retired. Every single change impacts your email authentication, and if your DMARC configuration doesn’t keep pace, something breaks. Either legitimate emails get blocked (because you removed a service that’s still in use) or your protection weakens (because new services aren’t properly authenticated).
  • Compliance and regulatory requirements. Many industries require DMARC enforcement as part of their security standards. Financial services, healthcare, government contractors—they all face mandates that include email authentication. But meeting those requirements manually means dedicating significant resources to DMARC management, often pulling security staff away from other priorities.
  • Limited resources and competing priorities. Your security team is already stretched thin. They’re dealing with vulnerabilities, incidents, compliance audits, and a dozen other urgent issues. Manually managing DMARC across hundreds of domains is something most organizations simply don’t have the headcount to do.

Manual DMARC management doesn’t scale. Enterprises that try to manage DMARC manually either never reach enforcement or spend years getting there, and that leaves their domains vulnerable the entire time.

How DMARC automation solves the issue(s)

Automation transforms DMARC from a resource-intensive manual process into a scalable, efficient system that actually keeps pace with enterprise complexity. Here’s how DMARC automation helps an enterprise reach (and maintain) DMARC enforcement:

  • Automated service discovery eliminates the guessing game. Automated DMARC solutions scan your email traffic and identify senders automatically. They translate raw IP addresses into recognizable service names (like “Salesforce” or “Mailchimp”) so you know exactly who’s sending and can authorize them with a single click.
  • One-click authorization replaces ticket workflows. When a new service needs to be added, there’s no IT ticket, no DNS changes, no waiting. Authorized users simply click to approve the service, and the system handles SPF and DKIM configuration automatically.
  • Continuous monitoring catches changes in real-time. Automation continuously monitors your email traffic for new senders, authentication failures, and potential threats. If a new service (legit or not) starts sending email using your domain, you’re alerted immediately.
  • Centralized management across all domains. Automated platforms give you a single dashboard where you can manage authentication for your entire email ecosystem. Set policies, authorize senders, and monitor status across hundreds of domains from one place.
  • Policy enforcement that scales. Moving from monitoring to enforcement doesn’t require massive coordination efforts. Automated systems let you gradually enforce DMARC across your organization—starting with low-risk domains, then expanding to others as confidence builds.
  • Audit trails and compliance reporting are built in. Every change is logged automatically. Every authentication attempt is recorded. When auditors ask about your email security posture, you have comprehensive reports ready to go.

How Valimail automates DMARC at enterprise scale

Valimail Enforce is built for enterprise complexity. The platform automatically identifies sending services from a database of over 70 million pre-decoded IP addresses, so you instantly see who’s sending email using your domains without any manual detective work.

One-click authorization replaces the entire DNS ticket workflow. When marketing needs to add a new service, they authorize it in Valimail, and authentication updates happen automatically. 

No IT bottleneck, no manual DNS changes, no delays.

Valimail’s patented Instant SPF technology eliminates the 10 DNS lookup limit, so enterprises can authorize unlimited sending services without breaking SPF. And as the only FedRAMP-certified DMARC provider, Valimail meets the strictest government and compliance standards.

Our solution helps enterprises reach DMARC enforcement four times faster than with manual approaches or competing solutions (often within 45 days instead of taking years). That’s automated email authentication that actually scales.


Automate your DMARC enforcement with Valimail

Manual DMARC management at enterprise scale is unrealistic. The complexity, constant changes, and resource demands make enforcement nearly impossible without automation.

Valimail Enforce eliminates the manual work. Automated sender discovery, one-click authorization, unlimited SPF lookups, and continuous monitoring mean your security team can finally focus on strategic priorities instead of drowning in DNS tickets and DMARC reports.

Stop letting DMARC sit at p=none while your domains remain vulnerable. Automate your path to enforcement and protect your brand without the extra work.

If you’ve been struggling with DMARC fails and troubleshooting email authentication, we’re here to help! You can book a free consultation with us to walk through any of your issues, and we’ll provide advice and guidance on how to overcome them.

Ready to make progress on your DMARC project? Get guidance on your next step.

Talk to a DMARC expert at Valimail for free

Frequently asked questions about automating DMARC for enterprises

Q. How long does it take to reach DMARC enforcement with automation?

With Valimail, most enterprises reach enforcement in 45 days or less. Compare that to manual approaches, which typically take 12-18 months (if organizations reach enforcement at all). The difference comes down to automated sender discovery and one-click authorization, which eliminates the months-long process of identifying services and coordinating DNS changes.

Q. Will automation work with our existing DNS provider?

Yes. Valimail uses CNAME delegation, which means you don’t need to switch DNS providers or give up control of your DNS infrastructure. You create a single CNAME record pointing to Valimail, and all email authentication records are managed through Valimail’s platform while your existing DNS setup remains unchanged.

Q. What happens to legitimate emails during the transition to enforcement?

Valimail’s approach ensures that legitimate emails continue to flow. That’s the whole point, after all. The platform identifies all your authorized senders before you enforce policies, and you can gradually move to enforcement domain by domain. You maintain complete control over the timeline and can test thoroughly before blocking any email.

Q. Can we manage DMARC for acquired companies through the same platform?

Absolutely. Multi-domain management is built specifically for this scenario. When you acquire a company, you add its domains to Valimail and gain immediate visibility into its email ecosystem. You can then standardize authentication policies across the organization or maintain separate configurations as needed.

Q. Do we need dedicated staff to manage the platform?

No. That’s the beauty of automation. While you’ll want someone to oversee the program and make authorization decisions, Valimail eliminates the need for dedicated DMARC administrators. Most enterprises manage their entire email authentication program with existing security or IT staff.

Valimail and VP of marketing Mary Lawler earn top honors for leadership, culture, and customer excellence
https://www.valimail.com/blog/valimail-stevie-and-globee-awards-2025/ (Tue, 11 Nov 2025 00:22:18 +0000)

Valimail celebrates major wins at the 2025 Globee® and Stevie® Awards, honoring excellence in leadership, marketing, culture, and customer success.

It’s been a standout year for Valimail, and our recent industry recognitions underscore what makes our team and leadership truly exceptional.

Mary Lawler and the Valimail marketing team win silver in the 2025 Globee® Leadership Awards

We’re proud to share that Mary Lawler, Valimail’s Vice President of Marketing, has been honored with a Silver Globee® Award for Marketing Executive of the Year in the 2025 Globee Awards for Leadership.

Additionally, Valimail has been recognized as a Silver Globee® Business Awards Winner in the Marketing Team-Department of the Year category.


The Globee Awards celebrate leaders shaping the future through innovation, vision, and measurable impact. 

Under Mary’s leadership, Valimail’s marketing strategy has evolved to spotlight both our cutting-edge technology and our mission to make email safer and more trustworthy for everyone. This team’s creative, data-driven approach has strengthened Valimail’s brand presence and customer engagement, while a people-first leadership style continues to inspire teams company-wide.

Learn more about the 2025 Globee Awards for Leadership here.

Valimail wins three Stevie® Awards for culture and customer experience

Valimail also earned three Stevie® Awards this summer, further recognizing the company’s commitment to trust, inclusion, and excellence.

In the 2025 Stevie® Awards for Great Employers, Valimail received:

  • Bronze for Employer of the Year (Computer Software)
  • Bronze for Achievement in Coaching and Mentoring

These awards highlight Valimail’s focus on building a culture where people can thrive, grow, and lead with impact.


And in the 2025 Stevie® International Business Awards, our Customer Support Team took home the Gold for Support Team of the Year, recognizing their dedication to helping organizations succeed through responsive, expert service.


From industry-leading innovation to a culture rooted in trust and growth, these honors reflect what Valimail stands for: empowering people and organizations to communicate safely and confidently.

Congratulations to Mary Lawler and the entire Valimail team for these incredible achievements, and thank you to our customers and partners for continuing to trust us as your ally in success.

Here’s to reaching even greater heights in 2025!

Why manual DNS updates are sabotaging your email security
https://www.valimail.com/blog/manual-dns-updates/ (Thu, 06 Nov 2025 17:00:00 +0000)

Manual DNS updates create delays and errors that compromise email security. Learn why DNS bottlenecks happen and how to fix them.

Your marketing team wants to launch a new email campaign using a brand-new email service provider. Sounds simple enough, right? They fill out a ticket requesting DNS changes. IT reviews it. Someone escalates it for approval. Days pass. Maybe a week. 

Finally, someone with the right access manually updates the DNS records. Then you wait for propagation. Then you test. Then you realize there’s a typo, and the whole cycle starts over.

Meanwhile, your campaign is delayed, your team is frustrated, and your domain remains vulnerable to spoofing because the proper authentication records still aren’t in place.

This is the DNS bottleneck, and it’s one of the biggest obstacles to maintaining strong email security. Manual DNS management isn’t just slow and error-prone; it actively works against the agility and security that modern email authentication demands.

Below, we’ll break down why manual DNS processes create major problems for email security, what risks they introduce, and how organizations can move past this bottleneck without sacrificing control or security.

The problem with manual DNS management

Most organizations treat DNS management like nuclear launch codes. It’s tightly controlled, heavily gated, and requires multiple layers of approval before anyone can touch it. 

DNS is critical infrastructure. One wrong entry can break your website, tank your email deliverability, or create security vulnerabilities. So IT teams build protective processes around it: ticketing systems, approval workflows, change management procedures, and limited access to only a handful of trusted administrators.

Here’s what the typical manual DNS workflow looks like:

  1. DNS Change Request: Someone (usually from marketing, sales, or another team) realizes they need a DNS change to add a new email service, update authentication records, or fix a deliverability issue. They submit a ticket to IT with the details of what needs to change.
  2. IT Review: IT reviews the request to make sure it’s legitimate and won’t break anything. This might involve checking with security, confirming the requester’s authority, or validating the technical details.
  3. Ticket Assignment: The ticket gets assigned to someone with DNS access—often just one or two people in the entire organization who have the credentials and knowledge to make changes.
  4. Manual DNS Update: That person manually logs into the DNS management console, finds the right record, makes the change, and publishes it.
  5. DNS Propagation: Then everyone waits for DNS propagation (which can take hours or even days, depending on TTL settings).
  6. Testing: Someone tests to confirm the change worked correctly. If there’s an error, then you start the whole process over.

This workflow can take days or even weeks for a single DNS change.

The problem isn’t that IT is being difficult or overly cautious, either. They’re doing their job. The real problem is that manual processes can’t keep pace with the speed that modern email security demands (and the delays create vulnerabilities).

Why manual DNS updates sabotage your email security

Email authentication isn’t set-it-and-forget-it. It needs constant adjustments as your email ecosystem evolves (and it always will). Every time you add a new marketing platform, switch CRM providers, or onboard a new SaaS tool that sends email, your DNS records need updating.

And that’s where manual DNS management becomes a serious security problem:

  • Email authentication needs speed, but manual DNS delivers delays. When you add a new email service, it needs to be authorized in your SPF record and configured with DKIM before it can send authenticated email on your behalf. But if that DNS update takes a week to process, you’re stuck. Either you wait (and your business grinds to a halt), or you start sending unauthenticated emails that fail DMARC and get blocked or filtered to spam.
  • Security threats don’t wait for approval workflows. Imagine finding that someone is spoofing your domain to send phishing emails. The fix is easy: tighten your DMARC policy from p=none to p=reject. But if that change requires a ticket, approvals, and a three-day turnaround, those phishing emails keep flowing while you wait for internal bureaucracy to catch up.
  • Outdated records create vulnerabilities. You stop using an old email service but never remove it from your SPF record, because submitting another DNS ticket feels like too much hassle (and nobody has time for that). Now that abandoned service stays authorized to send email as your domain indefinitely.
  • Human error multiplies with manual entries. One misplaced character, one missing semicolon, one typo in a domain name…that’s all it takes to break your entire email authentication setup. When someone is manually typing DNS records into a console, mistakes happen. And those mistakes might not be caught until emails start bouncing or failing authentication.

Manual DNS processes weren’t designed for the dynamic, fast-moving realm of email authentication. They create gaps between when security is needed and when it’s actually implemented, and attackers are happy to exploit those gaps.
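The failure modes above (a typo in a mechanism, a stale include for a vendor you dropped, too many DNS lookups, a monitor-only DMARC policy, a dropped semicolon) can all be caught before a record is published. The checker below is an added example, not Valimail's code: it validates SPF and DMARC TXT records offline, and the records it runs against are constructed, with example.com and the include targets as placeholders.

```python
"""Offline syntax and policy checks for SPF and DMARC TXT records.

Added example, not Valimail's code. All records below are constructed;
example.com and the include targets are placeholders.
"""
import re

# SPF terms that each consume one of the 10 DNS lookups a receiver allows (RFC 7208).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_KNOWN_TERMS = SPF_LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
_TERM = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=/](.*))?$")
_ALL = re.compile(r"^[+\-~?]?all$")


def check_spf(record, authorized_includes=None):
    """Return a list of findings for an SPF record; an empty list means clean.

    authorized_includes: optional set of include: targets still in use. Any
    include not in it is reported as a stale authorization to remove.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings, lookups = [], 0
    for term in terms[1:]:
        match = _TERM.match(term)
        name = match.group(1).lower() if match else None
        if name not in SPF_KNOWN_TERMS:
            findings.append(f"unknown term {term!r} (typo?)")
            continue
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        target = match.group(2) or ""
        if name == "include" and authorized_includes is not None and target not in authorized_includes:
            findings.append(f"stale include: {target} is no longer an authorized sender")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (receivers return permerror)")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorizes any host on the internet to send as your domain")
    elif not _ALL.match(last) and not last.startswith("redirect="):
        findings.append("record should end with an all mechanism (for example -all)")
    return findings


DMARC_POLICIES = {"none", "quarantine", "reject"}
_RUNON = re.compile(r"\s[A-Za-z]+=")  # a second tag inside one value means a ';' was dropped


def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC, BIMI) into a dict, raising on malformed tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or _RUNON.search(value):
            raise ValueError(f"malformed tag {part!r}: tags must be 'key=value' separated by ';'")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means well formed and at enforcement."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy not in DMARC_POLICIES:
        findings.append(f"invalid policy {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"invalid pct={pct}")
    elif policy in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


# Constructed records for illustration (example.com and the vendors are placeholders).
AUTHORIZED = {"_spf.google.com", "spf.crm-vendor.example"}
SPF_GOOD = "v=spf1 include:_spf.google.com include:spf.crm-vendor.example ip4:203.0.113.0/24 -all"
SPF_STALE = "v=spf1 include:_spf.google.com include:spf.old-vendor.example -all"
SPF_TYPO = "v=spf1 inlcude:_spf.google.com -all"
SPF_TOO_MANY = "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
DMARC_BROKEN = "v=DMARC1 p=reject; rua=mailto:dmarc-rua@example.com"  # semicolon dropped

if __name__ == "__main__":
    for label, rec in (("good SPF", SPF_GOOD), ("stale SPF", SPF_STALE), ("typo SPF", SPF_TYPO)):
        print(label, check_spf(rec, AUTHORIZED) or "OK")
    for label, rec in (("good DMARC", DMARC_GOOD), ("monitor DMARC", DMARC_MONITOR), ("broken DMARC", DMARC_BROKEN)):
        print(label, check_dmarc(rec) or "OK")
```

Run it as a pre-publish gate: a non-empty findings list blocks the change, which is exactly the validation step an automated DNS pipeline performs before anything reaches the zone.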

The solution: Automate your DNS management

Fortunately, you don’t have to choose between security and speed. Automated DNS management solves the bottleneck problem while actually improving security and control.

Here’s what automated DNS management looks like:

When you authorize a new email service, the automated system automatically updates your SPF record. When you configure DKIM for a new sender, the keys are published instantly. When you need to adjust your DMARC policy, it happens in real-time without tickets, waiting, or manual typing.

This helps you gain:

  • Speed: Changes happen in minutes instead of days or weeks. Your team can respond to business needs and security threats without waiting on approval chains.
  • Accuracy: Automated systems don’t make typos. They generate properly formatted DNS records every time, eliminating syntax errors and misconfigurations.
  • Auditability: Every change is logged automatically. You know exactly who made what change and when, creating a clear audit trail that manual processes often lack.
  • Scalability: Whether you’re managing five domains or 500, automation handles the complexity without requiring more headcount or creating more bottlenecks.

Automation doesn’t mean losing control, either. The best automated DNS solutions maintain appropriate oversight and security while removing the friction that slows everything down.

And that’s where we come in.

Valimail uses a simple CNAME delegation method to update your DNS records. You create one CNAME record that points to Valimail, and from that point forward, all your email authentication records (SPF, DKIM, DMARC) are managed automatically through Valimail’s platform.

Here’s how it works in practice:

  • Marketing wants to add a new email service: They authorize it in Valimail with a single click. The SPF record updates automatically. DKIM keys are generated and published instantly. No IT ticket required.
  • A third-party service needs to be removed: Revoke authorization in Valimail, and it’s immediately removed from your authentication records.
  • Your DMARC policy needs tightening: Change it in Valimail’s interface, and the update is live within minutes.

IT maintains full visibility and control through role-based access. They can see every change, set approval workflows if needed, and revoke access at any time. Now, the day-to-day management happens automatically, freeing IT from being a bottleneck while keeping them in control.

This ultimately leads to email authentication that moves at the speed of business, with accuracy and security that manual processes can’t match.

Valimail Monitor (free) gives you visibility into your current email authentication status, while Valimail Enforce automates the entire DNS management process for email security. No more tickets, no more delays, no more typos—just fast, secure email authentication that works.

Fix the DNS bottleneck with Valimail

Manual DNS management might have worked when email authentication was simple and changes were rare. But now, manual processes create more problems than they solve.

The bottleneck isn’t inevitable, and it only gets worse as your organization scales. Automated DNS management gives you the speed and accuracy you need without sacrificing control or security.

Valimail eliminates the DNS bottleneck entirely. Start with Monitor for free visibility into your email authentication, or jump straight to Enforce for fully automated DNS management that keeps pace with your business.

Feel like you’re somewhere in the middle? Stop struggling with DNS changes and talk to someone who gets it. We have Valimail experts who are here to sit down during a free consultation and explore how to solve problems with your DNS.


Frequently asked questions about manually-managed DNS

Q. Is automated DNS management secure?

Yes, when done correctly. Automated DNS management actually improves security by reducing human error, providing detailed audit trails, and enabling faster response to threats. Solutions like Valimail use CNAME delegation, which means you maintain control over your DNS while automation handles email authentication records. IT can revoke access at any time, and all changes are logged for compliance and auditing.

Q. Will automation remove IT’s control over DNS?

Not at all. Automated DNS management for email authentication doesn’t require handing over the keys to your entire DNS infrastructure. With Valimail’s CNAME delegation approach, IT maintains full visibility and can set role-based permissions and approval workflows as needed.

Q. What happens if the automation makes a mistake?

Reputable automated DNS solutions include validation checks before publishing any changes. They also maintain version history, so you can quickly roll back if needed. In practice, automated systems make far fewer errors than manual entry because they eliminate typos, syntax mistakes, and configuration errors that sabotage manual processes.

Q. How long does it take to implement automated DNS management?

With Valimail, implementation typically takes less than an hour. You create a single CNAME record in your DNS, and Valimail handles the rest. There’s no complex integration, no API setup, and no migration of existing records required.


The post Why manual DNS updates are sabotaging your email security first appeared on Valimail.

Google ramping up sender compliance enforcement
https://www.valimail.com/blog/google-email-compliance-enforcement/ (Tue, 04 Nov 2025 17:02:58 +0000)

Google is tightening Gmail rules in Nov 2025. Learn how to stay compliant and keep your emails delivered with Valimail’s guidance.

The guidelines were the writing on the wall: authentication, alignment, and permission requirements were already moving from “best practice” to “mandatory.”

Now, with Google announcing that enforcement is ramping up, senders who fail to meet the standards are more likely than ever before to see their mail deferred, delayed, or rejected.

Here’s what you need to know to ensure your mail still gets delivered.

What changed?

Google quietly updated its bulk sender guidelines FAQ to note: “Starting November 2025, Gmail is ramping up its enforcement on non-compliant traffic. Messages that fail to meet the email sender requirements will experience disruptions, including temporary and permanent rejections.”

The requirements themselves haven’t changed, but Google is signaling that enforcement is increasing. Google is warning that it will actively delay or reject inbound email that doesn’t comply, moving us a step beyond mere “recommendations.”

What this means for senders

Bulk email senders (those who send 5,000+ messages to Gmail addresses in a 24-hour period, including marketers, CRMs, SaaS platforms, and newsletters) are now much more likely to find messages delayed or rejected if not fully compliant with Google’s bulk sender requirements.

Expect temporary deferrals (4xx errors), slower delivery, and possibly outright rejections (5xx errors) for mail that fails authentication or violates their published policies.

Google is looking for properly authenticated messages that pass SPF, DKIM, and DMARC checks, including successful SPF or DKIM alignment. Your sending IPs, hostnames, and domains must have proper rDNS in place, and your mail servers must present a valid HELO/EHLO hostname. Mail connections must be encrypted with TLS. You must make it easy to unsubscribe, with clear opt-out options, including the one-click list-unsubscribe mechanism, and you must honor those opt-outs by ceasing to send to recipients who unsubscribe.

Display names (friendly from) and subject lines must not be deceptive or confusing. Don’t mimic user interface elements (like implementing emoji checkboxes in the friendly from), and all email sent must comply with relevant RFCs (meaning no doubling up on headers like the from address or subject line).

And finally, Google wants you to keep the spam complaint rate (the percentage of email recipients indicating that your email is unwanted using the “report spam” button) below 0.1%.

Be sure to review the full list of requirements in Google’s Email sender guidelines.
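Most of the requirements listed above can be checked on a message before it leaves your ESP. The script below is an added example, not Valimail’s or Google’s code: it checks DMARC alignment of the From domain against the DKIM signing domain and the envelope (Return-Path) domain, duplicate From/Subject headers, a check-mark in the display name, and the RFC 8058 one-click unsubscribe headers. Real SPF and DKIM verification needs DNS, so the raw pass/fail results are passed in as parameters; the messages are constructed, and example.com, example.org and esp.example.net are placeholders.

```python
"""Pre-send checks for the bulk-sender rules described above.

Added example, not Valimail's or Google's code. SPF/DKIM pass results are
inputs (they need DNS); this checks what the sender controls: alignment and
headers. Messages are constructed; all domains are placeholders.
"""
import email
import re
from email.utils import parseaddr

ONE_CLICK = "list-unsubscribe=one-click"            # RFC 8058 header value
UI_MIMIC = re.compile("[\u2705\u2611\u2713\u2714]")  # check marks and ticked boxes
_DKIM_D = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def org_domain(host):
    """Organizational domain for relaxed alignment. Simplified to the last two
    labels; a real validator uses the Public Suffix List (so co.uk etc. work)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def dkim_signing_domains(msg):
    """The d= tag of every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        match = _DKIM_D.search(str(sig))
        if match:
            domains.append(match.group(1).lower())
    return domains


def check_message(raw, envelope_from, spf_pass=True, dkim_pass=True):
    """Return a list of compliance findings; an empty list means the message passes."""
    msg = email.message_from_string(raw)
    findings = []
    for header in ("From", "Subject"):
        if len(msg.get_all(header, [])) > 1:
            findings.append(f"duplicate {header} header (RFC 5322 allows exactly one)")
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if UI_MIMIC.search(display_name):
        findings.append("display name contains a check mark that mimics a UI element")
    # DMARC passes only if SPF or DKIM passes *and* that identity aligns with the From domain.
    spf_aligned = spf_pass and org_domain(envelope_from.rpartition("@")[2]) == org_domain(from_domain)
    dkim_aligned = dkim_pass and any(org_domain(d) == org_domain(from_domain)
                                     for d in dkim_signing_domains(msg))
    if not (spf_aligned or dkim_aligned):
        findings.append("DMARC fails: neither SPF nor DKIM aligns with the From domain")
    unsub = msg.get("List-Unsubscribe", "")
    unsub_post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if "https://" not in unsub:
        findings.append("List-Unsubscribe has no https URL")
    if unsub_post != ONE_CLICK:
        findings.append("missing 'List-Unsubscribe-Post: List-Unsubscribe=One-Click'")
    return findings


def _msg(*headers):
    return "\r\n".join(headers) + "\r\n\r\nBlack Friday starts now.\r\n"


# Constructed messages; the DKIM signature values are placeholders, not real signatures.
COMPLIANT = _msg(
    'From: "Example Shop" <promo@example.com>',
    "To: customer@example.org",
    "Subject: Black Friday deals",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2025; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED",
    "List-Unsubscribe: <https://example.com/unsub/abc123>, <mailto:unsub@example.com?subject=abc123>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
)
NON_COMPLIANT = _msg(
    'From: "\u2705 Example Shop" <promo@example.com>',
    "To: customer@example.org",
    "Subject: Black Friday deals",
    "Subject: Black Friday deals",
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example.net; s=k1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED",
)

if __name__ == "__main__":
    print("compliant:", check_message(COMPLIANT, "bounce@mail.example.com") or "OK")
    print("non-compliant:", check_message(NON_COMPLIANT, "bounce@esp.example.net"))
```

The second message is the typical third-party-ESP mistake: DKIM passes, but it is signed with the ESP’s domain, so nothing aligns with the From domain and DMARC fails even though both raw checks succeeded.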

What hasn’t changed

Google’s requirements were announced back in October 2023, with initial enforcement steps beginning in early 2024. That initial enforcement was characterized by a “light touch.” That has changed, and it is now time to be ready for more active enforcement. Think of it as moving from “warning mode” to “ticketing mode.” If you’ve ignored DNS alignment warnings, kept sending despite an elevated spam complaint rate, or failed to fix unsubscribe links, those problems will now result in blocked mail.

It’s not just Google

Earlier in 2025, Microsoft rolled out its own bulk sender requirements on a speedy timeline: updated requirements were announced in April, and enforcement began in May. Microsoft moved quickly to begin rejecting non-compliant messages, and Google’s announcement brings the two providers closer to parity, both in their sender requirements and in the enforcement of those requirements.

The alignment helps level the playing field: bad actors and sloppy senders are more likely to be filtered out, while legitimate, authenticated senders are more likely to see better inbox placement. Together, this highlights the “new normal,” where authentication, DMARC, and good sending practices are no longer optional.

What senders should do right now

Are you fully compliant? If not, you are now more likely to see messages delayed or rejected when sending to Gmail subscribers. It’s time to check your domain configuration and sending practices to make sure you’re in the best position to avoid new deferrals and rejections, this month and in the future.

Verify your SPF, DKIM, and DMARC configurations to ensure proper authentication checks and alignment. Verify DNS and domain settings are correct, confirm that your unsubscribe mechanism is up to par, and review email marketing stats to ensure that complaint rates aren’t high enough to be negatively noticed. The Valimail Domain Checker is a great place to start; it’ll help you check your DMARC record and policy, SPF authentication settings, and more.


Look for SMTP deferrals and rejections related to sender compliance and authentication failures. Not only can these be found in mail server logs, but Google now incorporates a whole host of SMTP rejection information in DMARC aggregate reporting. This is especially handy for an organization-wide review for sender compliance, moving you beyond having to review multiple SMTP-level log streams individually.
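A DMARC aggregate report is XML (the schema in RFC 7489), so the per-source review described above can be scripted. The parser below is an added example, not Valimail’s code: it summarizes passing and failing volume per sending IP and flags sources whose DKIM or SPF passed but did not align with the From domain. It handles the standard schema only; any provider-specific rejection details Google adds are not modelled. The report is constructed, the IPs are documentation ranges, and example.com, esp.example.net and attacker.example are placeholders.

```python
"""Summarize a DMARC aggregate (RUA) report per sending source.

Added example, not Valimail's code. Parses the standard RFC 7489 XML
schema only. The report below is constructed; IPs are documentation ranges
and all domains are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1730678400</begin><end>1730764800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>sel2025</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>80</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize(report_xml):
    """Per-source DMARC outcome plus pass/fail totals for one aggregate report."""
    root = ET.fromstring(report_xml)
    summary = {
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [],
        "totals": {"pass": 0, "fail": 0},
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        # policy_evaluated results already include the alignment check, so
        # DMARC passes when either identity is reported as pass here.
        dkim_ok = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_ok = _text(rec, "row/policy_evaluated/spf") == "pass"
        dmarc_pass = dkim_ok or spf_ok
        notes = []
        for sig in rec.findall("auth_results/dkim"):
            if _text(sig, "result") == "pass" and not dkim_ok:
                notes.append(f"DKIM passed for {_text(sig, 'domain')} but is not aligned with the From domain")
        for spf in rec.findall("auth_results/spf"):
            if _text(spf, "result") == "pass" and not spf_ok:
                notes.append(f"SPF passed for {_text(spf, 'domain')} but is not aligned with the From domain")
        summary["sources"].append({
            "ip": _text(rec, "row/source_ip"),
            "count": count,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dmarc_pass": dmarc_pass,
            "notes": notes,
        })
        summary["totals"]["pass" if dmarc_pass else "fail"] += count
    return summary


def failing_sources(summary):
    """Sources whose mail failed DMARC, largest volume first: the review queue."""
    return sorted((s for s in summary["sources"] if not s["dmarc_pass"]),
                  key=lambda s: s["count"], reverse=True)


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(result["domain"], "p=" + result["policy"], result["totals"])
    for src in failing_sources(result):
        print(src["ip"], src["count"], src["disposition"], src["notes"] or "no authenticated identity")
```

In the constructed report the 192.0.2.25 source is the case worth recognizing: a legitimate ESP whose mail authenticates under its own domain and is being rejected only because it was never configured to sign with yours.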

Keeping trust in email

The reason for these requirements and enhanced enforcement is to protect the email ecosystem. The goal is to keep email usable by making it easier to identify senders, both good and bad, so that problematic mail can be recognized, good mail stays in the inbox, and unwanted messages are kept out. If you’re a good sender doing things right (your messages authenticate correctly, you manage your reputation, and you respect user choice), you stand to benefit from these changes.

Between Microsoft’s enforcement wave earlier this year and Google’s latest crackdown, we’re watching the industry standardize around requirements focused on authenticated and wanted email. Compliance with email sender requirements is no longer optional.

And that compliance begins with visibility. Our free Valimail Monitor solution can help you see who is sending on behalf of your domains, track SPF/DKIM/DMARC pass/fail and alignment by sender, and help you catch configuration gaps before mailbox providers delay or block your email messages.


Increase Cyber Monday and Black Friday email open rates with BIMI
https://www.valimail.com/blog/bimi-black-friday-email/ (Mon, 03 Nov 2025 17:00:00 +0000)

Boost your Black Friday email performance with BIMI: enhance deliverability, build trust, and drive more opens and revenue this holiday season.

This shopping holiday season is more important than ever to email marketers. It’s make-it-or-break-it time for those Black Friday email marketing efforts. 

According to recent reports, in 2025, customers are expected to spend nearly $80 billion on Black Friday and Cyber Monday, an increase from $20 billion last year. A big contribution to this spending is email marketing, as consumers are searching for the best discounts and deals.

61% of consumers said that they prefer hearing about Black Friday deals from an email, while SendGrid reported that there was a 13% rise in Black Friday email volume year-over-year.

You’re already doing everything you can to prepare for Black Friday email marketing success. Your infrastructure is locked into place, your warming and segmentation plans are defined, and your Black Friday email campaigns are designed and ready to be loaded into your automation platform.

But how can you top your metrics and success from last year? We have a little secret that could boost your open rates by 20% this Black Friday. 

The answer? Brand Identifiers for Message Identification (BIMI).

2025 BIMI trends to watch:

– 40% growth in BIMI adoption in retail and e-commerce in 2024
– Major inbox providers tightening security policies, especially Google, Microsoft, and Yahoo’s 2024 sender requirements
– Growing brand preference for authentication-driven trust signals over traditional security indicators

What is BIMI? 

Brand Identifiers for Message Identification (BIMI) puts your logo in the inbox directly next to your Black Friday email, outshining missing or grayed-out initials. BIMI works with many email clients and webmail providers, such as Gmail, iCloud, Yahoo, and others. 


To enable BIMI on your domain, you need to either have a Common Mark Certificate (CMC) or a Verified Mark Certificate (VMC). In the past few months, Google announced that it would support CMCs, which don’t require trademarked logos. This announcement opens the avenue for more brands to get their logo next to a branded email. 

BIMI offers many benefits, including increased brand visibility, higher user engagement, and a consistent brand experience. Some BIMI users can also receive the blue verified checkmark next to their name in the Gmail inbox. 

Why BIMI matters more than ever in 2025

Retailers and e-commerce brands are leaning harder than ever into email marketing, which means inbox competition is fierce. In fact, in the retail and e-commerce space in 2024, BIMI adoption grew 40%. If you’re not adopting BIMI, your brand is becoming less competitive in the space.


Not all brands have implemented a BIMI logo because it’s still a relatively new and emerging technology. More than 20,000 of the top domains have implemented a BIMI logo, which might sound like a lot, but millions of brands haven’t explored their BIMI opportunity. 

By trailblazing your way to implementing a BIMI logo, you’ll get your logo (and attention) to display in places that competitors are missing out on.

The BIMI logo shows that your email domain is fully secure, which drives more subscriber trust. More importantly, BIMI drives additional engagement, giving you the chance to drive even more Black Friday email marketing revenue this holiday season. 

Every logo that gets seen in your email is also a brand impression. Digital marketers are most likely already using display ad networks like Google and Facebook to drive brand impressions as part of a digital marketing strategy. The great news about email is that you can get amazingly low CPIs in comparison. Depending on which display ad network you are using, you could be paying $2-6 per impression. 

Depending on the email volume you send to Google and Yahoo subscribers, with BIMI, you can see CPIs for as little as 10 cents or less. During the holiday season, just think about how all of those brand impressions could add up – more site visits, more search volume, and potentially more revenue.


“We were looking for a solution that could increase our brand protection and brand visibility by having our logo show up in our inbox without having to trademark our logo. The Common Mark Certificate (CMC) [and BIMI] helped us achieve this.”

Global Financial Management Company

Implementing BIMI on your email domain is more than just an upgrade; it’s a game-changer for your Black Friday email marketing strategy. By displaying your brand logo next to your emails, you’re not only enhancing your brand’s credibility but also making your messages stand out in a crowded inbox. Think of it as the next evolution of email marketing, where trust and visibility drive open rates, engagement, and ultimately more revenue. 

How to implement BIMI in time for Black Friday

Here’s your checklist:

    If you’re unsure which one to choose, this comparison can help you pick the best option for your Black Friday email marketing strategy:

    Verified Mark Certificate (VMC)
      Pros: – Logo and Google’s Blue Checkmark show on desktop and mobile
            – Highest security bar
      Cons: – Slower to obtain (if you don’t already have a trademark)

    Common Mark Certificate (CMC)
      Pros: – No trademark required
            – Easier to obtain
      Cons: – No Google Blue Checkmark
            – The logo has to have been in use for over a year

    • Upload your logo.
      Prepare a tiny SVG logo file and host it securely. This file must meet specific formatting standards.
    • Publish your BIMI DNS record.
      Point your DNS record to your logo file and certificate. Valimail helps ensure this step is validated and error-free.
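The BIMI record itself is a TXT record at default._bimi.<your domain> with v=, l= (logo URL) and a= (certificate URL) tags, and it only does anything once DMARC is at enforcement. The readiness check below is an added example, not Valimail’s or DigiCert’s code: it checks the DMARC policy and the BIMI record syntax offline. Whether the SVG really is a valid Tiny PS file and whether the certificate is a trusted VMC/CMC can only be confirmed by fetching them, so those are out of scope. The records are constructed and example.com is a placeholder.

```python
"""Is this domain ready to publish BIMI?

Added example, not Valimail's or DigiCert's code. Checks DMARC enforcement
and BIMI record syntax only; the logo file and certificate themselves are
not fetched. Records are constructed; example.com is a placeholder.
"""


def tags(record):
    """Turn a 'k=v; k2=v2' record into a dict (DMARC and BIMI share this syntax)."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (part.partition("=") for part in record.split(";"))
            if k.strip()}


def bimi_readiness(dmarc_record, bimi_record):
    """Return findings that would keep mailbox providers from showing the logo; empty means ready."""
    findings = []
    dmarc = tags(dmarc_record)
    policy = dmarc.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: BIMI requires quarantine or reject")
    if policy == "quarantine" and dmarc.get("pct", "100") != "100":
        findings.append("DMARC pct must be 100 for BIMI when p=quarantine")
    if dmarc.get("sp") == "none":
        findings.append("DMARC sp=none leaves subdomains unenforced; BIMI requires sp to be quarantine or reject")
    bimi = tags(bimi_record)
    if bimi.get("v") != "BIMI1":
        findings.append("BIMI record must start with v=BIMI1")
    logo = bimi.get("l", "")
    if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
        findings.append("l= must be an https URL to an SVG logo")
    cert = bimi.get("a", "")
    if not cert:
        findings.append("no a= certificate URL: Gmail will not show the logo without a VMC or CMC")
    elif not cert.startswith("https://"):
        findings.append("a= certificate URL must use https")
    return findings


# Constructed records; the URLs do not exist.
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
BIMI_OK = "v=BIMI1; l=https://example.com/bimi/logo.svg; a=https://example.com/bimi/vmc.pem"

if __name__ == "__main__":
    print("enforced + valid record:", bimi_readiness(DMARC_ENFORCED, BIMI_OK) or "ready")
    print("monitor-only DMARC:", bimi_readiness(DMARC_MONITOR, BIMI_OK))
```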

    Sounds easy, but is your domain able to implement BIMI? Check your BIMI status for free with Valimail’s domain checker:


    DigiCert + Valimail: The fastest path to BIMI

    Enabling BIMI starts with DMARC enforcement, which is the essential foundation for sender identity and domain protection. Valimail’s platform makes this easy and fast, with automation that removes the complexity from DMARC management.

    From there, DigiCert provides the required BIMI certificates (VMC or CMC), offering a secure and recognized path to displaying your logo.

    Now that DigiCert has acquired Valimail, together you get:

    • Automated DMARC enforcement with Valimail Amplify
    • Verified brand identity with DigiCert VMC/CMC
    • A smooth BIMI implementation experience, just in time for your holiday campaigns

    FAQs about BIMI for Black Friday

    Q: Do I need a trademark to implement BIMI?

    No, thanks to CMCs (Common Mark Certificates) from DigiCert, you can enable BIMI without a trademarked logo. However, if you have a trademark, you can obtain a Verified Mark Certificate (VMC).

    Q: Will BIMI impact deliverability?

    Indirectly, yes. BIMI requires DMARC at enforcement, which helps improve inbox placement. Plus, the visual brand presence can boost open rates and reduce unsubscribes.

    Q: What happens if my brand doesn’t implement BIMI this season?

    You’ll still be able to send emails, but you’ll miss out on key visibility and trust benefits. Without BIMI, your emails may appear with default initials or blank icons, especially in Gmail or Yahoo inboxes. That can make your messages easier to overlook or mistake for spam. BIMI helps you stand out and signals to recipients that your messages are legitimate and secure.


    What is PII? How to safeguard personal data in emails
    https://www.valimail.com/blog/what-is-pii-data-safeguarding/ (Thu, 30 Oct 2025 16:00:00 +0000)

    Learn what PII is, how to identify it in your emails, and implement practical strategies to safeguard sensitive personal information.

    Have you noticed how many emails ask for your personal information these days? You can’t buy a pair of shoes without revealing your date of birth, phone number, and known allergies.

    Just kidding. Well, mostly.

    From online shopping to job applications, we’re constantly sharing bits of ourselves through our inboxes. That information—your name, address, social security number—that’s what we call PII, or Personally Identifiable Information.

    Here’s the thing about email and PII: they were never designed to go together. Ever. Email was created for open communication, not secure data transfer. Yet here we are, attaching documents with our banking details and sending messages with our home addresses, all while malicious actors are working overtime to intercept this information.

    At Valimail, we take a different approach. Unlike many email security providers, we don’t collect, store, or process your PII. Our authentication technology focuses on securing the email channel itself without needing access to sensitive personal data. It’s security without the privacy tradeoffs.

    Below, we’ll walk you through what actually counts as PII (it’s more than you might think), why it matters so much in email communications, and practical steps to keep it safe. This isn’t just for IT professionals. It’s for business owners, developers, builders, marketers, and practically anyone who touches PII in any capacity. 

    What is PII (Personally Identifiable Information)?

    PII stands for Personally Identifiable Information, data that can be used on its own or combined with other information to identify, contact, or locate a specific person. 

    Think of PII as the digital breadcrumbs that, when put together, create a trail leading directly to you. Okay, it’s kind of scary when we put it like that.

    Unlike anonymous data (like general statistics about website visitors), PII is specific to you as an individual. It’s the information that makes you uniquely you in databases and systems across the internet.

    PII comes in two main types:

    • Direct identifiers
    • Indirect identifiers

    Direct identifiers are the obvious information that points to you without needing any additional context:

    • Full name
    • Social Security number
    • Email address
    • Phone number
    • Home address
    • Driver’s license number
    • Passport details
    • Biometric data (fingerprints, retina scans)
    • Account numbers (bank, credit card)

    Indirect identifiers might not identify you on their own, but when combined with other information, they start to create a unique profile:

    • ZIP code
    • Date of birth
    • Gender
    • Race or ethnicity
    • Job title and employer
    • Educational background
    • Medical information
    • Device identifiers
    • IP addresses

    For example, knowing someone’s birth date alone doesn’t tell you who they are. But combine that with their ZIP code and gender, and you’ve narrowed things down a lot. Research has shown that these three pieces of information (ZIP code, birth date, and gender) can uniquely identify up to 87% of Americans.

    What PII isn’t

    There’s often confusion about what constitutes PII. General information like “male customer from California” isn’t PII because it applies to millions of people. Neither is truly anonymized data that’s been stripped of identifying elements and aggregated.

    Business contact information exists in a gray area. Your work email and office phone number are technically PII, but they’re often treated differently under various regulations because they relate to your professional rather than personal life.

    Weird, right?

    Now, the consequences of exposed PII go beyond just annoying spam emails:

    • Identity theft: With enough of your PII, criminals can open credit accounts, file tax returns, or apply for benefits in your name.
    • Financial fraud: Direct access to financial PII means direct access to your money.
    • Targeted phishing: The more someone knows about you, the more convincing their scam attempts become.
    • Personal safety: Location data and contact details in the wrong hands can lead to stalking or harassment.
    • Reputational damage: Both individuals and companies suffer when PII breaches become public.

    Understanding what constitutes PII is the first step in protecting it. And when it comes to email (one of the most common places where PII gets shared), knowing what you’re looking for is half the battle.

    PII in email communications: Where’s the risk?

    Email wasn’t built with security in mind. It was designed in the 1970s when the internet was just a small network of trusted academic and military computers. Fast forward to today, and we’re using this same basic technology to send sensitive personal information across a global network that’s practically swimming with threats.

    And here’s where those risks are in terms of email:

    1. Transmission vulnerabilities

    When you send an unencrypted email containing PII, that information passes through multiple servers before reaching its destination. At any point in that journey, the data could be intercepted, especially over unsecured networks like public Wi-Fi.

    The average corporate email account sends and receives 126 emails daily. That’s a lot of potential PII flying around unprotected.

    2. Storage issues

    Once an email reaches its destination, those PII risks don’t disappear. Emails don’t just vanish after they’re read. They sit in inboxes, archives, and backups for months or years. That tax document with your Social Security number you emailed last April? It’s probably still hanging out in someone’s inbox or saved on a device that could be lost, stolen, or hacked.

    Many people access their email across multiple devices: work computers, personal laptops, phones, and tablets. Each device is another potential access point for unauthorized users.

    3. Human error

    We all make mistakes, and when it comes to email, those mistakes can expose PII:

    • Sending sensitive information to the wrong recipient (thank you, autocomplete)
    • Replying to all instead of just one person
    • Forwarding email chains without realizing they contain PII further down
    • Falling for phishing attacks that trick you into sharing personal data

    A single misdirected email containing a customer database can expose thousands of individuals’ personal information in an instant.

    4. Impersonation problems

    Email lacks built-in identity verification. Cybercriminals exploit this flaw through domain spoofing—sending emails that appear to come from trusted sources. These impersonation attacks often target PII directly:

    • Fake HR emails requesting employee information
    • Spoofed bank communications asking for account details
    • Impersonated executives requesting W-2 forms or other sensitive employee data

    Without proper email authentication (looking at you, DMARC), it’s surprisingly easy for attackers to make an email look like it’s from your bank, your boss, or your healthcare provider.

    5. Lifecycle vulnerability

    Vulnerabilities exist throughout the entire information lifecycle:

    • Creation (PII entering the email system)
    • Transmission (PII moving between servers)
    • Use (PII being accessed by recipients)
    • Storage (PII sitting in inboxes and archives)
    • Disposal (or lack thereof—many emails are never properly deleted)

    Unlike purpose-built secure messaging systems, email leaves PII exposed at multiple points. And because email is so ubiquitous and convenient, we often use it without thinking about these vulnerabilities.

    Identifying PII in your organization’s emails

    PII can be scattered across thousands of messages, attachments, and archives, and it’s often in formats and locations you might not expect.

    Start with the obvious places: HR communications, customer service emails, and financial correspondences. These typically contain the highest concentration of personal data. But don’t stop there. Marketing emails with customer lists, inter-departmental messages about projects, and even seemingly innocent meeting invites can contain identifying information.

    For smaller organizations, sampling representative emails from different departments can give you a sense of where PII lives in your systems. Look for patterns in how information flows—who sends sensitive data, who receives it, and how it’s formatted.

    Larger organizations will need automated PII scanning tools that can search across email archives using pattern recognition for common PII formats (like Social Security numbers) and contextual clues (phrases like “date of birth” followed by dates). Still, even these can become a problem if they scan and keep that information.

    Don’t forget about attachments: documents, spreadsheets, and PDFs frequently contain more sensitive information than the emails themselves.
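The pattern-plus-context scanning described above is straightforward to build for the common formats. The scanner below is an added example, not Valimail’s code: it finds SSNs (with the structural rules that rule out impossible numbers, so not every 9-digit dash-separated number is flagged), payment card numbers (validated with the Luhn check), and dates that follow a “date of birth” cue, and it redacts what it finds down to the last four digits. The sample email is constructed and every number in it is a fabricated test value.

```python
"""Find and redact common PII patterns in email text.

Added example, not Valimail's code. Pattern matching plus validity checks
(SSN structure, Luhn for card numbers) and context cues for dates of birth.
The message below is constructed; all numbers are fabricated test values.
"""
import re

SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional space/dash groups
DOB = re.compile(r"\b(?:date of birth|DOB|born on)\b[:\s]*(\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})",
                 re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def possible_ssn(area, group, serial):
    """Structural rules for SSNs: area 000, 666 and 9xx, group 00 and serial 0000 are never issued."""
    return not (area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000")


def scan(text):
    """Return (kind, start, end) for each PII hit, ordered by position."""
    findings = []
    for m in SSN.finditer(text):
        if possible_ssn(*m.groups()):
            findings.append(("ssn", m.start(), m.end()))
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card", m.start(), m.end()))
    for m in DOB.finditer(text):
        findings.append(("dob", m.start(1), m.end(1)))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Mask each hit, keeping only the last four digits where that is useful for reconciliation."""
    out = text
    for kind, start, end in sorted(scan(text), key=lambda f: f[1], reverse=True):
        value = text[start:end]
        if kind == "ssn":
            masked = "***-**-" + value[-4:]
        elif kind == "card":
            masked = "[card ending " + re.sub(r"\D", "", value)[-4:] + "]"
        else:
            masked = "[dob redacted]"
        out = out[:start] + masked + out[end:]
    return out


# Constructed sample; every number is a fabricated test value.
SAMPLE_EMAIL = """Hi HR,

Attached is the new-hire paperwork for Jordan Example.
Date of birth: 04/12/1987
SSN: 123-45-6789
Corporate card for expenses: 4111 1111 1111 1111
Reference number 000-12-3456 is the internal ticket, not an SSN.
Tracking 4111 1111 1111 1112 is the courier number.
"""

if __name__ == "__main__":
    for kind, start, end in scan(SAMPLE_EMAIL):
        print(kind, repr(SAMPLE_EMAIL[start:end]))
    print(redact(SAMPLE_EMAIL))
```

The two decoys in the sample matter: the reference number looks like an SSN but cannot be one, and the tracking number fails Luhn, so neither is flagged. A scanner without those checks would bury real hits under false positives, which is how people learn to ignore its alerts.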

    How to safeguard PII (the right way) in your emails

    Protecting PII in emails doesn’t have to mean implementing complex systems that make everyone’s job harder. Nobody wants that. The best security measures blend into your workflow while still providing protection. Here’s how to get it right:

    1. Start with the simplest question: Does this PII need to be in an email at all? Usually, no. Sometimes the best protection is not sending sensitive information in the first place. Consider secure document sharing platforms or customer portals for transmitting truly sensitive data like SSNs or financial details.
    2. Encryption is your friend: End-to-end encryption ensures that anyone who intercepts a message in transit cannot read it. Many providers now offer an encryption option with a click or two; check what it actually does, since some of these protect the message only at the provider or behind a recipient portal rather than end to end.
    3. Email authentication: Email authentication protocols like DMARC, SPF, and DKIM protect against the most common email-based PII threats: phishing and impersonation attacks. They verify sender identity to prevent attackers from posing as trusted entities to extract personal information.
    4. Email hygiene: Regularly purging old messages containing PII, using secure passwords with multi-factor authentication, and being careful about email access on mobile devices reduces your risk profile.
    5. Training: Most PII breaches happen from human error, not sophisticated hacking. Regular training sessions on recognizing sensitive information and understanding proper handling protocols go a long way toward preventing costly mistakes.

    Email authentication’s role in PII protection

    Email authentication protocols like DMARC, SPF, and DKIM shut down the most common attack vector for PII theft: impersonation of your domain. Be precise about the scope, though. With DMARC at enforcement, receivers can reject mail that forges your exact domain in the From header; lookalike domains and mail sent from a compromised legitimate account are out of scope, which is why training and MFA still matter.

    Think about it: most major data breaches start with someone pretending to be someone they’re not. “Hello from IT, we need your login details.” “HR here, please confirm your SSN.” Without authentication, these spoofed emails cruise right into inboxes.

    When only legitimate senders can use your domain, email authentication stops attackers before they can trick employees or customers into sharing sensitive information. It’s preventative medicine for your email ecosystem—addressing the problem at its source rather than trying to contain a breach after the fact.

    Curious if your domain is currently vulnerable to spoofing? Take two minutes to run your domain through Valimail’s free Domain Checker tool (no signup required)—it’ll tell you.

    Why DMARC RUF (forensic reports) are risky

    If you care about protecting PII, there’s a silent privacy hazard hiding in many DMARC setups: RUF forensic reports. Unlike RUA (aggregate) reports, which summarize sending sources and authentication outcomes at a high level, RUF reports can include message-level details about specific emails that failed authentication. That often means PII.

    What RUF reports can expose:

    Depending on the sender and implementation, RUF reports may contain:

    • Full or partial message headers (From, To, Reply-To, Subject)
    • Sender and recipient addresses (sometimes the original recipient)
    • Message subject lines and occasionally snippets or body content
    • Attachment names, embedded URLs, and IP addresses
    • Internal routing data (Message-IDs, mailhost details)

    That is a lot of breadcrumbs, precisely the kind that lead back to a real person.

    Instead of using RUF reports, here are some safer alternatives that protect your PII:

    • Use RUA aggregate reports only; they deliver insights most teams need, like sending sources, pass/fail rates, and alignment.
    • Enable TLS-RPT to monitor transport security issues without exposing message content.
    • Capture forensic detail at your own mail gateway when you truly need it, under your existing access controls and retention policies, rather than having third-party receivers email it to you.
    • If you must keep RUF, restrict who can read the reports and delete them on a short retention schedule.
    • Use Valimail for aggregate intelligence and TLS reporting, plus automation to give you the visibility you need without the privacy tradeoffs.
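    To make the RUA-only recommendation concrete, here is an added example (not Valimail code) that parses a DMARC TXT record and flags the tags a privacy review would object to: a ruf= address, an fo= setting that widens failure reporting, and a pct= that leaves part of your mail unprotected. The two records are constructed; the mailto: addresses and example.com are placeholders.

```python
"""Audit a DMARC TXT record for tags that leak message detail (ruf=, fo=).

Added example, not Valimail code. The two records below are constructed;
the mailto: addresses and example.com are placeholders.
"""
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 tag-list syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Return the findings a privacy-minded reviewer would raise for a record."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if "ruf" in tags:
        findings.append("ruf= present: failure reports may carry headers, addresses "
                        f"and message content to {tags['ruf']}")
        # fo=1 asks receivers to send a failure report when SPF *or* DKIM fails,
        # not only when both do, so far more reports (and more PII) leave.
        if tags.get("fo", "0") != "0":
            findings.append(f"fo={tags['fo']} widens the set of failure reports sent")
    pct = tags.get("pct", "100")
    if policy != "none" and pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


# Constructed examples: a record that leaks, and a cleaned-up replacement.
RISKY_RECORD = ("v=DMARC1; p=quarantine; pct=50; "
                "rua=mailto:dmarc-agg@example.com; "
                "ruf=mailto:dmarc-forensic@example.com; fo=1")
SAFE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com"

if __name__ == "__main__":
    for name, rec in (("risky", RISKY_RECORD), ("safe", SAFE_RECORD)):
        print(name, audit_dmarc(rec) or ["no findings"])
```

    Run it against the record you actually publish (dig TXT _dmarc.yourdomain) and the safe record shows the shape to aim for: enforcement, an aggregate address, and nothing else.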

    Keep your PII safe with proper email authentication

    Identifying what PII is and how to protect it in email communications is just the first step. The real challenge is implementing safeguards that don’t disrupt your daily operations. That’s where we can help. 

    Valimail secures your email channel without collecting or storing any PII, protecting privacy while preventing impersonation attacks that lead to data breaches. We do this through DMARC automation, guaranteeing that spoofers can’t use your brand to trick employees, customers, or partners.

    Want more comprehensive protection? Try Valimail Monitor for free and get detailed insights into who’s sending email using your domain (legitimate senders and potential impersonators alike), all without exposing your sensitive data.

    The post What is PII? How to safeguard personal data in emails first appeared on Valimail.

    ]]>
    Phishing vs. spear phishing: Why one attack is getting harder to catch (2025 update) https://www.valimail.com/blog/phishing-vs-spear-phishing/ Mon, 27 Oct 2025 06:00:00 +0000 https://www.valimail.com/blog/phishing-vs-spear-phishing/ Learn about all the differences between spear phishing and phishing and ways to better protect your business in 2025.

    The post Phishing vs. spear phishing: Why one attack is getting harder to catch (2025 update) first appeared on Valimail.

    ]]>
    What are the differences between spear phishing vs. phishing? Phishing (and spear phishing, for that matter) isn’t a new concept for internet users. Scams have slipped into inboxes for years—some promising outrageous riches, others wielding cleverly-worded incentives.

    91% of cyberattacks start with a phishing email, and 90% of those emails contain no malware but use executive spoofing, gift card scams, or account takeovers.

    According to the FBI, in the last 10 years, $50.5 billion was the reported loss to Business Email Compromise (BEC). Meanwhile, a similar report listed spear-phishing attacks as the most popular attack vector used by observed hacker groups.

    Phishing and spear phishing are both examples of social engineering cyber attacks. Social engineering manipulates victims into revealing sensitive information, such as passwords, social security numbers, and bank account details. 

    Both regular phishing and spear phishing attacks are used to spread malware, such as ransomware, through malicious links and downloads. Spear phishing attempts, however, pose a more direct cyber threat to organizations than regular phishing.

    To help you prevent attacks and boost your email security, we’ve broken down the key characteristics of phishing and spear phishing below.

    What is spear phishing?

    Spear phishing emails are a more advanced form of phishing. Spear phishing is a specific and targeted attack on one or a select number of victims, while regular phishing attempts to scam masses of people.

    In spear phishing, scammers often use social engineering and spoofed emails to target specific individuals in an organization. They may impersonate family members, colleagues, or business acquaintances.

    Scammers often mine social media for details about their target, then use those details to make their requests look legitimate.

    When contacting the target, they will address them by name and use personal facts and/or casual language. They may also use malware to gather private information.

    Their primary goal is to manipulate employees into revealing sensitive data or committing unauthorized actions, such as wire transfers to fraudulent companies.

    Scammers of this nature commonly employ two methods of attack: 

    1. Whaling attacks: These are attacks aimed at senior executives, i.e., individuals with the power to access confidential information and (unknowingly) enable a data breach or approve a large money transfer.
    2. CEO fraud: Targeted attacks against junior employees where the attacker impersonates a senior authority (for example, the CEO) or other high-level colleagues. They then pressure the reader into taking unauthorized actions. 

    What is phishing?

    Regular phishing campaigns cast a broad net, whereas spear phishing emails are a more targeted approach to cybercrime.

    However, that doesn’t make regular phishing emails any less of a threat.

    Phishers commonly spread their scams over email, though they may target random individuals over phone calls (“vishing” ) or text messages (“smishing”). Phishing is a volume play. Out of thousands and thousands of attempts, at least one will be successful.

    However, unlike spear-phishing attackers, everyday scammers use impersonal but urgent language to manipulate readers into downloading a malicious attachment, clicking an unsafe link, or disclosing private information such as credit card details or login credentials.  

    how phishing works flowchart

    Phishing can happen in many different ways, including:

    • Vishing: Phishing over phone calls, including Voice over IP (VoIP) calls, where caller ID is trivially spoofed.
    • Smishing: Phishing over text messages, also known as SMS phishing. Just as with computers, hackers can infect phones with malware.
    • Business email compromise (BEC): Attackers use a spoofed or compromised business email account to request payments, payroll changes, or data from someone who trusts that account.
    • Wire transfer phishing: This form of phishing is geared towards bank transfers to fraudulent entities.

    Difference between spear phishing vs phishing

    While spear phishing and phishing share a lot in common, they both threaten your business with different risks—and the security measures you take to defend against them differ. Here’s an at-a-glance list of differences between spear phishing and standard phishing:

    phishing vs spearphishing examples

    1. Attack style

    • Spear Phishing: Think of spear phishing as a skilled fisher with a single line, selecting the perfect bait for a specific fish. The angler studies the fish’s habits, preferences, and environment, ensuring the lure works. This precise approach makes the catch more likely and harder for the fish to recognize as a trap.
    • Phishing: On the other hand, standard phishing is like a large fishing trawler casting a wide net into the ocean. The goal is to capture as many fish as possible, without concern for the type or quality of the catch. This method is about quantity, not quality.

    2. Personalization

    • Spear Phishing: Cybercriminals spend time understanding their target’s habits, relationships, and interests. They craft personalized messages that appear legitimate and relevant to the recipient, making the deception much more convincing.
    • Phishing: Standard phishing emails lack this level of personalization. They are typically generic and sent to large groups of people. The messages might include common phrases like “Your account has been compromised” or “You’ve won a prize,” which can be easily spotted by savvy users.

    3. Urgency

    • Spear Phishing: These attacks often build a sense of trust over time, making the recipient feel comfortable and less suspicious. The attacker might not immediately ask for sensitive information but instead gradually gain the victim’s confidence before striking.
    • Phishing: Urgency is a common tactic in standard phishing. The emails often create a sense of immediate action required, such as “Click here to update your password immediately” or “Your account will be locked if you don’t respond within 24 hours.” This urgency is designed to make victims act quickly without thinking.

    4. Purpose

    • Spear Phishing: The goals are usually more specific and high-stakes. Attackers might be after confidential company information, financial details, or access to specific systems. They often target high-ranking executives, finance departments, or individuals with access to valuable data.
    • Phishing: The objectives are broader and usually aim to collect a range of information from a wide audience. Attackers might be looking for login credentials, credit card numbers, or personal information that can be sold or used in further attacks.

    5. Prevention

    • Spear Phishing: Because of its targeted nature, spear phishing can be more challenging to detect with traditional security measures. It requires more sophisticated defense strategies, such as advanced threat detection systems, employee training, and strict verification processes for sensitive requests.
    • Phishing: Standard phishing can often be caught by spam filters and basic email security tools. However, user education and awareness are still important because some phishing attempts can slip through these defenses.

    | Aspect | Regular phishing | Spear phishing |
    | --- | --- | --- |
    | Target approach | Casts a wide net: sends thousands of emails hoping someone bites | Precise targeting: like a skilled angler choosing the perfect lure for a specific fish |
    | Research effort | Minimal to none: uses generic templates and messaging | Extensive: studies the target’s behavior, connections, and preferences |
    | Message style | Generic greetings (“Dear Sir/Madam”) and cookie-cutter content | Personalized content with accurate details about the target’s life or work |
    | Time investment | Quick setup, automated sending | Days or weeks of preparation for a single attack |
    | Success rate | Low per email, but volume makes up for it | Much higher due to careful targeting and personalization |

    7 tips to protect from spear phishing & phishing

    It takes just one act to infect a computer and potentially compromise an entire organization. Fortunately, the right tools and information can thwart even the most invasive attacks. Here are a few simple steps you can take today to prevent phishing attacks of all kinds.

    1. Encrypt your data

    If a device or data store is stolen, encryption at rest ensures the attacker cannot read or use the data without the keys. It does not stop malware running on an unlocked device, so pair it with the other steps here.

    2. Use multi-factor authentication 

    Multi-factor authentication is one of the best ways to limit the damage when a password is phished: the attacker still needs the second factor. It is not absolute, since one-time codes and push prompts can be relayed or fatigued in real time, so prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) for administrators and finance staff.

    3. Authenticate your email

    This best practice is meant to prevent the primary way credentials are stolen. You can authenticate your email through various methods, such as configuring DMARC, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).

    Want to get visibility into the bad senders using your domain? Valimail Monitor identifies all of your senders by name, rather than IP address. This way, you can ensure only authorized senders can utilize your domain.

    4. Never open a suspicious email attachment

    One malicious link or attachment has the power to lock you out of your device, steal sensitive data, and delete critical files. For these reasons, scrutinize any suspicious or even unexpected email before opening what it carries.

    Though you may recognize the sender, it never hurts to double-check with them before opening an email attachment.

    5. Keep software current and updated

    By enabling automatic updates on all applications and operating systems, users are far less likely to be compromised by the exploits that phishing lures deliver, which usually target vulnerabilities for which a patch already exists.

    6. Use strong passwords and regularly update them

    Hackers can crack 90% of all passwords in just under six hours. Most people use recycled passwords at home and in the workplace, which poses a serious security risk.

    Fortunately, users can deter cybercriminals by developing strong password habits and tools like password managers.

    7. Stay up to date and follow best practices 

    Given the right incentives, anyone can fall prey to a phishing attack. Sharpen cybersecurity know-how with regular security training sessions and briefings. Make sure to regularly check the newest best practices as phishing tactics continuously evolve.

    How DMARC safeguards your entire business

    Organizations are strongly encouraged to implement DMARC, and the tooling around it, to fortify their defenses against domain spoofing.

    Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the gold standard for strong email authentication. It ensures that only authorized senders can send emails using your domain and restricts unauthorized users from malicious acts such as email spoofing, phishing, and spear phishing. It’s so important that multiple federal governments, including the US, UK, and Germany, require it for all government emails.

    DMARC builds on SPF and DKIM: a message passes when at least one of them passes and the domain it validates aligns with the visible From address. As a domain owner, you want recipients to see only mail you sent or authorized, and DMARC at enforcement (p=quarantine or p=reject) is the most effective way to stop exact-domain spoofing. It does not, by itself, address lookalike domains or compromised accounts, so pair it with the measures above.

    how a dmarc policy works

    Bonus: Not only do DMARC solutions safeguard your email activity, but they can positively impact your organization’s reputation and brand. DMARC effectively protects your brand by thwarting unauthorized parties from sending malicious emails, preserving your brand’s voice and integrity.

    Additionally, DMARC reports provide increased visibility and transparency into your email activity. This level of visibility allows you to identify and further prevent any suspicious acts.

    Curious what your domain’s DMARC status is? Use Valimail’s free domain checker to get a baseline of your phishing protection:

    Protect your business from phishing with Valimail

    Both regular phishing and spear phishing campaigns have the power to damage an organization’s credibility. The right email security can avert phishing attacks with simple protocols.

    At Valimail, we provide automated DMARC configuration for organizations of all sizes, boosting deliverability rates and protecting brand integrity from spoofed emails. Valimail optimizes DMARC enforcement so organizations can rest assured, knowing only authorized senders can reach out to customers, partners, and employees. 

    Thanks to our user-friendly authorization tools, DNS configuration requires little to no technical expertise. Just set your authorization once and keep your domain secure forever.

    In addition to added security, our easy-to-use platform provides detailed analytics and rich, real-time supplemental data to help you get the outreach you need. Protect yourself with Valimail. We’ve blocked over 8.6 billion bad actors and we get you to DMARC enforcement 4x faster than legacy DMARC vendors and 8x faster than DIY so your email is protected.

    Frequently asked questions about spear phishing vs phishing

    Is spear phishing more dangerous than regular phishing?

    Yes. Spear phishing is more dangerous because it’s highly targeted and personalized. Attackers research their victims, often through social media or company websites, and craft convincing emails that appear to come from trusted colleagues or executives. This precision makes spear phishing harder to detect and more likely to succeed compared to broad, generic phishing campaigns.

    Can phishing and spear phishing use the same tactics?

    They can, but the scale and intent differ. Both may use fake login pages, malicious links, or spoofed email addresses. The difference is that phishing casts a wide net, while spear phishing tailors these tactics to a specific person or organization. Think of it as the difference between a mass ad campaign and a personalized con job.

    How can I tell if I’m being targeted by spear phishing instead of regular phishing?

    Watch for context clues. Spear phishing emails often:

    • Use your name, title, or department
    • Reference current projects or colleagues
    • Come from look-alike domains or hijacked accounts
    • Request sensitive actions, like payments or credentials

    If an email feels “too specific to be spam,” treat it as a possible spear-phishing attempt and verify it out-of-band (a call to a number you already have, or a new message to the address in your directory, never a reply) before responding.

    How quickly can I detect a phishing attack?

    You can spot most phishing attempts within seconds if you know what to look for. Warning signs include unexpected urgency, generic greetings, spelling errors, and email addresses that don’t quite match the legitimate company. However, sophisticated attacks might take longer to identify.

    Pro tip: hover over links (don’t click!) to preview the URL and check whether the real hostname, not the link text, belongs to the supposed sender’s domain.
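    As an added example (not from the original post), the check below automates the hover test: it parses a constructed HTML email, pulls every link, and flags targets whose real host differs from the domain shown in the link text or from the sender’s domain, plus raw-IP and punycode hosts. example.com and the look-alike login-portal.net are placeholders, and the “registrable domain” helper is a deliberate two-label shortcut rather than a public suffix list lookup.

```python
"""Flag links in an email whose real destination differs from what the reader sees.

Added example, not from the original post. The message below is constructed;
example.com and login-portal.net are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude last-two-labels base domain; a real tool would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(raw_message: str) -> List[str]:
    """Return warnings for links whose target does not match the sender's
    domain or the domain displayed in the anchor text."""
    msg = message_from_string(raw_message)
    sender_domain = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _AnchorCollector()
    collector.feed(body)

    warnings: List[str] = []
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https") or not host:
            warnings.append(f"non-web link target: {href!r}")
            continue
        # Heuristic: visible text that looks like a URL/domain but points elsewhere.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            warnings.append(f"link text shows {shown.group(1)} but goes to {host}")
        # Target on a different base domain than the claimed sender.
        if registrable(host) != sender_domain:
            warnings.append(f"link to {host} does not belong to sender domain {sender_domain}")
        # Raw IP or punycode hosts are common phishing tells.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) or host.startswith("xn--"):
            warnings.append(f"link host is a raw IP or punycode name: {host}")
    return warnings


# Constructed sample: displayed URL and sender say example.com, the href does not.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires in 24 hours.</p>
<p><a href="https://example-com.login-portal.net/reset">https://example.com/reset</a></p>
<p><a href="https://example.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for warning in suspicious_links(SAMPLE_EMAIL):
        print("WARN:", warning)
```

    The first link produces two warnings (text says example.com, target is login-portal.net, and that is not the sender’s domain); the genuine help link produces none. A mail gateway rule doing the same comparison is a cheap first filter for spear-phishing lures that rely on look-alike hosts.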

    What should I do if I clicked on a phishing link?

    Don’t panic, but act fast. Here’s what to do immediately:

    1. Disconnect your device from the internet to prevent malware spread
    2. Change passwords for any accounts you logged into after clicking the link, ideally from a different device you trust
    3. Run a full antivirus scan
    4. Monitor your accounts for suspicious activity
    5. Report the incident to your IT team if it happened at work
    6. Contact your bank if you entered financial information

    How do I report phishing attempts?

    At work: Forward the suspicious email to your IT security team and delete it from your inbox. Never forward phishing emails to other colleagues.

    Personal email: Forward phishing attempts to:

    • Google (Gmail): phishing@gmail.com
    • Microsoft: phish@office365.microsoft.com
    • UK government (NCSC): report@phishing.gov.uk
    • Anti-Phishing Working Group: reportphishing@apwg.org

    Also report to the supposed sender’s company through their official website (not via email).

    Can phishing attacks bypass 2FA?

    While two-factor authentication (2FA) makes phishing much harder, determined attackers can still get around it. Adversary-in-the-middle phishing kits proxy the real login page, relay your one-time code before it expires, and then steal the session cookie the site issues; push-based MFA can be worn down with repeated prompts; and plain social engineering can talk a victim into reading out a code. Phishing-resistant factors (FIDO2/WebAuthn security keys and passkeys) defeat the relay, because the authenticator signs the origin it actually sees and a signature for a look-alike domain is worthless at the real one. That’s why it’s crucial to combine 2FA with other security measures like DMARC and employee training.

    The post Phishing vs. spear phishing: Why one attack is getting harder to catch (2025 update) first appeared on Valimail.

    ]]>
    Is hosted DMARC worth it? Pros, cons, and when to use it vs managing it on your own https://www.valimail.com/blog/hosted-dmarc/ Thu, 23 Oct 2025 16:00:00 +0000 https://www.valimail.com/?p=11371 Find out what hosted DMARC is, when your business should use it, and whether it’s a worthwhile investment to strengthen your organization’s email security.

    The post Is hosted DMARC worth it? Pros, cons, and when to use it vs managing it on your own first appeared on Valimail.

    ]]>
    Without email authentication, your email domain is probably getting spoofed right now. Seriously. It’s probably happening (or trying to happen) as you read this. And while everybody’s talking about AI and the latest security trends, they’re missing the fundamentals: like making sure someone can’t pretend to be you in an email.

    We won’t beat around the bush. Implementing DMARC all on your own can be complicated and frustrating. The DNS records, the reporting, the implementation—it’s a lot. You’ve got a business to run, and you’re probably thinking: “Do I really need to learn another technical thing?” 

    The answer is no, you don’t. That’s where hosted DMARC comes in.

    Email authentication isn’t sexy, but it’s the infrastructure that keeps your brand’s reputation intact. When someone can send emails pretending to be your company, that’s game over for trust. And trust is the ultimate currency in business.

    Below, we’ll walk you through everything you need to know about hosted DMARC: what it is, what it does, when you should use it, and if it’s worth your hard-earned money. 

    What is hosted DMARC?

    Hosted DMARC is a managed service that handles the implementation, monitoring, and maintenance of your DMARC email authentication policy. It eliminates all the technical complexity while protecting your domain from email spoofing and impersonation attacks.

    We know you don’t wake up thinking about email authentication. Nobody does (except maybe us). Still, here’s the deal: if you’re sending emails, you need DMARC. 

    It’s what tells receiving mail servers, “Hey, this is actually coming from my company, not some scammer.” Unfortunately, setting up DMARC yourself is like trying to build your own car…yes, technically possible, but why put yourself through that pain?

    Hosted DMARC takes all the technical work off your plate. Instead of you figuring out SPF records, DKIM signatures, and parsing those impossible-to-read XML reports, a service handles it for you. You get a dashboard, actionable insights, and someone else deals with the DNS headaches and that frustrating 10 DNS lookup limit that makes traditional DMARC implementation a nightmare.

    Think about it like this: You wouldn’t try to be your own lawyer or accountant if you’re running a serious business. The same principle applies here. Email authentication is a specialized skill, and hosted DMARC gives you access to that expertise without having to become an expert yourself.

    The real value isn’t just saving time, though. It’s getting it right the first time. Because when DMARC goes wrong, your legitimate emails stop reaching people. And nothing kills your business faster than customers not getting your messages because you messed up some technical implementation.

    Want to see where you stand? Start with Valimail Monitor: our free solution that checks your current email authentication status and shows you exactly what needs fixing. No strings attached.

    The real-world problems hosted DMARC solves

    Most companies are just one major spoofing attack away from serious damage to their brand. And when that happens, having “we were planning to get around to DMARC eventually” as your explanation isn’t going to cut it with your customers or your board.

    Email security is all about preventing actual attacks that target your business every single day. Hosted DMARC solves specific problems that are costing companies millions and destroying brand trust:

    • Domain impersonation attacks: When criminals send emails that look exactly like they’re from your company, tricking your customers, partners, and employees into giving up money or sensitive information.
    • Technical complexity overload: DMARC implementation involves multiple technical components (SPF, DKIM, DNS records) that require specific expertise and constant maintenance (expertise most IT teams simply don’t have time to learn).
    • The notorious 10 DNS lookup limit: SPF evaluation must not exceed 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect) across the record and everything it includes. Exceed it and receivers return permerror, which DMARC treats as anything but a pass. Companies with multiple email service providers, marketing tools, and cloud services hit this ceiling fast.
    • Report analysis paralysis: DMARC generates complex XML reports that are practically unreadable without specialized solutions.
    • Visibility gaps: Without proper monitoring, you have no idea who’s legitimately sending email using your domain versus who’s trying to impersonate you.
    • False positives: Incorrectly implemented DMARC policies can accidentally block your legitimate emails, destroying your deliverability and costing you business opportunities.
    • Compliance headaches: Many industries now require email authentication as part of regulatory compliance with real consequences for failing to implement proper protection.
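    To see how quickly the lookup limit is hit, here is an added example (not Valimail’s Instant SPF) that counts the DNS-querying terms an SPF record triggers, following include: and redirect= chains the way a receiver does. DNS is replaced with a constructed in-memory table so it runs offline; the domains, netblocks and the three-level provider include tree are placeholders, not any real provider’s records.

```python
"""Count the DNS lookups an SPF record triggers, following includes and redirects.

Added example, not Valimail code. DNS is simulated with a constructed table of
TXT records so the script runs offline; every domain and netblock is a placeholder.
"""
from typing import Dict, Tuple

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup, and the
# total across the whole evaluation (including nested includes) must not exceed 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10

# Constructed zone data standing in for live TXT queries.
FAKE_DNS: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.mail-provider.example include:mailer.example.net "
                   "include:crm.example.org include:helpdesk.example.org ~all",
    "_spf.mail-provider.example": "v=spf1 include:_netblocks1.mail-provider.example "
                                  "include:_netblocks2.mail-provider.example "
                                  "include:_netblocks3.mail-provider.example ~all",
    "_netblocks1.mail-provider.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mail-provider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.mail-provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailer.example.net": "v=spf1 a mx ip4:203.0.113.0/24 -all",
    "crm.example.org": "v=spf1 include:spf.crm-vendor.example -all",
    "spf.crm-vendor.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "helpdesk.example.org": "v=spf1 a -all",
}


def _term_name(term: str) -> Tuple[str, str]:
    """Strip the qualifier (+ - ~ ?) and split 'include:x' / 'redirect=x' / 'a/24'."""
    term = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        if sep in term:
            name, arg = term.split(sep, 1)
            return name.lower(), arg
    return term.lower(), ""


def count_lookups(domain: str, dns: Dict[str, str] = FAKE_DNS,
                  path: Tuple[str, ...] = ()) -> int:
    """Return the number of DNS-querying terms reachable from domain's SPF record.

    An include:/redirect= costs one lookup itself, then everything inside the
    referenced record is added, which is exactly how a receiver evaluates it.
    The path guards against include loops, which are a permerror on their own."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        name, arg = _term_name(term)
        if name not in LOOKUP_MECHANISMS:
            continue  # ip4/ip6/all do not query DNS
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, dns, path + (domain,))
    return total


def check_limit(domain: str, dns: Dict[str, str] = FAKE_DNS) -> Tuple[int, bool]:
    """Return (lookups, within_limit) for the domain's SPF record."""
    n = count_lookups(domain, dns)
    return n, n <= LIMIT


if __name__ == "__main__":
    n, ok = check_limit("example.com")
    print(f"example.com: {n} DNS lookups, {'OK' if ok else 'PERMERROR (over 10)'}")
```

    The constructed example.com record looks harmless at a glance (one mx and four includes), yet it resolves to 12 lookups once the nested includes are counted, so receivers would return permerror and the SPF leg of DMARC would never pass. Swap the table for live TXT queries to audit your own domain.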

    Who actually needs hosted DMARC?

    Not everyone needs hosted DMARC. If you’re a tiny business with simple email needs and someone on your team who actually understands email authentication, DIY might work. But that’s not the case with a lot of businesses.

    You absolutely need hosted DMARC if you’re running a complex email ecosystem. We’re talking about companies using multiple email service providers, marketing automation tools, CRM systems, support ticketing systems—all sending emails on your behalf. That 10 DNS lookup limit in SPF becomes your biggest problem, and hosted DMARC providers have built solutions specifically to solve this.

    Organizations with limited technical resources are prime candidates, too. Your IT team is already stretched thin handling every other tech crisis that pops up. They don’t have time to become email authentication experts, monitor DMARC reports daily, and constantly update records as your email infrastructure changes. 

    Think about: When was the last time anyone at your company looked at a DMARC report? Exactly.

    If your business depends heavily on email communication, you can’t afford to get this wrong. Financial services, healthcare, e-commerce and retail, SaaS companies: when your emails stop delivering because of a DMARC misconfiguration, you’re losing real money every minute until it’s fixed. Hosted DMARC gives you experts on call who’ve seen every possible implementation issue and can fix problems fast.

    Companies with compliance requirements need this too. DMARC is increasingly showing up in regulatory frameworks and security compliance checklists. Having a managed solution means you can actually prove you’re following best practices when the auditors come asking.

    If you’ve tried the DIY approach and failed (which happens way more often than people admit), it’s time to get help. Email authentication isn’t getting any simpler, and the scammers aren’t taking a day off. Sometimes the smartest business decision is knowing when to bring in specialists.

    The pros and cons of hosted DMARC

    There’s rarely a one-size-fits-all solution for everyone. Hosted DMARC has some advantages and disadvantages that you need to know before making the investment:

    Pros

    • Expertise on demand: You get access to specialists who live and breathe email authentication all day, every day. There’s no need to develop this specialized knowledge in-house.
    • Time savings: Implementation that might take your team months can be completed in days or weeks. Valimail gets you to DMARC enforcement 4x faster than other vendors, and 8x faster than doing it on your own.
    • Advanced reporting: Hosted solutions transform unreadable XML reports into actionable dashboards that actually show you who’s sending email as your domain.
    • Scalability: Hosted DMARC solutions handle the scaling challenges without you having to redesign your authentication approach.
    • Ongoing maintenance: Email sending services change and new marketing tools get added, but hosted solutions automatically adjust your authentication to accommodate these changes.
    • Technical workarounds: Hosted providers have specialized solutions to overcome problems like 10 DNS lookup limits in SPF. Valimail’s Instant SPF® is a patented macro that provides a foolproof workaround to the DNS lookup limit.
    • Support when things break: When legitimate emails stop delivering (and at some point, they will), you have experts to call who can diagnose and fix issues quickly.

    Cons

    • Subscription costs: You’re paying monthly or annually for something you could technically do yourself.
    • Integration requirements: Some solutions require changes to your email sending infrastructure that might be challenging to implement in certain environments.
    • Varying levels of service: Not all hosted DMARC providers are created equal. Some offer bare-bones services while others provide full management, hands-on service, and consulting.
    • Learning curve: You still have some minimal responsibilities. It’s not a lot, but there’s still some knowledge required to use these platforms effectively.

Ultimately, you can do DMARC yourself. That’s not the question. The question is whether that’s the best use of your limited time and resources.

    How to know if hosted DMARC is worth the investment

Let’s start with the real cost of doing nothing. What happens if someone impersonates your domain and successfully phishes your customers or employees? The financial impact goes beyond direct fraud to include brand damage, lost customer trust, and potential regulatory fines.

    One successful phishing attack can cost more than many, many years of hosted DMARC service.

    Now look at your current resource allocation. How many hours is your team currently spending on email authentication? DIY isn’t free if it’s consuming valuable IT resources that could be focused on revenue-generating projects. Sometimes the most expensive solution is the one that eats up your team’s time.

    Your email complexity matters, too. The more email senders you have (marketing platforms, CRM, support tools, etc.), the more value you’ll get from hosted DMARC. If you’re sending from more than 3-4 services, the complexity multiplies rapidly, and hosted solutions start making a lot more sense.

Be honest about your technical capabilities. Does your team have the expertise to implement and maintain DMARC correctly? Remember, mistakes don’t just mean incomplete protection—they can break your email delivery entirely. When essential business emails stop reaching customers because of a misconfiguration, that downtime has a real cost.

    Compliance requirements can tip the scales. If you’re subject to regulations that mandate email authentication (increasingly common), the cost of non-compliance might far exceed the investment in a hosted solution. Having a managed service gives you documentation and proof of best practices when the auditors come.

    The question isn’t “Can we afford hosted DMARC?” but rather “Can we afford the consequences of getting email authentication wrong?” For most growing businesses sending important emails, that answer is pretty obvious.

    Take the stress out of email authentication

    Email security shouldn’t be a never-ending headache. You can keep wrestling with DIY DMARC—or you can talk to someone who solves these problems every day.

    “In addition to their exceptional technology, Valimail’s customer support team deserves special mention. They have been responsive, knowledgeable, and highly professional in every interaction. Whether it was resolving technical queries or providing guidance on best practices, their team has consistently gone above and beyond to ensure our satisfaction.”

    Lucas Ferreira Cunha, Chief Executive Officer (CEO) at Woffice

    If your email setup is complex, messy, or just not working the way it should, we’ve got you.

Schedule a free 1:1 session with a DMARC expert: no pressure, no sales pitch, just real help.

Do I need to receive DMARC emails? Why they’re crucial
https://www.valimail.com/blog/receive-dmarc-email-reports/ (Mon, 20 Oct 2025 16:00:00 +0000; https://www.valimail.com/?p=9525)

Why do I need to receive all these DMARC emails? Find out why your inbox is flooded with valuable DMARC reports and discover an easier way to parse through them.

    Protecting your email domain from phishing and spoofing becomes increasingly important as email attacks become more common. In fact, $50.5 billion has been lost to business email compromise (BEC) worldwide in the last decade.

That’s why the question “Do I need to receive DMARC emails?” matters more than you might think.

    DMARC is a key email authentication protocol that can secure your domain and protect against attacks. However, implementing DMARC enforcement is just one piece of the puzzle. You also need the visibility and insight provided by DMARC email reports. Why are you receiving these DMARC email reports? They provide essential insights into your domain’s email authentication status and help you maintain a secure domain.

    This post breaks it all down: What DMARC reports are, why they matter, and how to turn them into a powerful layer of your email security strategy.

    What is DMARC?

    Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that allows brands, organizations, and companies to protect their email domains against phishing and spoofing.

    While reporting is an optional component of the DMARC specification, we strongly recommend implementing and utilizing DMARC reporting. DMARC emails, also known as DMARC report emails, provide extremely valuable data necessary to manage email authentication and domain protection against phishing and spoofing.

    DMARC works hand in hand with email authentication protocols Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to help you monitor for full compliance with email authentication requirements.

    What is a DMARC report?

    Requesting DMARC reporting is something that a domain owner does when configuring their DMARC record. A DMARC record is a simple TXT record in DNS that begins by explaining what policy inbox providers should apply to unauthenticated email messages (none, quarantine, or reject), but also allows for additional, optional settings, including settings related to DMARC reporting. In the DMARC record, the domain owner includes a tag called “RUA” along with an email address meant to receive any DMARC reports that are sent by mailbox providers.


When evaluating inbound email messages, many inbox providers look for this “RUA” tag in a domain’s DMARC record; its presence tells them that the domain owner wishes to receive aggregate DMARC reports.

    The reporting helps you track both legitimate and illegitimate email sources for your domain. With this reporting, you can see what sources and services are sending (or attempting to send) emails using your domain name. You can map out who’s trying to spoof your domain, what country they’re from, how much mail they seem to be trying to send, and what mail is being delivered.

    These DMARC reports are sent via email by different inbox providers (like Google and Microsoft) and are specially formatted in Extensible Markup Language (XML) for easy handling by automated software.

    These reports only come if:

    • You’ve published a DMARC record in your DNS, and
    • That record includes the RUA tag, specifying where to send reports

    DMARC reports include:

    • Sending IP address
    • DKIM/SPF pass/fail results
    • Number of messages sent
    • Which domains or services sent them
    • Whether they were aligned with your domain’s authentication policies

    Why are you receiving these DMARC reports?

    Short answer: Because you asked for them and because they’re incredibly useful.

    Here’s what you can learn from them:

    • Are legitimate services properly authenticating? DMARC reports show you if trusted services like Salesforce or Mailchimp are misconfigured.
    • Is someone spoofing your domain? If an unknown IP is trying to send on your behalf, the report will show it.
    • How effective is your enforcement policy? These reports help validate whether your p=quarantine or p=reject policy is working as intended.

    Without this visibility, you’re flying blind. And that’s risky.

    Why do I need to receive these DMARC email reports? 

    So, do you need to receive DMARC report emails? The short answer is yes.

    It’s important to receive and review the data provided by DMARC reports so that you don’t make decisions regarding email authentication and domain protection blindly. You don’t want to accidentally tell inbox providers to reject mail that you consider legitimate.

    Reporting helps you identify legitimate email sources that might not have email authentication properly configured, as well as giving you insight into where the phishing and spoofing are originating from (and whether or not any phishing or spoofing of your email domain is taking place).

DMARC reports are only sent for a domain whose DMARC record indicates that feedback reporting is requested and specifies who should receive these DMARC email reports. The data covers messages seen by the receiver whose From: address uses the domain that published the DMARC record, allowing you to review email activity for your domain.

    What do these DMARC reports tell me? 

    The DMARC aggregate reports differ from DMARC failure reports (which we don’t recommend) and contain no personal data or PII. The data in these reports is General Data Protection Regulation (GDPR) compliant. DMARC report emails primarily provide seemingly simple bits of information:

    • Your domain name
    • Date range
• Number of messages attempted
    • IP of servers sending emails
    • DNS name of the sending server
    • DKIM key information
    • Whether or not messages passed or failed SPF and DKIM email authentication checks

    DMARC report emails also contain additional information, highlighting the DMARC settings for your domain when the report was generated.
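To make the report fields listed above concrete, here is an added example (not Valimail’s code) that parses an aggregate report in the standard XML format and summarizes it per sending IP. SAMPLE_REPORT is a constructed document: the reporter name, IP addresses, selector and message counts are made up for illustration.

```python
"""Parse a DMARC aggregate (rua) report and summarize it per sending source.

Added example, not Valimail's code. SAMPLE_REPORT is a constructed XML
document in the RFC 7489 aggregate-report format; every value in it is
made up for illustration.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example-mailbox-provider</org_name>
    <report_id>constructed-report-001</report_id>
    <date_range><begin>1736467200</begin><end>1736553600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>exampledomain1.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>exampledomain1.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>exampledomain1.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>exampledomain1.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated>
        <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>exampledomain1.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return the published policy and one dict per <record> in the report."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    published = root.find("policy_published")
    report = {
        "reporter": meta.findtext("org_name"),
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "rows": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the *aligned* results DMARC actually uses
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # auth_results holds the raw checks, which may pass for another domain
            "spf_raw_pass": rec.findtext("auth_results/spf/result") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return report


def summarize(report):
    """Per source IP: messages passing DMARC (either aligned identifier passed),
    messages failing it, and how many the receiver actually rejected."""
    summary = {}
    for row in report["rows"]:
        entry = summary.setdefault(row["source_ip"], {"pass": 0, "fail": 0, "rejected": 0})
        entry["pass" if row["dkim_aligned"] or row["spf_aligned"] else "fail"] += row["count"]
        if row["disposition"] == "reject":
            entry["rejected"] += row["count"]
    return summary


def unaligned_senders(report):
    """Sources whose SPF passed only for some other domain: usually a third-party
    service sending with its own Return-Path that still needs DKIM for your domain."""
    return sorted({(r["source_ip"], r["spf_domain"]) for r in report["rows"]
                   if r["spf_raw_pass"] and not r["spf_aligned"] and not r["dkim_aligned"]})


if __name__ == "__main__":
    rpt = parse_report(SAMPLE_REPORT)
    print(f"{rpt['reporter']} report for {rpt['domain']} (p={rpt['policy']})")
    for ip, counts in summarize(rpt).items():
        print(f"  {ip}: {counts}")
    for ip, domain in unaligned_senders(rpt):
        print(f"  {ip} passes SPF only as {domain}: unaligned, check its DKIM setup")
```

The second record is the case to look for in real reports: SPF passed, but for the sender’s own domain, so the message still failed DMARC and was rejected under p=reject.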

    If you haven’t received these DMARC email reports yet and want to see the status of your domain, use our free domain checker.


    Analyze DMARC reports with Valimail

    Want to actually see what your DMARC reports are saying without spending hours with XML reports?

    Valimail Monitor gives you a clear view into who’s sending email on your behalf without a complicated setup or configuration. It’s 100% free and typically starts showing useful insights in under 24 hours.

    With Monitor, you can:

    • View your domain’s sending services in a user-friendly dashboard
    • Identify authentication gaps and sources of spoofing
    • Build a path toward enforcement confidently, based on real data

    FAQs about receiving DMARC reports

    Q: What’s the difference between aggregate and forensic DMARC reports?

    Aggregate reports (RUA) provide summary data about email activity and authentication outcomes. Forensic reports (RUF) include more detailed message-level data but often raise privacy concerns. Most organizations stick to aggregate reports — and we recommend it.

    Q: Do I need special software to read DMARC reports?

While it’s not required, software will make it much easier to parse the XML format. Solutions like Valimail Enforce turn this raw data into readable dashboards and insights.

    Q: What happens if I ignore my DMARC reports?

    You risk misconfigurations going unnoticed, which could mean legitimate email gets rejected, or spoofing attacks go undetected. Monitoring DMARC reports is the only way to safely move to enforcement and maintain domain integrity.

MTA-STS policy missing? Here’s how to fix it
https://www.valimail.com/blog/mta-sts-policy-missing/ (Thu, 16 Oct 2025 16:00:00 +0000; https://www.valimail.com/?p=11351)

Troubleshoot MTA-STS policy missing errors with our complete guide. Learn how to diagnose, fix, and prevent these email security issues.

    You’re running email security checks on your domain, feeling pretty good about your DMARC setup, when suddenly you get hit with this error message: “MTA-STS policy is missing: STSFetchResult.NONE.”

    Great. Another cryptic email authentication error to decode.

    This warning is your email system saying it went looking for your MTA-STS policy file and couldn’t find it anywhere. MTA-STS (Mail Transfer Agent Strict Transport Security) is the protocol that guarantees your incoming emails use encrypted TLS connections instead of being sent in plain text where anyone can read them.

    When MTA-STS is working correctly, it forces sending email servers to establish secure, encrypted connections before delivering messages to your domain. When it’s missing or broken, those same servers might fall back to unencrypted connections, leaving your email communications vulnerable to interception.

    The “policy is missing” error typically means there’s a disconnect somewhere between your DNS configuration and the actual policy file that other email servers need to access:

    • Your DNS might be pointing to the wrong location
    • Your web server might not be serving the file properly
    • The policy file itself could have formatting issues

    Don’t panic. This error is completely fixable once you know what to look for. We’ll walk you through the most common causes of missing MTA-STS policies and show you exactly how to diagnose and resolve each one.

    What is MTA-STS policy?

    MTA-STS (Mail Transfer Agent Strict Transport Security) is an email security protocol that forces incoming messages to your domain to use encrypted TLS connections. It’s basically HTTPS for email—it prevents your messages from being sent over insecure, unencrypted channels where they can be intercepted or tampered with.

    The original SMTP protocol was built without security in mind. While the STARTTLS command was added later to enable encryption, it’s completely optional. Worse, it’s vulnerable to downgrade attacks where malicious actors can strip out the encryption request and force emails to be sent in plain text.

    MTA-STS removes this vulnerability by creating a published policy that tells sending email servers, “you must use TLS encryption to deliver mail to this domain.” No exceptions, no fallbacks to unencrypted connections.

    The policy itself is a simple text file that specifies which mail servers are authorized to receive email for your domain and what security requirements they must meet. It includes directives like which TLS version to use (1.2 or higher), which mail exchange servers are legitimate, and how long the policy should be cached.

For the policy to work, you need two components:

1. A DNS TXT record that announces your domain supports MTA-STS
2. The actual policy file hosted on your web server where other email systems can retrieve it

    When both pieces are in place and configured correctly, incoming emails to your domain get an extra layer of transport security that prevents eavesdropping and man-in-the-middle attacks.

    The “MTA-STS policy is missing” error

    The “MTA-STS policy is missing” error happens when an email server tries to retrieve your MTA-STS policy file and gets nothing back. It’s not finding a broken policy or a misconfigured one—it’s finding zero evidence that a policy exists at all.

    Here’s how the discovery process is supposed to work: when an email server wants to send you a message, it first checks your DNS for an _mta-sts TXT record. If it finds one, it then tries to fetch your actual policy file from https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. If either of those steps fails completely, you get the “policy is missing” error.

    This is different from other MTA-STS errors. A misconfigured policy might give you syntax errors or invalid directive warnings. A policy that’s present but has wrong settings might cause TLS connection failures. But “policy is missing” means the requesting server couldn’t even locate your policy file to begin evaluating it.

    The impact varies depending on your policy mode. If you had your MTA-STS set to “enforce” mode before the policy went missing, sending servers that support MTA-STS will start rejecting emails to your domain entirely. If you were using “testing” mode, emails will still get delivered, but you’ll lose the transport security benefits and might see delivery warnings.

    Unfortunately, this error can happen suddenly, even if MTA-STS was working fine before. A DNS change, web server reconfiguration, expired SSL certificate, or simple file permissions issue can make your policy file disappear from the perspective of external email servers (even though everything looks fine from your end).

    Common causes of MTA-STS policy missing errors

    Most errors come down to a handful of predictable problems. The good news is that once you know what breaks, fixing it becomes a lot easier:

    • DNS record problems: Your _mta-sts DNS TXT record might be missing entirely, have syntax errors, or be pointing to the wrong policy version. Sometimes DNS changes take longer to propagate than expected, or the record gets accidentally deleted during other DNS updates. If external servers can’t find this record, they won’t even attempt to fetch your policy file.
    • Subdomain configuration issues: The mta-sts subdomain (like mta-sts.yourdomain.com) needs to exist and resolve properly. If this subdomain isn’t set up in your DNS or is pointing to the wrong server, requests for your policy file will fail before they even reach your web server.
    • Web server hosting problems: Your policy file needs to be accessible via HTTPS at the exact path /.well-known/mta-sts.txt. Web server misconfigurations, incorrect document root settings, or missing directory structures can make the file unreachable even if it exists on your server.
    • SSL/TLS certificate failures: Since MTA-STS policy files must be served over HTTPS, any SSL certificate problems will prevent access. Expired certificates, incomplete certificate chains, or self-signed certificates that aren’t trusted will cause the policy fetch to fail.
    • File location and permissions errors: The policy file might exist but be in the wrong location, have incorrect file permissions that prevent the web server from reading it, or be owned by the wrong user. These are especially common after server migrations or when different teams handle DNS and web hosting.
    • Policy file syntax problems: Syntax errors in your MTA-STS policy file can cause some validators to report it as missing. Incorrect directives, wrong formatting, or encoding issues can make an otherwise accessible file unusable.

    Step-by-step troubleshooting guide

    The best way to fix MTA-STS policy issues is by working through the discovery process in the same order that external email servers do. Start from the DNS level and work your way down to the actual policy file:

    1. Check your DNS TXT record for _mta-sts: Use a DNS lookup tool or command line to verify your _mta-sts record exists and has the right syntax. The record should look something like v=STSv1; id=20240101T000000; and be published at _mta-sts.yourdomain.com. If it’s missing or has syntax errors, external servers will never attempt to fetch your policy file.
    2. Verify the mta-sts subdomain resolves: Test that mta-sts.yourdomain.com actually points to a working server. You can do this with a simple ping or by checking DNS resolution. If this subdomain doesn’t exist or points to the wrong IP address, policy file requests will fail before reaching your web server.
    3. Test HTTPS access to your policy file: Try accessing https://mta-sts.yourdomain.com/.well-known/mta-sts.txt directly in your browser or with curl. You should get a successful HTTPS connection and see your policy file content. SSL certificate errors, 404 responses, or connection timeouts indicate hosting problems.
    4. Validate policy file syntax and content: Once you can access the file, check that it follows proper MTA-STS syntax. Make sure it includes required directives like version: STSv1, mode: testing or mode: enforce, at least one mx: directive, and max_age:. Missing or malformed directives can make validators treat the policy as unusable.
    5. Check web server configuration and permissions: Verify that your web server is configured to serve files from the .well-known directory and that file permissions allow the web server to read your policy file. Common issues include restrictive directory permissions or web server configurations that block access to dotfiles.
    6. Verify certificate validity and chain: Use SSL testing tools to confirm your certificate is valid (not expired) and includes the complete certificate chain. Self-signed certificates or incomplete chains will prevent external servers from trusting your policy file, even if it’s otherwise accessible.
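The six steps above as an added example (not Valimail’s tooling): it checks the _mta-sts TXT record and the policy file body in the same order a sending server does and reports which stage breaks. The record and policy texts are constructed strings; the DNS lookup (step 1) and HTTPS fetch (step 3) are assumed to have been done separately, with a failed fetch modelled as a missing policy.

```python
"""Check an MTA-STS deployment in the order a sending server discovers it:
the _mta-sts DNS TXT record first, then the mta-sts.txt policy body.

Added example, not Valimail's code. Inputs below are constructed; in real
use they come from a DNS lookup of _mta-sts.<yourdomain> and an HTTPS
fetch of https://mta-sts.<yourdomain>/.well-known/mta-sts.txt (RFC 8461).
"""
import re

GOOD_TXT_RECORD = "v=STSv1; id=20240101T000000;"   # constructed
GOOD_POLICY = """version: STSv1
mode: enforce
mx: mail.exampledomain1.com
mx: *.backup-mx.exampledomain1.com
max_age: 604800
"""
BAD_POLICY = """version: STSv1
mode: enforcing
max_age: 1 week
"""


def check_txt_record(txt):
    """Problems with a _mta-sts TXT record (empty list means it is valid)."""
    problems, fields = [], []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed field: {part!r}")
            continue
        key, value = part.split("=", 1)
        fields.append((key.strip(), value.strip()))
    if not fields or fields[0] != ("v", "STSv1"):
        problems.append("record must begin with v=STSv1")
    ids = [v for k, v in fields if k == "id"]
    # id is 1-32 letters/digits; senders only re-fetch the policy when it changes
    if len(ids) != 1 or not re.fullmatch(r"[A-Za-z0-9]{1,32}", ids[0]):
        problems.append("id must be present once and be 1-32 letters or digits")
    return problems


def check_policy(text):
    """Problems with an mta-sts.txt body: version, mode, mx patterns, max_age."""
    problems, keys, mx_hosts = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            problems.append(f"line is not 'key: value': {line!r}")
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx_hosts.append(value)
        else:
            keys[key] = value
    if keys.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if keys.get("mode") not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    if not mx_hosts:
        problems.append("at least one mx: line is required")
    for host in mx_hosts:  # a hostname, optionally with one leading wildcard label
        if not re.fullmatch(r"(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+", host):
            problems.append(f"invalid mx pattern: {host!r}")
    age = keys.get("max_age", "")
    if not age.isdigit() or int(age) > 31557600:
        problems.append("max_age must be a whole number of seconds (at most 31557600)")
    return problems


def diagnose(txt_record, policy_text):
    """Walk the discovery chain and return (stage, problems).
    policy_text=None models a failed HTTPS fetch: the 'policy is missing' case."""
    problems = check_txt_record(txt_record)
    if problems:
        return "dns", problems
    if policy_text is None:
        return "fetch", ["policy file not retrievable over HTTPS"]
    problems = check_policy(policy_text)
    return ("policy", problems) if problems else ("ok", [])


if __name__ == "__main__":
    cases = [("good", GOOD_TXT_RECORD, GOOD_POLICY),
             ("file missing", GOOD_TXT_RECORD, None),
             ("bad policy", GOOD_TXT_RECORD, BAD_POLICY),
             ("bad record", "v=STSv1; id=2024-01-01", GOOD_POLICY)]
    for label, txt, policy in cases:
        print(label, "->", diagnose(txt, policy))
```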

    When to use testing vs enforce mode

    Your MTA-STS policy mode determines what happens when email servers can’t establish secure connections to your domain. Getting this wrong can either leave you vulnerable or block legitimate emails entirely.

    Start with testing mode when you’re first implementing MTA-STS or troubleshooting existing issues. In testing mode, emails still get delivered even if TLS connections fail, but you’ll receive TLS-RPT reports showing which senders had problems. This gives you visibility into potential issues without risking email delivery.

    Use testing mode to identify problems like outdated certificates on your mail servers, senders that don’t support modern TLS versions, or configuration issues with your MX records. Monitor your TLS-RPT reports for several weeks to catch patterns and edge cases.

    Switch to enforce mode only after you’ve confirmed that legitimate email traffic can consistently establish secure connections. In enforce mode, senders that can’t meet your TLS requirements will bounce emails back rather than delivering them insecurely.

    Keep testing mode during major changes like mail server migrations, certificate renewals, or MX record updates. You can always temporarily switch back to testing if you need to troubleshoot new delivery issues without blocking emails.

    Get your email transport security working (and keep it that way)

    Troubleshooting MTA-STS policy errors doesn’t have to become a recurring nightmare. You’ve got the steps to fix what’s broken, but wouldn’t it be nice if this stuff just worked without you having to become a DNS and web server expert?

    Strong email authentication starts with visibility. With Valimail Monitor and Enforce, you can easily publish your MTA-STS and TLS Reporting policies through the Valimail API and begin receiving MTA-STS TLS Reports, all without complex setup or manual monitoring.

    Hosting of MTA-STS is available exclusively to Valimail Enforce users, but TLS Reporting is accessible to all Monitor and Enforce customers, allowing you to start improving your security posture today.

    Gain the insights you need to strengthen your email infrastructure, detect potential delivery issues, and prepare for full enforcement with confidence.

DMARC tags: The only 3 tags you really need (rua, p, and v)
https://www.valimail.com/blog/dmarc-the-only-3-tags-you-really-need/ (Wed, 15 Oct 2025 11:05:00 +0000)

Have you heard of DMARC tags? There are three main ones: rua, p, and v. Learn more about these tags and how they can help you.

    Setting up DMARC shouldn’t feel like decoding a puzzle. And yet, when you look at all the possible tags you could use in a DMARC record, it’s easy to get overwhelmed.

    Here’s the good news: You only need three tags to get a fully functioning, secure DMARC record in place.

    Let’s break it down without the jargon.

    What are DMARC tags?

    DMARC tags are the individual components within a DMARC record. Some are mandatory, while others are optional. Each tag defines a certain aspect of DMARC, such as how to handle email that isn’t authenticated or where to send DMARC aggregate reports.

    The DMARC standard defines several DMARC tags that can be used in a DMARC record. Some of these tags are required, but most are optional, and several of the tag definitions can be a bit confusing.

    In most cases, a well-formed DMARC record needs to include three tags, while the remaining tags can be ignored. Get these three tags right, and you’ll be able to take advantage of the visibility, control, and anti-phishing benefits that DMARC has to offer:

• v – version tag
• p – policy tag
• rua – reporting tag

    Components of a DMARC TXT record

    1. v – version tag

    First, every DMARC TXT record needs to begin with the mandatory v or version tag and the corresponding value of “DMARC1.” It’s the presence of this tag that lets receivers know that this DNS TXT record defines a DMARC policy and should be parsed appropriately.

    2. p – policy tag

    The second tag in a valid DMARC record must be the “p” or policy tag. The “p” tag allows the sending domain to define how a receiver should treat messages purporting to be from this domain (and its subdomains) that fail authentication. It can take one of three values:

    • p=none: The sending domain is in test mode. An email that fails authentication will be reported, but no additional action will be taken. This is a good place to start, but domains at p=none get very few of the benefits of DMARC.
    • p=quarantine: Receivers are asked to quarantine messages that fail authentication. Typically, the message is marked as spam.
    • p=reject: Receivers are asked not to deliver failing messages to the recipient at all. Some receivers honor this request, while other receivers just mark failing messages as spam.

3. rua – reporting tag

The only other tag that generally needs to be included in every DMARC record is the rua tag. The rua tag contains a comma-separated list of mailto: URLs that define where receivers should send aggregate reports.

    Aggregate reports are the method receivers use to give feedback to domain owners on the messages they’re seeing that claim to be from the domain. These reports are zipped XML documents containing aggregated information on the source IP addresses and authentication status for all the messages in a given period (typically a day).

    When properly analyzed by a service like Valimail, these reports can provide the domain owner with a comprehensive view of which servers and third-party services are sending messages on the domain owner’s behalf, as well as any potential abuse of the domain by phishers.

    Without aggregate reports, you’re flying blind. Moving to a p=quarantine or p=reject policy becomes very unsafe because legitimate email may be unknowingly blocked. While including a rua tag is not mandatory from a specification perspective, we recommend including it consistently.

    Sample DMARC records with tags

    For most DMARC records, these values are all you need. A typical TXT record might look like this, where the email address in the rua is replaced with the reporting address for your domain:

[Screenshot: a sample DMARC TXT record showing the v, p, and rua tags]
    
    Curious what your DMARC policy looks like and what tags you've used? Use Valimail's free domain checker to discover your tags:


    Optional DMARC tags

    There are more than three DMARC tags, but those are the only three that are absolutely required to set up your DMARC policy. However, there are other DMARC tags that are optional. You don’t need to include all of these to benefit from DMARC. In fact, using too many too early can create confusion or misconfiguration. While you don’t need to use them, they may be helpful in some instances:

    Tag | Name | Required | Description
    --- | --- | --- | ---
    v | Version | Yes | Must be set to DMARC1 to identify the record as a DMARC policy.
    p | Policy | Yes | Tells receivers what to do with messages that fail DMARC (none, quarantine, or reject).
    rua | Aggregate reports | Yes | Specifies where to send DMARC aggregate reports (mailto: URL). Not technically required, but essential for visibility.
    ruf | Forensic reports | No | Sends detailed (and potentially sensitive) failure reports to a designated address. Rarely used today.
    pct | Percentage | No | Applies policy to only a portion of your messages (e.g., pct=50 applies policy to half of traffic).
    sp | Subdomain policy | No | Defines a different policy for subdomains than the main domain.
    aspf | SPF alignment mode | No | Sets strict or relaxed alignment for SPF (r or s).
    adkim | DKIM alignment mode | No | Sets strict or relaxed alignment for DKIM (r or s).
    fo | Forensic options | No | Controls when forensic reports are sent (used with ruf).
    rf | Report format | No | Specifies format of failure reports (usually left at default: afrf).
    ri | Report interval | No | Suggests how often (in seconds) to send aggregate reports. Most receivers default to 86400 (24 hours).

    For most organizations, the required tags (v, p, and rua) are all you need to:

    • Start receiving feedback
    • Monitor your domain’s mail streams
    • Begin your journey toward full DMARC enforcement

    Advanced tags like aspf, pct, or sp are useful in more complex deployments, but they’re not necessary for a standard DMARC rollout.

    If you’re unsure what to include, keeping it simple is the best path, and Valimail can help you automate and manage this without the guesswork.

    Easily manage your DMARC tags

    Make DMARC simple and safe to enforce.

    Valimail simplifies email authentication. Our platform analyzes your DMARC reports, identifies trusted senders, and guides you step by step toward full enforcement with no broken email and no guesswork.

    Start by signing up for Valimail Monitor to get free visibility into, and easier management of, your DMARC tags.

    Frequently asked questions about DMARC tags

    Q: Should I use ruf for forensic reports?

    In most cases, no. Forensic (ruf) reports are less widely supported, and they may contain sensitive data. Unless you have a very specific use case and know how to handle that data securely, it’s better to rely on aggregate reports (rua) and a platform like Valimail to interpret them.

    Q: What happens if my DMARC record is missing required tags?

    If your DMARC record is missing the v=DMARC1 or p= tag, inbox providers will ignore it entirely. That means no policy enforcement, no reports, and no visibility. Essentially, it’s as if the record doesn’t exist. Always double-check that your record includes at least those two.

    Q: What does the pct tag do in a DMARC record?

    The pct (percentage) tag lets you apply your DMARC policy to only a portion of your email traffic. For example, pct=50 means only 50% of failing messages will be affected by the policy. This can be useful when gradually moving from none to quarantine or reject. However, most inbox providers don’t consistently support partial enforcement, so it’s often safer to use alternative methods to phase in enforcement.
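    As an added example (not Valimail's code), here is a small Python validator that applies the rules from the tag table and the FAQ answers above: a record whose v=DMARC1 is not the first tag, or whose p is missing or invalid, is treated as if it did not exist; pct, alignment modes and mailto: report URIs are checked; and missing rua, use of ruf, or a pct below 100 raise warnings. The sample records and example.com addresses are constructed placeholders.

```python
"""Validate a DMARC TXT record against the tag rules described in the article.

Added example, not Valimail's code. Sample records below are constructed.
"""
import re

POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "rua", "ruf", "pct", "sp", "aspf", "adkim", "fo", "rf", "ri"}
# mailto: URI, optionally followed by a DMARC report size limit such as !10m
MAILTO = re.compile(r"mailto:[^@\s,]+@[^\s,!]+(![0-9]+[kmgt]?)?", re.I)


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, sep, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip() if sep else ""))
    return pairs


def validate_dmarc(record):
    """Return (errors, warnings); any error means receivers ignore the record."""
    errors, warnings = [], []
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    # v=DMARC1 must be the first tag and p must be present and valid
    if not pairs or pairs[0] != ("v", "DMARC1"):
        errors.append("v=DMARC1 must be the first tag")
    for t in ("p", "sp"):
        if (t == "p" or t in tags) and tags.get(t) not in POLICIES:
            errors.append(f"{t} must be one of none, quarantine, reject")
    for t in ("adkim", "aspf"):
        if t in tags and tags[t] not in ("r", "s"):
            errors.append(f"{t} must be r (relaxed) or s (strict)")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        errors.append("pct must be an integer from 0 to 100")
    for t in ("rua", "ruf"):
        if t in tags and not all(MAILTO.fullmatch(u.strip()) for u in tags[t].split(",")):
            errors.append(f"{t} must be a comma-separated list of mailto: URIs")
    # warnings: the record is valid but you lose visibility or predictability
    if "rua" not in tags:
        warnings.append("no rua tag: no aggregate reports, so no visibility into your mail streams")
    if "ruf" in tags:
        warnings.append("ruf set: forensic reports can expose sensitive data and few receivers send them")
    if pct.isdigit() and int(pct) < 100:
        warnings.append("pct below 100: partial enforcement is not applied consistently by receivers")
    warnings += [f"unknown tag {t} is ignored by receivers" for t in tags if t not in KNOWN_TAGS]
    return errors, warnings
```

    Run validate_dmarc on a record such as "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50" to see the pct warning alongside an otherwise clean result.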

    The post DMARC tags: The only 3 tags you really need (rua, p, and v) first appeared on Valimail.

    ]]>