Brand Protection

    Making Sure Your Third-Party Email Services use DMARC

    Third-party email services help businesses conduct essential communications. They may also open the door for malicious email impersonation attempts.

    by Megan Doyle

    Key Points

    • Many organizations use valuable third-party services to regularly communicate with customers, prospects, clients, suppliers, and more.
    • However, these services may also expose your company to malicious phishing emails that impersonate your brand in order to trick unsuspecting users.
    • Integrating DMARC policies with all your third parties can help you protect your brand and your customers by stopping malicious domain spoofing impersonation attempts.


    If you have a business, there’s a good chance you’re using at least one third-party service to send email on your behalf. But do they have a DMARC record in place? If not, they may be exposing your company to malicious impersonation attempts.

    Whether it’s for marketing, customer relationship management, price quotes, invoicing, or helpdesk services, these third parties can make it far easier to communicate with customers, partners, prospects, and suppliers. But they can also make it harder to protect your brand. The more third parties a company uses, the more chances cybercriminals have to spoof the company’s email domains and send malicious emails that can wreak havoc on email recipients.

    DMARC is an email security protocol that can help put a halt to email domain spoofing. But to make it fully effective, a company must work closely with every one of its third parties to ensure all emails comply with the company’s DMARC policy. The benefits are three-fold: companies can better protect themselves, they can protect their stakeholders, and third parties can extend their DMARC understanding to other companies. Making sure your third-party email service uses DMARC is one small step toward protecting the entire internet community from cyberthreats.

    Deploying DMARC Across All Domains Is a Challenge

    DMARC builds on two previously existing email security protocols: SPF and DKIM. In order for your business to fully enforce DMARC, you should first have both SPF and DKIM set up. SPF records allow a domain owner to specify which host names and/or IP addresses are allowed to send emails on behalf of the domain. DKIM lets domain owners apply a secure digital signature to each of those emails. DMARC allows you to set policies that rely on DKIM and SPF to tell email recipients’ servers what to do when they receive fake emails that spoof your domain: report them but otherwise do nothing (a “none” policy), move them to a spam folder (“quarantine”), or reject them altogether (“reject”).[1]

    It’s vital to figure out exactly how many domains your organization has, and which domains are legitimately sending email on your behalf—including third parties. It’s not wise to skimp here: organizations often have domains they don’t know about. Depending on the size of your business, you could be using hundreds of domains that must be correctly set up for DMARC compliance. “It’s often the marketing group that sets up new domains,” says Dirk Jan Koekkoek, VP, DMARC, Mimecast. “It could be an intern who registered a domain with good intentions and signed up for a low budget vendor.” In some cases, the new domain ultimately may not be managed by the intern or the marketing team—and meanwhile, the rest of the business is unaware the domain exists.

    Once all domains are accounted for, the next step is generally to set your DMARC policy to “none,” which allows you to discover exactly who is sending email on behalf of all your domains, whether legitimate or illegitimate. Again, it’s important to be meticulous. Eventually, you may be able to set your DMARC policy to “reject,” so that all domain-spoofing emails are rejected before they reach recipients. But if you try to do that too soon, you risk blacklisting authentic emails.

    Once you have a good understanding of who’s sending emails on your behalf, it’s time to work together with all third parties to enforce DMARC across the board.

    Companies and Their Third Parties Must Work Together to Establish Strong DMARC Policies

    Contact your third parties to learn the options for sending DMARC compliant email via their software solutions. Some third parties offer guidelines to help work together to establish integrated DMARC policies, but many do not. If they’re unfamiliar with DMARC—or concerned about the complexity—explain the importance of the protocol and how it works.

    It can be challenging and time consuming to integrate all third parties with your DMARC policy, especially if multiple companies send email on your behalf. What’s more, each third party’s email system may not be set up in the same way, meaning the path to DMARC compliance will likely differ depending on the third party—and your organization’s needs.

    How to Get Third Parties to Send DMARC Compliant Emails

    The process will depend on which email systems are used by business’s and your third parties[2], but here are a few ways organizations commonly enforce DMARC policy compliance with their third-party senders:

    Your company provides the third party with a separate subdomain. Establishing a subdomain lets a third party put their own DKIM and SPF records into the subdomain’s DNS record.[3],[4] By default, your DMARC record then applies to all subdomains, while the third party is free to manage its own DKIM and SPF records. But there’s also a bit of customizability: you can create a separate “subdomain policy” that’s distinct from your organization’s core DMARC policy.

    Third party sends mail through your company’s network. The third party sends emails on behalf of your company through your own mail servers. This lets the third party use your SPF, DKIM, and DMARC record.[5] But you must be sure that your SPF record takes into account third-party senders, and that your DKIM record allows the third party, too.

    You don’t integrate your DMARC policies, but you don’t let the third parties spoof. Instead of integrating your DMARC policies, you can ask your third party to use their own domains in the FROM: header of an email. If emails they send on your behalf need a reply, they can either direct replies to your company’s domain, or set the REPLY-TO: header to one of your company’s email addresses.[6] However, it’s a good idea for third parties to ensure they have their own DMARC policy in place to prevent their own domains from being spoofed.

    Whatever method your company and your third parties agree on, it’s important to thoroughly test that all emails go through as they should.[7] Don’t be afraid to roll out DMARC policy compliance slowly. Stick to a “none” policy while you and your third parties gather data and make sure everything works as it should, before progressing to a “quarantine” or strict “reject” policy. Then, whenever you add a new third-party sender, make sure they become DMARC compliant. 


    The Bottom Line

    Third-party email senders can be vital points of contact between an organization and its stakeholders, but they also open up opportunities for malicious email spoofing attempts. Integrating DMARC across your business and all third parties is a necessary step to protect your brand and help stop cybercriminals before they can trick unsuspecting email recipients.


    [1]About DMARC,” Google

    [2]Use DKIM to validate outbound email sent from your custom domain,” Microsoft

    [3]Best Practice for Email Authentication - Optimal Ways to Deploy SPF, DKIM and DMARC ,” Cisco

    [4]Frequently Asked Questions,“

    [5] Ibid.

    [6] Ibid.

    [7] Ibid.


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top