Valimail Enforce™
User Guide
Copyright © 2019 Valimail
A DMARC fail means that the From address that the user sees does not align with a domain that passed either SPF or DKIM authentication. In this way, DMARC prevents fraudulent emails from being delivered to the user's inbox.
A DKIM fail means it can't be confirmed that the claimed sender of an email (as identified in the DKIM email header) actually created the email, or that the email was not changed in transit.
An SPF fail means that the machine that sent an email is not allowed to send emails for the sending domain (the domain identified by the hidden Return-Path address).
Number or percentage of emails that pass DMARC authentication and are assigned a result of “success.”
Number or percentage of emails that fail DMARC authentication and are assigned a result of “quarantine.” The result is determined based on the DMARC policy setting (p=quarantine).
Number or percentage of emails that fail DMARC authentication and are assigned a result of “reject.” The result is determined based on the DMARC policy setting (p=reject).
A feature available on the Valimail website that checks the SPF, DKIM, and DMARC DNS records for a domain name that you enter. It then analyses the validity and function of the records and generates a report.
This graph on the Home tab shows how email messages were handled (delivered, quarantined, rejected). This is associated with the DMARC Policy that is set by the sending domain.
Any domain registered in the Valimail system. An account may have multiple registered domains.
A registered domain is considered to be in enforcement when any unauthenticated email from that domain is rejected or quarantined. However, it is possible that there are records defined on subdomains that mean the organizational domain is not actually at enforcement.
An internal sender is a system that is owned by the customer. It could also be a dedicated line the customer has leased for a third party to use, such as a marketing cloud system. If the system is configured to send email using the customer’s domain name, then it needs to be added as a netblock to the customer account. This can happen in two ways:
The sender appears as an unidentified service. After confirming that the service is allowed by the customer, the IP address of the service is added as a netblock.
The sender is using a DKIM key that is known to Valimail. After confirming that the service is allowed by the customer, the DKIM key is imported to Valimail, but is not associated with a third party. That makes it an internal sender.
The sending status of a registered domain is one of the following.
Active: Emails can be sent from this domain, and they are authenticated by Valimail. Valimail returns DMARC, DKIM and SPF records.
Blocked: Emails from the domain are blocked, meaning they are rejected by the receiver. Valimail returns DMARC and SPF records. Valimail returns DMARC records with "p = none", and returns empty SPF records.
Disabled: Authentication is disabled for the domain and its subdomains. However, DMARC reports continue to be received and processed by Valimail. Valimail returns DMARC and SPF records. Valimail returns DMARC records with "p = reject", and returns empty SPF records.
Email that lacks several features needed for authentication.
A DMARC policy can be set to None, Quarantine, or Reject. The policy determines what action should be carried out by the email receiver in the event the email does not authenticate.
Failure reports are one type of report that can be output by DMARC authentication mechanisms. Generally they are not provided by email receivers because they may reveal personally identifiable information (PII).
DMARC aggregate reports, categorized by domain, are sent regularly by email receivers to an email address specified by the respective domain.
A third-party service that is allowed to send email for a customer domain. Valimail will authorize emails from enabled senders.
A contiguous range of IPv4 or IPv6 addresses. It has a starting IP address, followed by some number of IP addresses, and an ending IP address. In SPF records, netblocks are typically used to define sets of IP addresses that are permitted to send email for a domain.
SPF mechanisms can be entered directly into the Valimail system. This feature is used for certain custom configurations.
In an email domain, netblocks can be assigned to cover the IP addresses of allowed senders. If a netblock is assigned to a third-party sender, that third-party sender can be selected from the drop-down menu.
If a subdomain of a registered domain is used for only one email sender, this switch can be turned on to improve the classification of email by the Valimail system.
DKIM uses PKI (Public Key Infrastructure) for authentication. PKI uses a private key to encrypt a message, and a public key to decrypt it. The email sender has the private key, which it keeps secret, and the public key is placed in DNS so that it can be retrieved by all email receivers in order to authenticate received emails. DKIM keys can be used by the Valimail system to authenticate email messages.
The selector is used to choose a specific DKIM public key that is stored in DNS for a given domain. Domains can have multiple DKIM keys available for use.
Valimail can send reports about system performance or other metrics to email recipients who are not registered in the Valimail system.
If the domain on which SPF authentication succeeds shares an organizational domain with the domain shown in the visible From header of the email, then SPF alignment exists. This is one criterion that can be used for DMARC authentication.
If the domain on which DKIM authentication succeeds shares an organizational domain with the domain shown in the visible From header of the email, then DKIM alignment exists. This is one criterion that can be used for DMARC authentication.
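The alignment rule in the two definitions above, and the resulting DMARC result, can be worked through in code. The following is an added example, not Valimail code: the function names, the four-entry suffix set (a stand-in for the Public Suffix List) and the sample domains are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption: a real
# evaluator loads the full list to find organizational domains).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels

def aligned(auth_domain: str, from_domain: str) -> bool:
    """Alignment as defined above: both share an organizational domain."""
    return organizational_domain(auth_domain) == organizational_domain(from_domain)

@dataclass
class Verdict:
    spf_aligned: bool
    dkim_aligned: bool
    dmarc_pass: bool
    result: str  # "success", or the policy value applied on failure

def evaluate_dmarc(from_domain, spf, dkim_signatures, policy):
    """spf: (result, Return-Path domain); dkim_signatures: list of
    (result, d= domain); policy: "none", "quarantine" or "reject"."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain)
                  for r, d in dkim_signatures)
    passed = spf_ok or dkim_ok
    return Verdict(spf_ok, dkim_ok, passed, "success" if passed else policy)

if __name__ == "__main__":
    # Constructed messages, all with visible From domain example.com.
    third_party_spf = ("pass", "bounce.example.net")  # sender's own bounce domain
    # SPF passes, but on an unaligned domain, and there is no DKIM: DMARC fails.
    print(evaluate_dmarc("example.com", third_party_spf, [], "reject"))
    # Same SPF result, plus a passing DKIM signature on a subdomain: DMARC passes.
    print(evaluate_dmarc("example.com", third_party_spf,
                         [("pass", "news.example.com")], "reject"))
```

The first message shows why a third-party sender that only passes SPF on its own Return-Path domain still fails DMARC for the customer's domain.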
Company that forwards email on behalf of another company or person.
A type of attack where the attacker uses emails, which impersonate emails from legitimate senders or companies, to induce the receiver to click on links to fraudulent websites, reveal personal or private information, or carry out incorrect instructions such as transferring money from company accounts.
A receiver can be configured to ignore the DMARC policy specified by the sender, and handle the email in a way determined by the receiver.