In our recent webinar, How to Mature from Reactive to Proactive Email Security Posture, we teamed up with the Authentic Web experts to uncover the hidden risks that leave organizations vulnerable when left undetected and unmanaged. We explored the importance of shifting from a reactive approach to a proactive cybersecurity strategy, focusing on DNS and email security best practices.
This session was packed with insightful discussions on email security, DNS vulnerabilities, and proactive cybersecurity strategies. Throughout the session, we received many great questions about DMARC implementation, best practices, and security challenges.
To ensure everyone gets the answers they need, we’ve compiled some of the most important technical questions from the webinar, along with expert responses from our team. Let’s dive in!
Q&A from the Webinar
What’s the best way to handle subdomains with DMARC?
The simplest approach is to use a single DMARC record at the root domain with a p= tag that applies to all subdomains. This ensures uniform enforcement without excessive management overhead. However, organizations with complex global infrastructures may require explicit records on specific subdomains for better control.
How often should we rotate DKIM keys?
Rotating DKIM keys every six months is a recommended best practice. Additionally, using DKIM keys of at least 2048 bits is a good practice.
Is it possible to know all the IP addresses related to a single ‘include’ in SPF?
Yes! Using an SPF lookup tool, such as EasyDMARC’s SPF checker, allows you to expand and analyze all the IP addresses associated with a specific include mechanism.
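As an added illustration of what such an expander does (example code written for this recap, not EasyDMARC's own tool), the script below walks include: and redirect= chains over a constructed set of TXT records, collects every ip4/ip6 network, counts the terms that consume DNS lookups against the RFC 7208 limit of 10, and flags include loops. The domain names and records are constructed, not real; a live version would fetch each TXT record with a resolver such as dnspython.

```python
import ipaddress

# Constructed sample TXT records (not live DNS data). A real expander would
# fetch each domain's TXT record with a resolver and feed it through the
# same logic.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example include:_spf.crm.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailer.example ~all",
    "_netblocks.mailer.example": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 mx include:_spf.mailer.example -all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on terms that cause DNS queries


def expand_spf(domain, txt=SAMPLE_TXT, path=(), state=None):
    """Recursively flatten the SPF record of `domain`: returns the ip4/ip6
    networks reached through include:/redirect=, mechanisms that still need a
    DNS answer (a/mx/ptr/exists), the lookup count and any detected problems."""
    if state is None:
        state = {"networks": set(), "needs_dns": set(), "lookups": 0, "problems": []}
    if domain in path:
        state["problems"].append(f"include loop: {' -> '.join(path + (domain,))}")
        return state
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        state["problems"].append(f"no SPF record for {domain}")
        return state
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").lower()  # the qualifier does not matter for enumeration
        if mech.startswith(("ip4:", "ip6:")):
            state["networks"].add(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif mech.startswith("include:") or mech.startswith("redirect="):
            state["lookups"] += 1
            target = mech[8:] if mech.startswith("include:") else mech[9:]
            expand_spf(target, txt, path + (domain,), state)
        elif mech.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr", "exists"):
            state["lookups"] += 1  # resolved at evaluation time; counted but not expanded here
            state["needs_dns"].add(f"{mech} (in {domain})")
        # "all", exp= and unknown modifiers cost no lookup and are ignored
    if not path and state["lookups"] > MAX_LOOKUPS:
        state["problems"].append(f"{state['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    return state


if __name__ == "__main__":
    result = expand_spf("example.com")
    print(sorted(map(str, result["networks"])))
    print("lookups:", result["lookups"], "| problems:", result["problems"] or "none")
```

Note that an include reached through two different paths is counted twice, which is how receivers count it, so a vendor record nested under several of your own includes can push a domain over the limit.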
Should I set my DMARC policy to reject, quarantine, or none?
Always begin with a monitoring policy (p=none). This allows you to analyze DMARC reports and ensure all legitimate email sources are correctly authenticated. Once all sources are verified, gradually move to p=quarantine and then to p=reject, with at least a two-week interval at each stage. The ultimate goal should always be p=reject to fully protect your domain from spoofing attacks.
Can EasyDMARC help analyze our email domains and subdomains so I can present findings to my IT Director?
Yes! EasyDMARC provides a trial that generates detailed reports on your domain and subdomains, highlighting misconfigurations and security gaps. These reports can be exported and shared with upper management to drive informed decision-making.
How long should I monitor my reports before moving to p=reject?
The ideal timeframe is two weeks to a month before progressing to the next policy level. This period ensures that all legitimate email sources are accounted for, minimizing disruptions while strengthening security.
Final Thoughts
A proactive approach to cybersecurity is essential in today’s evolving threat landscape. By addressing common questions and concerns, organizations can move toward a secure email infrastructure with confidence.
If you missed the webinar or want to revisit key insights, check out the Recording here. Stay tuned for more educational sessions and expert guidance on email security!