Re: Valimail Enforce

[John McCabe <0000009ba94df455-dmarc-request () LISTSERV EDUCAUSE EDU>]

Hi Razi,

I'm unfamiliar with Valimail Enforce's exact featureset. My guess is that
it is labeling vendors sending as your domain as phishing or spoofing
attacks. What I have to report is more commiseration than inspiration.

My heuristic process...

 0) use Dmarcian's DMARC operation resource center (https://dmarc.io/) to
save yourself vendor tech support runaround time
 1) request the vendor use DKIM
 2) minimize the risk of adding vendors to SPF by not doing so
 3) do not even consider managing a relay server for unencrypted +
unauthenticated emails
 3) request the vendor to send email as their own domain and separately
notify your users
 4) force the vendor to send email as a subdomain and if necessary with a
report-only DMARC record
 5) try not think about all the vendors that have SPF records with > 10 DNS
lookups, SPF records that include DNS lookups that do not exist, who had
valid SPF records but update them to be broken, create DKIM selector names
such as "example," refuse to create multiple DKIM keys at a time, do not
know their own outgoing email infrastructure, have invalid DMARC records,
etc. once you've reported this to them.

In security vulnerability circles, full disclosure was found to be the
solution for companies that refused to change behavior. Not sure if our
community is willing to go that route on this front.

Regards,
John



On Fri, Mar 26, 2021 at 11:12 AM Razi Ahmad <razi.ahmad1 () gmail com> wrote:

> Hi everyone,
>
> Is anyone using Valimail Enforce (or something similar) and, if so, how do
> you manage messages sent from non-DMARC complaint domains?
>
> Thanks,
>
> *Razi Ahmad*
> Director, IT Infrastructure Services
> NYU Stern School of Business
> 14 East 4th Street, Room 327, New York, NY 10012
> Phone: 212-998-0172
> Twitter: @NYUStern
> <https://twitter.com/NYUStern?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>
>
> *CHANGE**. **DRIVE IT.*
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
*John McCabe *

*Senior Information Security Manager & Data Protection OfficerInformation
Technology Services*
[image: Manhattan College Logo/Shield]
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community