How Do You Configure Third-Party Vendors to Be DMARC Compliant?

DMARC Report
DMARC Report
How Do You Configure Third-Party Vendors to Be DMARC Compliant?

According to the How Businesses Hire Agencies Study by Semrush, nearly 94% of businesses outsource some or all of their marketing activities, including sending emails on their behalf. With such outsourcing comes the risk of opening up new gateways for malicious actors to access, intercept, and exploit your technical and non-technical resources

So, deploying SPF, DKIM, and DMARC is important to protect your domains against phishing and spoofing attacks. To practice this, you need to authorize all in-house as well as third-party vendors’ email-sending sources so that recipients’ servers don’t flag legitimate emails sent using them.  

Image sourced from

How to Make Third-party Vendors DMARC Compliant?

You need to understand that each business (your third-party vendors) works differently and may have a different approach towards email authentication and security. So, the first step is to find a middle ground that is accustomed to the ideas and strategies of both parties.  

Here’s what you may do next-

  • Set up a custom domain for each of the outsourced parties so that they manage SPF and DKIM operations. However, if you mutually agree to use the third-party vendor’s domain to send emails on your behalf, then ask the vendor to publish their SPF and DKIM records in the DNS of your subdomain. In this case, if you don’t set up a distinct DMARC policy for this delegated subdomain, the DMARC policy of your primary domain will be automatically applied to the subdomain.
  • The third-party vendor also has the option to use your email servers to send emails on your behalf. This automatically ensures compliance with DMARC policies for outgoing emails if you have one configured for your domain. Ensure that your SPF and DKIM records are updated to include these third parties, confirming their authorization as legitimate sending sources.

Configuring SPF, DKIM, and DMARC Records to Authorize External Vendors’ Emails

To authorize third-party vendors, you have to update your SPF record with their sending sources or create a new one. You can add their sending sources using the ‘include:’ tag or enlist the specific IP addresses they use for sending emails on your behalf. Using the latter option is recommended as the former allows more people to send emails, which is again a vulnerability.

Subsequently, it’s essential to ask your vendor to create a DKIM key pair for your personalized domain. They will utilize the private key to sign the emails they send on your behalf, and you must publish the corresponding public key on your publicly accessible DNS. During verification, your recipients match the private key against the public key in your DNS.

Different external vendors have different preferences and email authentication setups. So, if you feel swamped with changes and configurations, you can always reach out to us. We primarily help in DMARC reporting and monitoring so that you get insights into your domain’s email activities that further help in managing SPF, DKIM, and DMARC records and shifting DMARC policies as and when required.

Similar Posts