How Do You Configure Third-Party Vendors to Be DMARC Compliant?

The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter - you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report

How Do You Configure Third-Party Vendors to Be DMARC Compliant?

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-11156">
						<source src="https://media.mailhop.org/dmarcreport/images/2024/02/How-Do-You-Configure-Third-Party-Vendors-to-Be-DMARC-Compliant.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M50S">1:50</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-11156" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-11156" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-11156" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-11156" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/how-do-you-configure-third-party-vendors-to-be-dmarc-compliant/&t=How Do You Configure Third-Party Vendors to Be DMARC Compliant?" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/how-do-you-configure-third-party-vendors-to-be-dmarc-compliant/&url=How Do You Configure Third-Party Vendors to Be DMARC Compliant?" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2024/02/How-Do-You-Configure-Third-Party-Vendors-to-Be-DMARC-Compliant.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/how-do-you-configure-third-party-vendors-to-be-dmarc-compliant/" class="input-link input-link-11156" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-11156" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="Z7JtxyDOnT"><a href="https://dmarcreport.com/blog/podcast/how-do-you-configure-third-party-vendors-to-be-dmarc-compliant/">How Do You Configure Third-Party Vendors to Be DMARC Compliant?</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/how-do-you-configure-third-party-vendors-to-be-dmarc-compliant/embed/#?secret=Z7JtxyDOnT" width="500" height="350" title=""How Do You Configure Third-Party Vendors to Be DMARC Compliant?" - DMARC Report" data-secret="Z7JtxyDOnT" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-11156” readonly/>

					<button class="copy-embed copy-embed-11156" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

According to the How Businesses Hire Agencies Study by Semrush, nearly 94% of businesses outsource some or all of their marketing activities, including sending emails on their behalf. With such outsourcing comes the risk of opening up **new gateways for malicious actors to access, intercept, and exploit your technical and non-technical resources.

So, deploying SPF, DKIM, and DMARC is important to **protect your domains against phishing and spoofing attacks. To practice this, you need to authorize all in-house as well as third-party vendors’ email-sending sources so that recipients’ servers don’t flag legitimate emails sent using them.

How to Make Third-party Vendors DMARC Compliant?

You need to understand that each business (your third-party vendors) works differently and may have a different approach towards email authentication and security. So, the first step is to **find a middle ground that is accustomed to the ideas and strategies of both parties.

Here’s what you may do next-

• **Set up a custom domain for each of the outsourced parties so that they manage SPF and DKIM operations. However, if you mutually agree to use the third-party vendor’s domain to send emails on your behalf, then ask the vendor to publish their SPF and DKIM records in the DNS of your subdomain . In this case, if you don’t set up a distinct DMARC policy for this delegated subdomain, the DMARC policy of your primary domain will be automatically applied to the subdomain.

• The third-party vendor also has the option to use your email servers to send emails on your behalf. This automatically ensures **compliance with DMARC policies for outgoing emails if you have one configured for your domain. Ensure that your SPF and DKIM records are updated to include these third parties, confirming their authorization as legitimate sending sources.

How Do You Configure SPF, DKIM, and DMARC Records to Authorize External Vendors’ Emails?

To authorize third-party vendors, you have to update your SPF record with their sending sources or create a new one. You can add their sending sources using the ‘include:’ tag or **enlist the specific IP addresses they use for sending emails on your behalf. Using the latter option is recommended as the former allows more people to send emails, which is again a vulnerability.

Subsequently, it’s essential to ask your vendor to **create a DKIM key pair for your personalized domain. They will utilize the private key to **sign the emails they send on your behalf, and you must publish the corresponding public key on your publicly accessible DNS. During verification, your recipients match the private key against the public key in your DNS.

Different external vendors have different preferences and email authentication setups. So, if you feel swamped with changes and configurations, you can always reach out to us. We primarily help in DMARC reporting and monitoring so that you get insights into your domain’s email activities that further help in managing SPF, DKIM, and DMARC records and shifting DMARC policies as and when required.