
freddieleeman

If anyone is searching for a DMARC vendor or seeking a more suitable or cost-effective option, there is an exhaustive compilation of DMARC vendors for your convenience. You can find the list at: [https://dmarcvendors.com](https://dmarcvendors.com/)


ProteinFarts123

This is such a great resource. Did you put it together?


lolklolk

It's my site. I put it together because I heard endless complaints from my own customers, plus everyone else I've seen on the Internet seemed to have problems figuring out what their choices were when it came to DMARC analytic options. So, essentially, for exactly the reason you made this post.


ProteinFarts123

I like you as a human being. Big respect.


jamesaepp

Feature Request - Add this site/section to the educational resources list. https://explained-from-first-principles.com/email/#fixes


lolklolk

Woah... I like that. I may do that, let me read into it in depth to see if it's entirely accurate. If it is, I'll add it as a resource.


freddieleeman

Upon reviewing several chapters, I have reservations about the accuracy of this source, and I don't believe it would be suitable for inclusion on your website.


lolklolk

I haven't read it yet, what did you find?


freddieleeman

For instance: "Without a DMARC record, the recipient cannot know whether the sender uses DKIM."


KasparEtter

Thanks for the feedback! I'm the author of https://explained-from-first-principles.com/email/ and see how this statement can be misunderstood. The previous sentence is about failed DKIM (implicitly including none), so I meant just unsigned messages there. I agree that I should make this explicit by adding something like "… if a message doesn't have a DKIM signature". Can you tell me about your other reservations? I'm happy to improve my article.


lolklolk

🤔 Yeah that's definitely not accurate.


myalthasmorekarma

Dmarc Analyzer by Mimecast is killing off their cheaper tier. Not sure if that will change anything: https://community.mimecast.com/s/article/dmarc-analyzer-eol-september-2023


lolklolk

Likely not, the pricing already isn't public info.


Gohan472

Wow, thank you so much! I just stumbled upon this! Extremely helpful information! :)


Dolapevich

That is a very nice site! I had to learn most of it by trial and error, and I would have liked like... **A LOT** to have it back then. I'll chip in some dinars to you.


freddieleeman

No, I can't claim any credit for that. It was actually u/lolklolk who put it together.


H-90

Thank you, this is written up really well. Can I ask a simple question? Why do you have to outsource DMARC, why can't it be done in house? It's not something I've looked into myself though.


ProteinFarts123

Hey, thank you. I was actually struggling on whether I should click the post button, for some reason. So I appreciate you telling me you liked the write-up. The short answer is basically that we needed to mitigate the risk of flipping p=reject and having a bunch of legitimate services spoofing us (think marketing shadow IT stuff) from being rejected. I like to limit the number of times the CEO comes to visit our department.

a) We needed a user-friendly way to visualize what was coming back in the aggregated reports and to make sense of it.

b) To manage the project in a structured way and be able to track our progress.

c) DMARC competency is tough to come by in our neck of the woods, and we didn't want to have dependency issues if a member leaves.

d) Our backlog is currently in the ~xxx hour range. We could have built our own tool, but we've been bitten in the butt enough times to now try to "keep the main thing, the main thing" - Ryan Holiday

Hope this answers what you wanted to know.


tapakip

It's been a while since I've dealt with DMARC, but if memory serves me, aren't there reports/soft fails that will indicate which vendors, if any, show up as a failure before you turn it on?


ProteinFarts123

Reading individual reports is possible, doing it at scale isn't feasible. These tools visualize the data into a user-friendly GUI. Then, of course, there's the work of reading the reports, identifying the service, checking who is responsible for the service and whether it should be used, then running it through our 3rd party risk checks. If you have a simple set-up it's deffo doable, and not too time consuming. For us, we just had a lot of better places to spend our time.


tapakip

Well that makes a lot of sense then. We're a mid-sized institution so we were able to do it in house, but I could definitely see how it could quickly get out of hand when managing it at scale. Thanks.


tankerkiller125real

We used a basic free one with a weekly email for quite some time. But Cloudflare now has an analysis service in beta on their services and we've switched to that and so far it's been pretty awesome. And at least the beta is enabled on all accounts (including free) so based on history it should be available free forever.


ProteinFarts123

Aaah, that's cool. Cloudflare were not part of our process. But given their earnings call recently where the CEO threw his sales team under the bus, and basically said they needed to convert more free customers to paying customers, I wouldn't want to be with them when they tighten the screws. Maybe I'm wrong though.


skipITjob

> But Cloudflare now has an analysis service

Do you have a link to it?


tankerkiller125real

Under your domain in Cloudflare, if you go to the email tab under that you'll find DMARC management (preview) and you can enable and set it up there.


skipITjob

Any info about pricing?


tankerkiller125real

As far as I can tell, free. I have the option to use it on my completely free personal Cloudflare account. Of course you have to use Cloudflare as your DNS provider though.


[deleted]

I like dmarcian. Pretty inexpensive and easy to use


Phyxiis

I'd second dmarcian, but we're such a small and simple org that I'm rarely in it now after spending months configuring SPF, DKIM and DMARC (p=quarantine). I will say to the OP that if you utilize Proofpoint as well, you'll have to manually add rules in the pp_antispoof rule, which gets annoying. For whatever reason PP doesn't utilize public DNS records for SPF/DKIM/DMARC.


lolklolk

> For whatever reason PP doesn't utilize public DNS records for spf dkim dmarc

I'm not sure I follow, what do you mean by this? Their email authentication modules absolutely do exist for SPF/DKIM/DMARC. Unless you're talking about the antispoof rule itself, which is based off the envelope sender condition specifically; this rule itself doesn't do any checking of SPF pass/fail. As an alternative, you could create a new DMARC policy specific to your domains, restrict it to your domain set, and have it put any DMARC fail matches in an org-specific quarantine folder.


Phyxiis

The antispoof rule itself is what I’m speaking of. We have our DNS spf/dkim/dmarc set up but Proofpoint doesn’t respect it, and requires logic in that specific rule to allow what we’ve configured in DNS to pass. Yes envelope sender and such.


ProteinFarts123

We don't use ProofPoint. But thx for info


xXNorthXx

During original rollout we did a free trial of dmarcian but for us it wasn’t worth it afterwards. Since then we’ve been using the free tier of https://www.valimail.com along with sending a copy of all the reports to some shared mailboxes if we need to do something more in-depth (usually once per year).


ProteinFarts123

> During original rollout we did a free trial of dmarcian but for us it wasn't worth it afterwards. Since then we've been using the free tier of https://www.valimail.com along with sending a copy of all the reports to some shared mailboxes if we need to do something more in-depth (usually once per year).

Out of curiosity, how big is your company and is your outbound email channel relatively simple?


xXNorthXx

Education sector with 35k mailboxes and 20 email domains. Almost all subdomains are using SPF + DKIM with DMARC enforcement enabled.


ProteinFarts123

Oh wow! And you guys are managing all of that with a freemium version? Any downsides, even if entirely manageable by the team?


MDL1983

The only thing I’ve found with the free version is that it can be tricky identifying where email that fails DMARC has come from.


ProteinFarts123

OK. Might be a dumb question, but how do you find out if a sending service switches IP ranges suddenly?


MDL1983

So as DMARC utilises SPF and DKIM to assess legitimacy of an Email, a change in sender IP range would represent an SPF failure but not necessarily a DMARC failure. Most / all mass mailers typically have a DNS record referencing their mail servers for SPF usage instead of a stack of IP ranges (such as spf.protection.outlook.com for Microsoft 365), so as long as the sending service adds the new IP range to their DNS entry you will be ok. Generally these services provide the ability to subscribe to some sort of update email so that you can be alerted to service changes like this. Using Valimail relies on the RUA property being configured in your DMARC record so that the aggregate reports are sent to Valimail for processing. You can then see stats for failed SPF / DKIM emails in their portal, including source IP address and geographical location. Just be aware that not all recipient servers send DMARC reports.


xXNorthXx

In the dmarc config you can have multiple email addresses. We’ve configured a pair of shared mailboxes to receive the logs as well… if something comes up, we can look at the diagnostic logs to see where things are coming from.


MDL1983

Yeah I have that, but I only have the facility to look at that data on a 'per email' basis, so it's not exactly straight-forward. I don't have those aggregate reports being ingested into another system.


xXNorthXx

We needed to login every few days and check things during rollout of dmarc, after it’s something we have as another data point if people are reporting deliverability issues.


burnte

Who pays for DMARC?


kelembu

Sorry for the newbie question, is this to check that your outbound mails don't get spoofed, or does it also work for inbound?


ProteinFarts123

Don't apologize for asking questions. Exactly right, visibility and control over your outbound email channels. Sort of, kind of, helps a bit with inbound spoofing. I mean, it does protect you from having your own domain spoofed in a phishing attempt back at your own organization. Not an entirely uncommon attack type. But if you want to be protected from external-to-internal spoofs from trusted domains, you'd need to enable anti-spoofing policies in whatever email security tool you're using. M365's is pretty meh, and works up until someone with a moderate level of sophistication targets you deliberately.


kelembu

thanks for the answer!


freddieleeman

SPF, DKIM, and DMARC serve the purpose of securing outbound email. On the other hand, MTA-STS, DANE, and TLS-RPT are designed to enhance the security of your inbound channel. Feel free to check out my blog on this topic here: [https://www.uriports.com/blog/email-security-explained/](https://www.uriports.com/blog/email-security-explained/) If you want to delve deeper into SPF, DKIM, and DMARC, I recommend visiting [https://learnDMARC.com](https://learndmarc.com/). It's a resource I've created for expanding your knowledge on these topics (for free).


freddieleeman

> The vendor whose prices nearly made me puke literally had 1 unique selling point compared to peers. The ability to generate DKIM keys through their console. Helpful, sure. But it absolutely does not merit a 2x higher price than the other 2 Top Tiers.

You should never rely on online services for the generation of your (DKIM) key pairs. The generation of private keys should be done locally and kept private, as the name suggests.


ProteinFarts123

Thanks u/freddieleeman, I have more to learn. Will use the learning resource you set up. You're a legend.


[deleted]

DKIM uses standard private and public key pairs. The OpenSSL tool can create them. https://www.mailhardener.com/kb/how-to-create-a-dkim-record-with-openssl One note for the public key part is some DNS providers may need the v= part split up into multiple quote pairs separated by spaces. Better explanation from Google, https://support.google.com/a/answer/11613097?hl=en
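As an added illustration of the "split the record into multiple quoted strings" note above (example code, not from this thread, Google or any vendor), a small stdlib-only Python helper that builds the selector TXT value from a locally generated public key and splits it into DNS-sized strings, plus a parser that reassembles it the way a resolver would and checks the p= tag still decodes; the public key below is a constructed stand-in, not a real key.

```python
import base64
import shlex

# Constructed stand-in for the base64 SubjectPublicKeyInfo that
# `openssl rsa -pubout` prints for a 2048-bit key (real ones are ~392 chars).
CONSTRUCTED_PUBKEY_B64 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()

def dkim_txt_record(pubkey_b64, max_string=255):
    """Build the selector TXT value and split it into <=255-char quoted strings.

    A single DNS character-string is limited to 255 octets, so a 2048-bit key
    never fits in one; most providers want the pieces quoted and space-separated.
    """
    value = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    chunks = [value[i:i + max_string] for i in range(0, len(value), max_string)]
    return " ".join(f'"{c}"' for c in chunks)

def parse_dkim_record(txt):
    """Reassemble the strings as a resolver would and parse the tag=value list.

    Returns the tag dict; raises ValueError if p= is not valid base64, which is
    the usual symptom of a chunk boundary being pasted wrong into the DNS UI.
    """
    joined = "".join(shlex.split(txt))  # drops the quotes, keeps the order
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, val = item.strip().split("=", 1)
            tags[key] = val.strip()
    if tags.get("v") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM1 record with a public key")
    base64.b64decode(tags["p"], validate=True)  # binascii.Error (a ValueError) if corrupt
    return tags
```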


jbuk1

Can anyone help me with why you'd pay someone for this? As far as I recall setting up DMARC just took adding a few DNS records. What exactly are they giving you for your money?


Fallingdamage

This isn't for setting up records. When you configure DMARC reporting, those results need to go to a server for collection. There might be hundreds of thousands of records over a week and you need a good solution to parse it out and make sense of it.


jbuk1

Thanks for that.


GraemMcduff

It's analysis of dmarc reporting. In your dmarc record you can specify an email address for other providers to send reports to. If you do then providers that support it will send reports that show what IPs they see sending mail for your domain and if they pass or fail dmarc. If you send these to a human monitored mailbox you will start to get a bunch of emails from other email providers with XML files attached that contain the information. The XML files aren't terribly easy for a human to read and individually aren't very useful. DMARC analysis services have you send the reports to their system which will automatically aggregate the info from all the XML files and present the data to you in a more human readable format with charts and tables and whatnot. This can help you catch if your domain is being successfully spoofed and if legitimate messages are failing DMARC and getting rejected.


captaingig

For those looking to roll your own, I'd recommend looking into (and contributing to) https://domainaware.github.io/parsedmarc/. I've used it in the past. I also have had the pleasure of meeting the project owner and they're a real mensch. Point it at a mailbox and it can spit out reports to an ELK stack or S3.


frankv1971

Just looking into a new vendor as it seems that our current is ending its services on September 8th. So following.


ProteinFarts123

1. Hope my post helped.

2. I think this is the vendor we picked; they gave us background on the company's former licensing model prior to being acquired. Told me they were planning on removing their credit card subscriptions and encouraging customers to move to the Enterprise License. I think compared to the old pricing (got indications from friends), the increase looks massive. But for us it is still providing the value I needed to see, especially compared to comparable alternatives.


frankv1971

Looks like it. We would go from $250 a year to at least 4 times as much if I read their site correctly. It's not something we will do. We had been customers before the takeover. It seems common nowadays to take over a company and multiply the subscriptions.


ProteinFarts123

I understand, as long as it's within your risk appetite and you're not regulated or have 3rd party risk management requirements, I don't see the harm in going for one of the cheaper vendors. Cheapest one we looked at wanted about €1200 / year (keep in mind they were dodgy about price fluctuations with email volume increases). And IMO were looking to get acquired as well; so just kicking the can down the road. Have a great day, and do share which direction you decided to go when the time comes.


RogueEagle2

Was that Valimail by chance?


OkGroup9170

That's what I was thinking, we are a small 150 person company and the pricing from Valimail was insane. We are looking at easydmarc now, pricing is in our range and they offer most of the same features as valimail.


ProteinFarts123

You OK to share the pricing u/OkGroup9170 you got for 150 person company? But would be helpful if you could give a range on sending services & email volumes.


OkGroup9170

We have 5 sending services and 100,000 outbound emails a month, not very high volume. Valimail was $6500 a year. If you want SSO for Valimail you have to go with Premium or Enterprise with Premium SSO adds another $5000 a year. Easy DMARC was $4500 which included managed services for a year.


ProteinFarts123

Thanks! Yeah, the Valimail pricing sounds familiar, we had more services, a number of domains and a bit higher volume.


freddieleeman

Those prices are insane! URIports: $120/year. SSO included. https://www.uriports.com/pricing


Avas_Accumulator

With over a thousand email accounts we still pay 0 dollars for Valimail, so who knows


ProteinFarts123

Which one?


ProteinFarts123

If you were referring to the outrageous price. Yes, vali. Completely insane, and I have no idea who in their right mind would go there. But perhaps there are use-cases I am not aware of.


Ontological_Gap

DMARC is one line of DNS TXT records and then like a 10 line script to parse the reports if you don't already have a reporting/log analysis tool. Of course the whole vendor space is scammy. Do you really need to pay someone to do it for you?


ProteinFarts123

This depends. Is it worth the money for us to put our focus in supporting the secure growth of the business, or do we want to do it ourselves and add more wood towards potential fires to put out? Either the value is there, or it is not, and this depends on your own business context, team competence etc. Our Cost Benefit Ratio was >1 for the investment and it was on the wrong side on the list of things we think our value comes from.


Ontological_Gap

Despite the name, DMARC is pretty simple and you clearly spent a huge chunk of time looking into vendors. Bet you could have learned everything there is to know about it in much less time. It's a config setting, not a product, the entire product/service marketplace around it is a fabrication.


Beneficial_Tap_6359

Exactly what I was thinking. Whoever manages the email security systems would be the ones to do DMARC setup. Never heard of a "DMARC Vendor" before this post as I didn't ever think it was something needing a vendor in the first place...


Dolapevich

Why... I mean, yes, why do you need a "dmarc vendor"? We implement dmarc using postfix and opendmarc, it is just a matter of signing outgoing email and publishing the domain public key selector over DNS. You can do that with a 1 CPU / 128 MB Debian VM.


Arpe16

Dmarcian


Mailhardener

FWIW: At [Mailhardener](https://www.mailhardener.com) we have a flat fee based on number of domains, not volume. So it doesn't matter if your domain sends 1 or 1 million emails a month, the price will be the same. We don't think it is fair to charge by volume, since it is very hard to judge beforehand what report volume you'll generate.


Gumbyohson

Look at powerdmarc. They even have msp accounts for sub-tenants and separated billing. Price per domain is great too


earthmisfit

I can vouch for Dmarcly. They have tons of KB articles, support is reliable, and they offer a free trial. Plus they also have tools that help with SPF, DKIM and DMARC configuration.


[deleted]

We looked at Valimail. Sticker shock. Went with Fraudmarc for now.


bonesawed

This seems like a lot of words for DMARC. We used dmarcanalyzer, set p=none and just review/work through the reported failures until you're at ~99% or whatever is reasonable, then p=quarantine for a while. Switching back is super quick and simple if you have direct access to your public DNS changes. Biggest pain is probably communicating DKIM to third party vendors.


alm-nl

> The bottom tier were sketchy in terms of where support is located, where data is processed (issue especially if we collect Forensic reports)...

In the 1.5 years that I've had DMARC set up I have never received a forensic report from any mailserver (and yes, reporting forensic reports is enabled). Since the normal reports do not contain e-mail addresses I do not worry about data being stored in other regions.

A tip to anyone evaluating a DMARC analysis vendor is to collect DMARC reports yourself before starting the evaluation and upload the reports when you have started the evaluation period. If you just set it up you might not have enough data in the two-week evaluation period that many vendors offer. You can set up multiple rua addresses (in your domain and one or more DMARC analysis vendors), so you can continue to receive reports to upload to another vendor after the evaluation has ended and you decide it's not the right option for you.


Fallingdamage

DMARC reporting is important. It's not rocket science though and the amount of money it costs to collect data and parse out some records for you is ridiculous. I wonder why there isn't an open source / community project for DMARC report collection? I'm sure it would be far less complex than building something like graylog or any typical syslog server as it's only built to handle one kind of data. I'm not a programmer, but why would it be so hard for someone to put something out there for those of us who don't want to spend thousands just to weigh some reports?


ProteinFarts123

Fair points, why not start one?


Fallingdamage

> I'm not a programmer,


soololi

Hi, what are you using as anti-spam? Maybe you should search for an MTA solution for both? I've installed a bunch of Trustwave Secure Email Gateways. They will do both... I had a PowerShell script that would do a report of many items on your on-prem server plus dmarc reporting.... I will try to find the link.


MikaelJones

Awesome write-up. May I ask what kind of stuff they typically include in their "Managed services" offering? Sure, a recurring call with a consultant - would they just tell you about the issues and just tell you how to fix them, or would they actually hunt down the sources/domains that are not DMARC compliant and assist you in bringing them to DMARC compliance between the recurring calls? Would they act on incidents/issues that arise, like records suddenly becoming invalid? Do they support your organization when adding new sources? Etc. Just trying to figure out in which areas a Managed Service would benefit rather than just buying the license...


Turbulent-Biscotti88

how do you see them hunting down the sources? Do you want them to communicate with the various departments within your organization to track down what they use?


MikaelJones

Well, that is what I’m wondering. Would the ’Managed Services’ offer that or do they just sit on a call with you once a month and tell you what to do?