Set up DMARC or DKIM first?

I’m new to this, but trying to figure out the best way to get my org up to par…

If we have SPF implemented already, but not DKIM, should we implement DKIM first and then DMARC? Or should we first implement a DMARC policy of none in order to start getting reports and then implement DKIM afterwards?

Opinions will vary, but it doesn’t hurt to go ahead and start with DMARC at policy of none, and review the reports. At level none, email is not being blocked because of DMARC.
Getting the reports will help you focus on the areas that need to be fixed, and you can implement DKIM in parallel or based on the information in the reports.

Saying that, I do think at minimum you should implement DKIM on the org’s mail servers. That way it reduces the number of fails in the reports (especially if you’re using an email cloud provider).

We are using an on-prem mail server, but we are going to implement DKIM signing through our email gateway. There are some potential issues with our SPF record due to 3rd party vendors being used over the years, so my thought was that getting the reports through DMARC would be very useful in cleaning that up. Thanks for answering my question!
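
Added example (not written by any poster in this thread): a sketch of reviewing a DMARC aggregate report collected at a policy of none, listing the sending IPs that fail both aligned SPF and aligned DKIM so that forgotten third-party senders stand out. The report, domains and IP addresses are constructed placeholders, and `failing_sources` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate format); all domains and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>vendor-mail.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def failing_sources(report_xml):
    """Return [(source_ip, message_count, [spf_domains])] for sources that fail DMARC."""
    totals = defaultdict(lambda: {"count": 0, "spf_domains": set()})
    # Reports come from outside parties; in production parse them with a hardened XML parser.
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes if either aligned SPF or aligned DKIM passed.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue
        entry = totals[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        # The envelope domain that SPF checked often names the vendor behind the IP.
        entry["spf_domains"].update(s.findtext("domain") for s in rec.findall("auth_results/spf"))
    rows = [(ip, e["count"], sorted(e["spf_domains"])) for ip, e in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for ip, count, domains in failing_sources(SAMPLE_REPORT):
        print(f"{ip}\t{count} msgs\tSPF domain(s): {', '.join(domains)}")
```

In the sample, the second record passes raw SPF for the vendor's own envelope domain but still fails DMARC because that domain does not align with the From domain, which is the typical signature of a legitimate third-party sender that needs DKIM signing or an aligned return path.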