BASIC spoofing mitigation deployment levels (NOV 2021, updated Aug 22, 2022)
- SPF $75 (incl. demo* upon completion)
- SPF + DMARC $180, 2.0 hr (incl. demo* upon completion)
- DKIM $225 (2.5 hr nom.)
- DKIM + DMARC $270 (3.0 hr nom.)
- SPF + DKIM + DMARC $315 (3.5 hr nom.)
  - aggregate reporting disabled; SPF record configured; DKIM enabled; DMARC policy p=quarantine at pct=100
  - p=reject NOT enabled (to be done at a later phase)
  - no monitoring (extra)
- SPF + DKIM + DMARC + reporting & monitoring & maintenance $500 ~ $5000
  - low end if you have in-house IT; covers consulting & strategizing for them
  - 4- / 5- / 6-phased implementation, on-going projects
NOTE: Prices assume that we're acting as your domain registration agent, have [momentary] unfettered access to the NS delegation and to DNS record editing, are familiar with your control panel, etc. Any exception encountered COULD trigger additional fees, at the standard consultation rate, to cover the investigation & logistical guidance. Where email is hosted is irrelevant: the records are published at the domain, not at the mail host.
Before any of these deployments (1 to 6), there is also a mandatory level 0 (zero): consultation, pre-screening, defining scope, etc.
Sometimes the project terminates† after the consultation session, because... that is the optimal choice.
NOTE: Many organizations use a commercial-grade, privately hosted SMTP service. Changing one thing (e.g. which server is authorized to send) might trigger another few obligatory changes.
* demo that the deployment is compliant with the project specs; not a live tutorial (extra). EXCLUDES on-going review, advice, monitoring, maintenance, reaction (to situations), etc.
† OR suspended, pending completion of other newly triggered projects + additional meetings, with implementation deferred.
What Is It?
- implement things, publish things (DNS records) at your domain, so recipients can reject mail that forges it
- comply with recipient company requirements, so you're not rejected by their policy
- defensive settings for non-sending domains you own
- by definition, any meaningful implementation of DMARC will be phased (4~6)
- mitigate identity spoofing, improve your own send deliverability (fail less)
- sticky points: mass mailers you use (implicitly?) & your professional org sending on your behalf; roamers using non-standard SMTP paths that bypass the authorized server
- not a fix-all; mail can still fall through the cracks
- impostors can still succeed (e.g. from look-alike domains you don't own)
- creates its own complications & failures
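The records that the "SPF + DKIM + DMARC" package and the non-sending-domain bullet above refer to, shown as an added zone-file example (not text from this page): example.com is a hypothetical sending domain with one authorized server, example.net a hypothetical domain you own that never sends mail. The hostnames, the IP address, the DKIM selector name and the key value are assumptions; the DMARC settings follow the package description (p=quarantine, pct=100, no reporting, no reject yet).

```dns
; Added example, not the page's own text. example.com / example.net, the
; IP 203.0.113.25, selector "s1" and the p= key value are all assumptions.

; --- example.com: the domain that sends mail ---

; SPF: only the single authorized outbound server may send as @example.com;
; everything else hard-fails (-all). Roamers submitting through some other
; SMTP server will fail this check, which is the "sticky point" noted above.
example.com.               3600 IN TXT "v=spf1 ip4:203.0.113.25 -all"

; DKIM: public key for selector "s1". The private half lives on the authorized
; server, which signs outgoing mail with d=example.com; s=s1. The p= value is
; a placeholder, not a real key.
s1._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB..."

; DMARC as the $315 package describes it:
;   p=quarantine, pct=100  - 100% of mail failing SPF/DKIM alignment is quarantined
;   no rua= / ruf= tags    - aggregate and forensic reporting disabled
;   no p=reject            - deferred to a later phase
; adkim/aspf are left at the default (relaxed) so subdomain senders still align.
_dmarc.example.com.        3600 IN TXT "v=DMARC1; p=quarantine; pct=100"

; Later phase (NOT part of the package above): once monitoring shows no
; legitimate mail failing, the same record is changed to p=reject.
; _dmarc.example.com.      3600 IN TXT "v=DMARC1; p=reject"

; --- example.net: a domain you own that never sends mail ---
; Null MX (RFC 7505) says the domain accepts no mail, an SPF record with no
; mechanisms before -all says nobody may send as it, and DMARC p=reject
; (sp=reject covers subdomains) tells recipients to discard anything forging it.
example.net.               3600 IN MX  0 .
example.net.               3600 IN TXT "v=spf1 -all"
_dmarc.example.net.        3600 IN TXT "v=DMARC1; p=reject; sp=reject"
```

After publishing, the demo in the "DEMO & Limitations" section is simply a message sent from the authorized server to a Gmail or outlook.com mailbox, whose Authentication-Results header should show spf=pass, dkim=pass and dmarc=pass for example.com.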
FYI:
- This is done PER-DOMAIN. It's common to deploy for just the primary domain (but not all domains), just like TLS certificate policy.
- This is done to the domain, not to the email hosting plan, and not per-mailbox.
- Hosting is monthly. Domain name is annual. Certs are annual. This anti-spoofing mitigation is one-time for implementation (non-recurring).
DEMO & Limitations
- successful delivery to your gmail & outlook.com
- optional $$$: demo failure as expected, with an intentionally misconfigured domain; note that such messages still get through to "unprotected" recipients that don't enforce DMARC
- explain the anticipated failures at some unreasonably restrictive sites, and the occasional malformed header
- covers a single authorized server (and associated testing), at the time of deployment
SEE ALSO