DMARC deployment projects in larger organizations come with their own variety of challenges. If 74% of the US Federal Government did this in a year, you can too.

Previously, we talked about DMARC deployment in a startup or smaller organization where you probably know all of the different places you're sending email. Now put yourself in the shoes of an enterprise that's 40+ years old, has hundreds or thousands of servers.

Many servers could be sending email directly. Some departments could have built their own tools while others are using 3rd party services. The company could even have many different domain names in use for all of these different tools. Has the company grown through mergers or acquisition?

There's no telling what the scope of your project could be in a larger company. Luckily, DMARC is built to help with this problem. You start with the Recon step, setting a DMARC p=none; policy on each known domain so that we can gather reports.

Maybe as the project goes on, you discover new domains. Just add that record and start collecting reports. You'll probably want some type of service or tool to collect these for you to help make sense of what is in them...but the deployment process is exactly the same.

We discover services and IP addresses being used by our domains and we work on our implementation to make them both SPF and DKIM compliant. We make them compliant by finding out who has access to these tools, look up the relevant implementation steps for SPF and DKIM, then apply them. Or we consolidate delivery by routing multiple servers through a more centralized and compliant company email service.

Rinse and repeat, until everything is compliant and then we enforce our policy. In an enterprise there will be more communication, more people involved and a bigger project to manage...but it's all achievable.

This article was originally published on as part of a 3 part DMARC Guide at Brightball.