To better understand the importance of Email Authentication, please see our blog post, “SPF, DKIM & DMARC – Umbrella IT”, for a friendly, non-technical explanation of what email authentication is.
This article is purely technical: it explains the technology that gives us email authentication visibility for our customers and how that technology fits into the overall Defense-In-Depth security stack.
Dynamic Record Management
One of the primary challenges in securing email infrastructure is the limitation of standard DNS records. Specifically, the Sender Policy Framework (SPF) has a strict “10-lookup limit.” If an organization uses multiple cloud services (like Microsoft 365, a CRM, and an EMR platform), they often exceed this limit. When that happens, authentication breaks and legitimate emails fail to deliver.
Redsift OnDMARC solves this through a technology called “Dynamic SPF.” Instead of listing every IP address and vendor directly in your primary DNS zone, we implement a single dynamic include. When a mail server queries this record, Redsift’s smart macro-services instantaneously flatten the list of approved senders into a valid format that respects the lookup limit. This allows us to authorize an unlimited number of legitimate services without breaking the protocol.
We use a similar “hosted” approach for DKIM and DMARC records. By delegating specific selectors to the Redsift platform, we can rotate DKIM signing keys and adjust policy parameters instantly, without manually editing your public DNS zone file every time a vendor changes their infrastructure.
Discovery to Enforcement
The process of securing a domain is not a binary switch but a phased technical evolution. OnDMARC provides the telemetry required to move through these phases safely.
We begin in the Discovery Phase by setting the DMARC policy to p=none. In this state, the technology acts as a sensor network. It collects RUA (Aggregate) and RUF (Forensic) reports from email receivers like Google and Microsoft. These reports generate a complete inventory of every IP address attempting to send mail as your domain. This visibility is critical for identifying which legitimate services your team uses and which of them are officially authorized by leadership.
Once we identify all valid sending sources, we move to the Alignment Phase. Here we configure the underlying SPF and DKIM mechanisms to ensure that the “Return-Path” and “From” headers match cryptographically. The OnDMARC platform highlights misalignments that would otherwise cause legitimate mail to land in spam folders.
Finally, we reach the Enforcement Phase. We gradually escalate the policy to p=quarantine and, ultimately, p=reject. At this stage, the technology actively instructs receiving servers to block unauthorized mail. This shuts down direct domain spoofing entirely.
Human Analysis and Continuous Monitoring
While the underlying technology is mostly automated, interpreting the data requires human expertise. The “Defense-In-Depth” model relies on continuous vigilance. Our team monitors the OnDMARC dashboards to analyze traffic patterns and alert on anomalies.
For example, if the reporting engine detects a sudden spike in failed authentication from a foreign IP block, it could indicate a targeted spoofing campaign. Because we have visibility into the forensic data, we can investigate the source and confirm that your enforcement policy is successfully rejecting the malicious traffic. Conversely, if a new legitimate marketing tool is deployed without notice, we catch the alignment errors early and update the dynamic records before it impacts business operations.
Support
If you need assistance with a specific sending service or have questions about a report, please log a ticket in our Client Portal. Our team will review the technical headers and assist with the configuration.
If you are not an existing customer or don’t know if you currently have OnDMARC enabled, reach out to our team!


