< back to blog

Enhancing Email Security with Privacy in Mind

March 21, 2024

Balancing Email Security and Privacy

Protecting your email communications shouldn’t come at the expense of privacy. That’s why we’re passionate about helping MSPs and IT teams understand the balance that VerifyDMARC brings.

Understanding DMARC's Privacy Implications

DMARC reporting is an essential part of email security, but it’s also a fine line to walk when it comes to privacy. There are two kinds of DMARC reports:

  • Aggregate (RUA) Reports provide high level reporting of servers that are sending email from your domain name, but not enough to identify specific users.
  • Forensic (RUF) Reports go further and include personally identifiable information (PII) like specific users, subject lines, message IDs and timestamps.

We’ve made a deliberate decision not to offer or process Forensic (RUF) Reports at all. These reports offer little value towards helping you identify all your email sources, which is why you’re implementing DMARC reporting in the first place. Collecting RUF reports increases organisational risk that you’ll need to make disclosures when a data breach occurs.

Our Approach to Privacy and Security

Coming from the Managed Service Provider world, we’ve seen where common mistakes with cyber security risk occur. Two key areas are over collection of data, and poor housekeeping of user accounts. How do we address those?

No Overcollection of Data: When you collect more data than you need, like Forensic (RUF) Reports, you make yourself more attractive to attackers, lawyers, and law enforcement. You also create reputational risk because when that data gets breached and you need to disclose to those affected, you’ve now got a PR problem, fines, and remediation costs.

Good User Account Housekeeping: It’s far too common that you setup a service, give the team access, and then those users move on to new jobs, new organisations and so on. Or you create a single shared login, and all the people in your MSP or IT team know the details. We made another deliberate decision to only offer passwordless authentication and Microsoft 365 Single Sign On with VerifyDMARC. This means as long as you terminate access to email when a user is offboarded from your organisation, their access to VerifyDMARC ends there too. We also don’t limit how many users you can have on any of our business plans.


For MSPs and IT teams tasked with managing email security, the choice of tools and platforms matters. We like to think VerifyDMARC stands out by not only offering robust DMARC reporting capabilities but also by taking firm steps to ensure privacy and security is a key part of our design and service. If you’re using another DMARC reporting service, or considering a DMARC reporting service, have you given thought to privacy and security?

Update: North Korean Actors Exploit Weak DMARC Security

Update: North Korean Actors Exploit Weak DMARC Security

In response to a recent FBI, State Department, and NSA advisory, we highlight risks of weak DMARC security and offer actionable steps to protect your organisation, customers, and suppliers.

DMARC Protocol
Comprehensive & Cost-Effective DMARC for MSPs

Comprehensive & Cost-Effective DMARC for MSPs

The challenge of managing DMARC across multiple client domains has traditionally been a complex and costly affair. VerifyDMARC addresses this head-on by offering a unified, cost-effective solution.

Don't Forget About Your onmicrosoft.com Subdomain

Don't Forget About Your onmicrosoft.com Subdomain

Every Microsoft 365 tenancy includes an onmicrosoft.com subdomain, these are rarely used for business communications but need to be part of your DMARC strategy so they do not get exploited.

Mail Providers