Authenticate shows you senders that you can approve or deny.
What it Means
Approve a sender to indicate that you want the app to help authenticate emails sent by this sender. As soon as a sender is marked Approved, Valimail will start serving out positive SPF responses for their emails. If there are standard DKIM keys for the service, they will be loaded quickly. The app will generate new tasks for you when the sender is having a problem. Approval means that you want the sender to succeed at email authentication, and the app will support you in that goal.
Deny a sender to indicate that you do not want email from this sender to authenticate. No SPF support will be provided (SPF requests will fail). No DKIM keys will be stored for the sender, and these requests should generally fail.* You will not be given tasks to fix up the sender when it fails authentication, because your choice to Deny the sender shows you do not want to authorize it.
Pending Review means that you aren't sure yet. The system treats this much the same way as Denied, in that it does not support these emails for SPF or DKIM. Also no tasks will appear for the service. Pending Review is the default state for a new service we've detected in your mail streams, and it's good to make a decision as soon as you can.
* It is possible that a sender you have Denied will still pass authentication sometimes. For SPF, this can happen if the SPF validation comes from elsewhere, such as a separate include in the domain's SPF record or a subdomain with its own SPF record (not pointed to Valimail). For DKIM, the sender could pass using a DKIM key we have associated with a different service or with the same service, but on a different subdomain. For example, a service could try to send on 123.acme.com but sign with a key on acme.com so that even if you denied it on 123.acme.com it would still pass using the key on acme.com though this is rare.
How to Decide
Figuring out who uses a specific service at your organization is one of the biggest challenges of getting to DMARC enforcement. If you are at a small organization, ask around. At a larger organization, it can be very difficult. Either way, here are some tips that might help you find the service owner, or confirm that this is shadow IT:
- Do some research online about the sender for clues about what department likely uses it. Is it for marketing? Accounting? Engineering?
- Look for emails inbound to your organization from the primary domain of the service. Did anyone get a signup email from them? A test email? Usually there will be some good clues here, and recipients can point you to the bigger picture.
- As an extreme measure, you may want to let the service fail DMARC and see who complains. This is a risky solution, but might make sense as a last step after everything else fails.
If you aren't sure yet, it's ok to leave the service in `Pending Review` for a while, so long as your DMARC policy is not at enforcement. However, if you are at Enforcement, you might consider just Approving it so that you don't block its email stream entirely.