Easydmarc has a FREE plan, which is great for personal domains or small businesses that just want the basics; it also allows you to manage unlimited domains. Prices are then $17.99 / month for the Plus plan and $39.99 for the Premium plan. Plans are cheaper if you pay yearly.
Dmarcly does not have a free plan, but they do offer trials, and their prices are almost identical: the Professional plan at $17.99, Growth at $39.99, Business at $69.99 and Enterprise at $199 per month.
For the purposes of this article, we will be comparing the $39.99 Growth and Premium plans.
Price (per month)
$39.99 monthly $35.99 yearly
DKIM Record Generator
Processing/rendering of aggregate reports
Processing/rendering of forensic reports
Aggregate Reports (RUA)
Automatic Subdomain Detection
2 Factor Authentication
The dmarcly system is a very text-based, no-frills solution. It is not visually appealing at all and feels very much like a legacy Web 2.0 app from 20 years ago.
Overall I did not find the dmarcly system very intuitive or nice to use compared to Easydmarc.
The reports are very minimalistic. The whole site/admin interface feels like it was created by developers with no real UI/UX experience. The target audience here is definitely techies, not end users or business owners.
Below is one of the email summary reports. As you can see, rather than an actual report, you get a notification that a report is available, which you have to log in to view. Having to do this is time consuming and annoying. Compare this to the lovely email reports from Easydmarc.
Frustrated with “SPF PermError: Too Many DNS Lookups”? This can cause emails to not reach the inbox.
SPF allows up to 10 DNS queries during validation. However, some domains have SPF records requiring more than 10 DNS queries, which results in SPF validation failures and deteriorated email deliverability.
The good news is, DMARCLY’s Safe SPF feature solves this problem perfectly.
Precise SPF validation
Always up to date
Boost email deliverability
No manual maintenance
DMARCLY renders Authenticated Received Chain (ARC) results when the final disposition is overridden by the local policy.
ARC preserves email authentication results across subsequent intermediaries that may modify the message, allowing legitimate messages from indirect mailflows to be delivered.
Your email is susceptible to Man-in-the-Middle (MitM) attacks, if you allow messages to be delivered to your domain via unencrypted connections.
Implement MTA-STS/TLS reporting to identify and fix email security issues.
Adaptive Blacklist Monitoring
Monitor the reputation of IP addresses from which your outbound emails are actually sent.
Dmarcly checks against these industry-standard blacklists: Spamhaus ZEN, SpamCop Blocking List, Barracuda Reputation Block List, and Passive Spam Block List.
Multiple Email recipients
One feature I initially thought was useful was that dmarcly allows you to set up multiple email recipients for each domain, which I thought would make it useful for consultants or MSPs who want to send reports directly to customers. But alas, this turned out to not be very useful, due to the aforementioned fact that the system doesn’t actually send reports via email, just notifications telling you to log in to view the report. This means that every email recipient would actually need a login in order to see the report.
This feature is further undermined by the limited number of users per account, and there does not appear to be any way to limit a user to a specific domain. So even if you did send a report to every client, they wouldn’t actually be able to log in to view it.
I contacted their support a few times with various questions, and while they responded within a timely manner, I found their responses to be very terse. The customer service/support felt as minimalistic as the website UI/UX.
More domains and email traffic with each plan.
MTA-STS & TLS Reporting
Poor UI/UX, lack of visualisations. Lacks the intuitive look and feel of Easydmarc.
No email reports, just notifications.
No free plan
No support for MSPs/Resellers
The Easydmarc app has a beautiful and intuitive interface that is a joy to use and easy to understand, very visual with nice looking icons, graphs and charts everywhere with all the info you need at a glance.
You can tell that a lot of thought went into the UI/UX and that actual UX designers were involved in the process, unlike dmarcly. Easydmarc is definitely the better solution for users and business owners, but it is great for techies too.
The email reports are beautiful and visually tell you everything you need to know, without having to login to your account.
During my time testing Easydmarc, I did, however, discover issues with the reporting: the stats would randomly change every time I reloaded the page, giving completely different data for every domain. The same happened on the aggregate reports.
It took more effort than it should have to get them to investigate this issue and finally realize the system was broken, and I found it rather worrying that they were oblivious to it and that I was the only user who had noticed and reported it.
The Hosted DMARC tool provides a unique CNAME record to update your DNS and start using the feature, preventing the need to visit your DNS each time.
Hosted BIMI helps you to manage BIMI record easily directly within their platform. You need to add a single CNAME record to your domain DNS, after which you can securely host the SVG logo and VMC certificate with Easydmarc.
SMBs are not likely to want or need to bother with BIMI though, as it is costly, requiring you to buy a certificate that costs $1400 per year and register your trademark. This is more something for large organizations that already have trademarks.
By default SPF cannot exceed 10 DNS lookups. If it does, this results in a “Too many DNS lookups” issue causing a “permerror”.
Easy SPF solves this by providing an SPF flattening solution that allows you to add, remove and update lots of email service providers without worrying about the SPF 10 DNS lookup limitation.
Mitigate and avoid loss of outgoing emails by automatically authorizing new email sending sources, even when your DMARC policy is “quarantine” or “reject”.
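To make the 10-lookup limit and the flattening that Safe SPF and Easy SPF automate concrete, here is an added example (not code from either product). It counts the lookup-incurring terms in an SPF record by following include: and redirect= recursively, and rewrites the record as plain ip4/ip6 terms. DNS is replaced by constructed in-memory tables, so every domain and address is made up and the script runs offline.

```python
"""Count the DNS lookups an SPF record needs, and flatten it to plain IPs.

Added example, not EasyDMARC's or DMARCLY's code. FAKE_TXT, FAKE_A and FAKE_MX
stand in for DNS so this runs offline; all names and addresses are constructed.
"""
import re

# Constructed SPF (TXT), A and MX data for fake domains.
FAKE_TXT = {
    "example.test": "v=spf1 include:_spf.crm.test include:mail.ticket.test mx -all",
    "_spf.crm.test": "v=spf1 ip4:203.0.113.0/24 include:_spf2.crm.test ~all",
    "_spf2.crm.test": "v=spf1 ip4:198.51.100.10 a:relay.crm.test -all",
    "mail.ticket.test": "v=spf1 ip6:2001:db8::/32 -all",
    # Eleven includes: one more than the limit allows, so validation gives permerror.
    "toomany.test": "v=spf1 " + " ".join(f"include:svc{i}.test" for i in range(11)) + " -all",
}
FAKE_A = {"relay.crm.test": ["192.0.2.25"], "mx1.example.test": ["192.0.2.1"]}
FAKE_MX = {"example.test": ["mx1.example.test"]}

# Terms that each cost one DNS query toward the 10-lookup limit (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
MAX_DEPTH = 10  # guard against include loops in bad records


def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples, dropping 'v=spf1'."""
    terms = []
    for tok in record.split()[1:]:
        qual = "+"
        if tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        m = re.match(r"^([A-Za-z0-9]+)(?:[:=](.*))?$", tok)
        if m:
            terms.append((qual, m.group(1).lower(), m.group(2)))
    return terms


def count_lookups(domain, depth=0):
    """Recursively count lookup-incurring terms, following include: and redirect=."""
    if depth > MAX_DEPTH:
        return 0
    total = 0
    for _, name, value in parse_terms(FAKE_TXT.get(domain, "v=spf1")):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and value:
            total += count_lookups(value, depth + 1)
    return total


def check(domain):
    """Return (lookup count, verdict) the way an SPF validator would report it."""
    n = count_lookups(domain)
    return n, "ok" if n <= LIMIT else "permerror: too many DNS lookups"


def flatten(domain):
    """Build an equivalent record that uses only ip4/ip6 terms, so it costs zero lookups.

    Only '+' includes/redirects are expanded, a/mx are resolved to A records
    (AAAA is skipped here), and the top-level 'all' qualifier is kept.
    """
    def expand(dom, depth=0):
        if depth > MAX_DEPTH:
            return []
        out = []
        for qual, name, value in parse_terms(FAKE_TXT.get(dom, "v=spf1")):
            if name in ("ip4", "ip6"):
                out.append(f"{name}:{value}")
            elif name == "a":
                out += [f"ip4:{ip}" for ip in FAKE_A.get(value or dom, [])]
            elif name == "mx":
                for host in FAKE_MX.get(value or dom, []):
                    out += [f"ip4:{ip}" for ip in FAKE_A.get(host, [])]
            elif name in ("include", "redirect") and qual == "+" and value:
                out += expand(value, depth + 1)
        return out

    terms = expand(domain)
    tail = [f"{q}all" for q, n, _ in parse_terms(FAKE_TXT[domain]) if n == "all"]
    return "v=spf1 " + " ".join(terms + (tail or ["-all"]))


if __name__ == "__main__":
    for d in ("example.test", "toomany.test"):
        print(d, check(d))
    print(flatten("example.test"))
```

The flattened record must be regenerated whenever an included provider changes its IPs, which is exactly the maintenance the hosted services take on.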
Real-time Reputation Monitoring
Keep an eye on your domain, IP address, and mail server reputation with the advanced blacklist monitoring service. They notify you once you appear in blacklists, so you’ll be able to quickly act to get them delisted and avoid potential delivery issues.
How does Reputation Monitoring work?
EasyDMARC’s Blacklist Monitoring service provides indispensable information about your domain, IP address, and mail server blacklist status. Their system delivers automated checks and notifies you if any of them are found in a blacklist. You can monitor both IP addresses (IPv4 and IPv6) and domains. EasyDMARC’s automated checks run in real time. Their email alert system gives you the link to every IP blacklist provider’s website. From there, you’ll be able to quickly delist your domain or IP address and mitigate any damage to your email sender reputation.
Email Investigation Tool
Setting up domain alignment initially can be quite a complex task, especially if you have multiple sources such as a CRM, ticket system, billing system, blog etc all sending email from your domain.
The email investigation tool makes this easier. It will generate a special email address, which you use to send emails from each of your sources, and Easydmarc will then tell you if that email passed the domain alignment checks.
However, during my time using Easydmarc, I found that the email investigation tool was incorrectly reporting that the domain was not aligned and was failing both SPF and DKIM checks because the domain did not match the return path. This was false: both SPF and DKIM were fine, verified via other tools, and even the error itself clearly showed that the domain and return path matched.
When I contacted Easydmarc to report this, they were not interested and told me I needed to upgrade to the Enterprise plan if I wanted them to even look into it.
I had to resort to posting the issue on Twitter to get them to look into it, at which point they confirmed there was an issue with the tool.
I understand that they must limit providing support to free users, but bug reports should be taken seriously regardless.
Easydmarc state that they have MSP features, however, these are very basic and I would disagree that they are MSP features.
All it really gives you is the ability to manage multiple domains and users and to assign a user to a domain. There is no ability to generate reports and send them to clients. If you want a client to get reports, then you must add them as a user so they can set this up themselves.
There is no option to setup branding, so if you do give a client access, they will know they are using Easydmarc.
In stark contrast to dmarcly, I found Easydmarc to be very pleasant to deal with and generally more helpful with their responses. While testing out their service I noticed that emails sent through Postmark servers were passing the DKIM tests. When I quizzed them on this, they spotted an old DKIM record I had left in my DNS.
Very visual, easy to understand UX/UI that is pleasant to use.
Nice email reports. Pretty, easy to understand email reports that show you current alignment status at a glance.
Free plan with unlimited domains
Friendly customer service
Reputation monitoring included
Handy email investigation tool
Fewer domains and less email traffic compared to dmarcly
No MTA-STS & TLS Reporting (although they say it is coming soon)
Very limited/Basic MSP features
So which solution is best? This very much depends on your requirements, although you can probably tell I prefer Easydmarc.
If you want a solution that looks nice, generates attractive, easy-to-understand reports either for yourself or to send to clients or you are an MSP looking for a solution to resell, then I would go for Easydmarc.
If you are looking for the cheapest solution with the most domains and don’t really care about the visuals and UI, or you specifically need MTA-STS and TLS Reporting, then go for Dmarcly.
If you are interested in a fully managed domain alignment and Dmarc solution, get in touch.
In this article I will share my awesome Active Directory management tips on design, naming conventions, automation, AD cleanup, monitoring, checking Active Directory health and much more.
Check it out:
1. Get Your Active Directory Organized
If you don’t have good Active Directory organization unit (OU) design you’re going to have problems.
First, I’ll quickly explain the three main reasons why good OU design is so important.
Reason #1 Group Policies
Having good OU design will make implementing and managing group policies much easier. I’ve seen a drastic decrease in issues with proper OU design.
Reason #2 Delegate permissions
Does your helpdesk need to reset passwords, add and remove computers from the domain? Do you need non admins to manage groups? Does HR need access to update user accounts?
Being able to delegate rights at a granular level and auditing those rights is a must.
Proper OU design will allow you to easily delegate permissions at a granular level.
Reason #3 Administrative tasks
Modifying user accounts, using LDAP queries, reporting and bulk changes are all common administrative tasks. If Active Directory is a mess, these simple day to day tasks can become difficult for the whole team.
Now that I’ve explained why OU design is so important, let me show you my tips for good OU design.
Design Tip #1: Separate Users and Computers
Do not lump users and computers into the same OU; keeping them separate is a Microsoft best practice.
Instead, create a new OU for users and an OU for computers.
Next, create sub OUs for each department.
Do this for both computers and users.
Next, I’ll create OUs for specific functions or groupings of similar objects. Here are some examples that I use:
Conference room computers
VDI (Virtual desktops)
I’ll create an OU for each one of these functions.
That’s it for organizing users and computers.
It’s very simple, flexible and easy to navigate.
Recommended: SolarWinds System Management Bundle (FREE 30 Day Trial)
The Systems Management Bundle is the ultimate monitoring solution for virtual servers, applications, storage, and web performance monitoring.
Get instant visibility across your systems to help you quickly diagnose and troubleshoot performance problems. Infrastructure monitoring for on-prem and cloud technology.
What I like best about SolarWinds is its quick and easy setup and easy to understand dashboards.
Here is one example that demonstrates the flexibility of this design.
I have a domain policy that locks the computers after 15 minutes of inactivity.
This became a problem for conference room computers, users would be teaching or giving a presentation and the screen would keep locking.
To fix this I just created a sub OU called conference room computers and moved the affected computers into this OU. I created a new Group Policy object that changed the lockout time to 60 minutes and applied it to this new OU.
Now these computers still inherit the policies from their parent OU while applying the new timeout policy.
Design Tip #2: Create an OU for Security Groups
At first, I put security groups into department folders.
It made sense at the time.
BUT... I was wrong.
What happened was, I would have groups that were not department specific. Where do those go?
They would end up in various places and then no one could find them.
To fix this mess I created an OU just for security groups.
Just like with users and computers, I can create sub OUs to group department or functional groups together.
This works great, I know exactly where all the groups are and can organize them any way I want with sub OUs.
Design Tip #3: Create an OU for Servers
You want to keep your servers in their own OU. You will have group policies that need to apply only to servers and not workstations, and vice versa. I can also create sub OUs to group specific servers for whatever need arises.
Now I can apply policies to all the servers or specific ones.
By keeping Active Directory organized all the admins will know how to easily find objects. I have the flexibility to apply group policies, delegate control and administer the objects.
2. Use a Standardized Naming Convention
No matter if your organization is big or small you need to standardize the naming of Active Directory objects.
Here are my tips for good naming conventions.
The most popular option is the user’s first initial + last name.
I’ll use “Joe Smith” as an example.
The user name would be: jsmith
The next popular option is complete first name + last name (use a special character to separate the name).
The user name would be: joe.smith
Both methods work well and are user friendly. The one problem you may run into is duplicate user names.
To fix this just add in the middle initial.
For example, I have Joe Smith, then I get a new employee with the name of Jane Smith. The user name for Jane will be the same as Joe so I need to use Jane’s middle initial.
Jane’s middle initial is A, so the username would be jasmith or jane.a.smith.
I would avoid naming conventions that truncate names or include numbers. It’s just too confusing for everyone.
Here is my template for creating groups.
Department or group + resource + Permissions
Let me break this down
Department or group – You can use the full department name or an abbreviation. In some cases it may not be a specific department but users from various departments, so just come up with a name for this group.
Resource – This should define what the group is being used for; it could be one word or a few words (separate words with a hyphen).
Group Prefix: When you create a group you must select a group type. I use a prefix to show which group type I’m using.
Domain local = L
Global = G
Universal = U
Permissions – The permissions you will apply to the resource
R = Read only
RW = Read, write
Here are some examples
Example 1 – Helpdesk staff needs rights to reset passwords.
Security group name would be: Helpdesk-PasswordReset-G
Example 2 – HR department needs training folder locked down
Security Group name: HR-Training-Folder-G-RW
Example 3 – Sales department want shared calendar locked down
Security group name: Sales-Shared-Calendar-G-RW
Once I got all my groups renamed following this naming convention it made it much easier to find and use them.
Computers, Servers and other AD Objects
For most other objects I follow this naming convention:
Type + department or location code + asset#
W = Workstation
L = Laptop
P = Printer
S = Server
V= VDI or virtual machine
Department: Use two-letter abbreviations for departments or use a location code
HR = Human Resources
MR = Marketing
SA = Sales
Here are some examples
Workstation in the IT department asset# 1234
Laptop in the HR department asset# 1235
Printer in the sales department asset # 1233
Create a clear naming convention that the whole team can follow, and I’m not just talking about users and computers. Create a naming convention for all objects.
3. Monitor Active Directory with Premium Tools
Active Directory is the heart of the network, if it stops beating then everything else dies.
I know FREE tools are great (I use plenty of them) but when it comes to monitoring I rely on professional tools.
It saves me serious time and it provides other IT staff with easy to read metrics on servers and applications.
Here are a few favorites:
SolarWinds Server & Application Monitor – I like this tool as it allows me to monitor any application on any server. Monitors all the components and services that make Active Directory run. If Active Directory is having issues or is slow this program will quickly identify the issue.
Netfort Languardian – This is a deep packet inspection program that monitors the network and user activity. Although it may be considered a networking tool, it has tons of use cases. I can find out who deleted a file, monitor DNS, find rogue DNS servers, monitor bandwidth to servers and Active Directory and much more.
ManageEngine Audit Plus – Provides real time auditing to Active Directory. Track changes to AD objects, user activity, DNS, GPO and more.
There are plenty of professional tools on the market, I recommend you search around and find what best fits your needs.
4. Use Core Servers (When possible)
Server core has a smaller footprint, is more secure and doesn’t require as many updates.
Bonus benefit fewer reboots!
I was skeptical at first when Microsoft said this is the preferred install option. But after running core servers for a few years they ROCK. They are stable, and they really do have fewer updates.
Unfortunately, they don’t work in every situation.
Not all 3rd party applications support core servers.
They work great for Windows servers such as domain controllers, DHCP, DNS.
So, install core servers when you can and reap the benefits.
Here is a nice table that summarizes the benefits of server core
5. Know How to Check AD Health
Issues with domain controllers, DNS, and replication are going to cause all kinds of problems.
Here are some quick tips for checking the health of Active Directory.
Use dcdiag to check domain controllers
Dcdiag is a command line tool that analyzes the state of domain controllers in a forest or enterprise and reports any problems. It is built into most Windows server operating systems, it is also included if you have the ADDS or ADLDS role installed.
Use the following command to analyze the health of your domain controllers.
dcdiag /s:servername /a
This will run several tests on various components and services that run on a domain controller.
You will get a fail on any test that does not pass.
Use dcdiag to test DNS
Use the command below to test DNS
dcdiag /test:dns /s:servername
You can see in the screenshot that the test has detected some issues with my DNS.
Looking through the tests, I’m missing some A and SRV DNS records.
Use repadmin to test replication
Use the following command to test replication between your domain controllers.
6. Use Security Groups to Apply Permissions to Resources
DO NOT use individual accounts to apply permissions on resources (printers, shared folders, applications, calendar, etc).
Instead, use security groups.
This makes adding and removing users to resources much easier. It also helps with reporting and audits.
Once the groups are set up on the resources you don’t have to go to each resource every time to modify access. You just update the group.
Using the group naming convention from tip# 3 this works like a charm.
Here is an example.
I have a folder called training in the sales department.
I will create a group called HR-Training-SG-RW (following my naming convention tips)
Then I’ll add this group to the permissions on this folder.
Now anytime I want to give permissions or revoke a user’s rights to this folder I just modify the members of this group.
I can use this method for all resources.
7. Cleanup Active Directory (at least once a month)
Over time, Active Directory will have obsolete users, computers and group accounts.
To keep Active Directory secure and tidy you need to find these obsolete accounts and remove them.
It’s frustrating to see objects in Active Directory and have no idea what they are for.
Even if you are using a good naming convention, I still like to add descriptions to objects. Obviously not all objects, but I put descriptions on servers, groups, service accounts and generic accounts.
Not only does this help me quickly identify the use of the object it helps the whole team understand.
You can see in the screenshots below I’ve added descriptions to some groups and service accounts.
Here are some non standard accounts, again using the description field I can easily see in Active Directory what these are for.
Again, I don’t do this for all objects, mainly groups, servers, and non standard accounts.
It’s another big time saver.
9. Use Delegation Control Wizard to Set Permissions for non admins (helpdesk)
Active Directory delegation is important to understand so that permissions can be granted without adding users to privileged groups like Domain admins.
Using delegated permissions, you can use the least privileged access method. (Give only rights that are needed)
This helps with security and compliance.
Here are a few examples why you would need to delegate rights.
Helpdesk needs to reset passwords
Update user account info such as phone number or address
Give rights to add and remove computers from domains.
Create, delete and manage user accounts
Modify group membership
In this video, I will give our helpdesk group the rights to reset passwords.
10. Audit Changes to Active Directory
Active Directory auditing is the process of logging changes and events in Active Directory.
Auditing is important for security and compliance reasons.
You should at least be auditing active directory for the following events:
Failed logon attempts
Any changes to objects
Modifications to Privileged Accounts
Group Policy Changes
Before you can audit Active Directory, you must first set up an audit policy.
Steps to audit Active Directory
Step 1: Enable auditing on the domain controller
Step 2: Enable events to audit
Step 3: Review and maintain the audit logs
The above steps are a high level overview.
For detailed steps check out these resources
11. Track Down the Source of Account Lockouts
Random account lockouts are not only frustrating to the end users but for helpdesk and the admin who is troubleshooting it.
Mobile devices and user accounts set to run a service are the most common reasons for account lockouts.
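The audit events listed above and the lockout hunt can be turned into a small triage script. This is an added example, not code from the article or from any tool it names: it runs over a constructed list of records shaped like Windows Security log entries (EventID plus the event's data fields; in practice you would build the list from the domain controllers' Security logs) and reports failed-logon bursts, the computer that triggered each lockout, and additions to privileged groups.

```python
"""Triage Active Directory security events for the things the article says to audit.

Added example; not from the article or any product it names. EVENTS is a
constructed sample. Event IDs used: 4625 (an account failed to log on),
4740 (a user account was locked out; CallerComputerName is the source) and
4728 (a member was added to a security-enabled global group).
"""
from collections import Counter, defaultdict
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
BURST_THRESHOLD = 5   # this many failures for one account from one source ...
BURST_WINDOW = 600    # ... within this many seconds is a burst worth a look


def ev(eid, time, **fields):
    """Build one constructed event record."""
    return {"EventID": eid, "Time": time, **fields}


# Constructed sample: a laptop retrying jsmith's old password until lockout, a
# service account with a stale password failing once an hour (no burst), and a
# helpdesk user adding someone to Domain Admins. All names and IPs are made up.
EVENTS = [
    ev(4625, "2024-03-04T08:00:01", TargetUserName="jsmith", WorkstationName="LIT1201", IpAddress="10.0.5.21"),
    ev(4625, "2024-03-04T08:00:05", TargetUserName="jsmith", WorkstationName="LIT1201", IpAddress="10.0.5.21"),
    ev(4625, "2024-03-04T08:00:09", TargetUserName="jsmith", WorkstationName="LIT1201", IpAddress="10.0.5.21"),
    ev(4625, "2024-03-04T08:00:13", TargetUserName="jsmith", WorkstationName="LIT1201", IpAddress="10.0.5.21"),
    ev(4625, "2024-03-04T08:00:17", TargetUserName="jsmith", WorkstationName="LIT1201", IpAddress="10.0.5.21"),
    ev(4740, "2024-03-04T08:00:18", TargetUserName="jsmith", CallerComputerName="LIT1201"),
    ev(4625, "2024-03-04T02:00:00", TargetUserName="svc-backup", WorkstationName="SHR0002", IpAddress="10.0.1.8"),
    ev(4625, "2024-03-04T03:00:00", TargetUserName="svc-backup", WorkstationName="SHR0002", IpAddress="10.0.1.8"),
    ev(4728, "2024-03-04T09:15:00", SubjectUserName="hdesk1", TargetUserName="Domain Admins",
       MemberName="CN=Temp User,OU=Users,DC=corp,DC=example,DC=test"),
]


def ts(e):
    return datetime.fromisoformat(e["Time"])


def lockout_sources(events):
    """Map each locked-out account to the computer that triggered the lockout."""
    return {e["TargetUserName"]: e["CallerComputerName"] for e in events if e["EventID"] == 4740}


def failed_logon_bursts(events):
    """(account, source) pairs with BURST_THRESHOLD failures inside BURST_WINDOW seconds.

    Sliding window over the sorted timestamps of each account/source pair, so a
    service account failing once an hour is not flagged while a tight retry loop is.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_key[(e["TargetUserName"], e.get("IpAddress") or e.get("WorkstationName"))].append(ts(e))
    bursts = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= BURST_WINDOW:
                bursts.append(key)
                break
    return bursts


def privileged_group_changes(events):
    """Additions to privileged groups as (who did it, member DN, group)."""
    return [(e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events if e["EventID"] == 4728 and e["TargetUserName"] in PRIVILEGED_GROUPS]


def triage(events):
    """One summary an admin can read off: lockout sources, bursts, privileged changes, failure counts."""
    return {
        "lockouts": lockout_sources(events),
        "bursts": failed_logon_bursts(events),
        "privileged_changes": privileged_group_changes(events),
        "failed_by_account": dict(Counter(e["TargetUserName"] for e in events if e["EventID"] == 4625)),
    }


if __name__ == "__main__":
    for k, v in triage(EVENTS).items():
        print(k, v)
```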
12. Automate Common Active Directory Tasks
I would encourage you to automate anything that you can.
Active directory administration involves many routine tasks such as user account creations, modifications, account removals, computer management, security and so on. Some of these day to day tasks are very time consuming.
Most routine tasks can be automated to make you more efficient at your job.
Here are some common tasks that you should automate:
User account creation
Group Membership Management
File copies, directory cleanups
Windows and 3rd party patches
Decommission of assets
It may be difficult to automate the entire process of some tasks but automate what you can. Automating any part of a repetitive task will save time.
PowerShell is a tool for automating a lot of these tasks.
My team recently automated the whole user account creation process using PowerShell. This involved many steps such as creating the account, adding it to groups, creating the Office 365 mailbox and creating a personal shared folder.
Creating user accounts has never been easier.
13. Understand LDAP Distinguished Name Paths
Active Directory is an LDAP (Lightweight Directory Access Protocol) directory service, which means all access to objects occurs through LDAP.
LDAP uses paths to locate objects; the full path of an object is defined by its distinguished name.
Integrating other systems with Active Directory often requires some LDAP information.
Unfortunately, every program does this differently. Having a little knowledge of distinguished name paths will help with integrating other systems with Active Directory.
In most cases you need the distinguished name for the following:
User account (That has read access to AD)
OU where users are located
Here is how you find the distinguished name:
Step 1: Open ADUC and browse to the account
Step 2: Right click on the account and select Properties
Step 3: Select the Attribute Editor tab
Step 4: Find the distinguishedName attribute, then click the View button
Repeat these steps for any other object that is needed.
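When you paste a distinguished name into another system it helps to know how one is put together. The following added example (not from the article or any tool it names) parses a DN into its RDNs following RFC 4514 escaping, which is why a plain split on commas is unsafe when a CN like "Smith, Joe" contains one, and derives the container OU and a human-readable OU path; the sample DN is constructed.

```python
r"""Parse, build and walk Active Directory distinguished names.

Added example; not from the article or any product it names. Values in an RDN
escape the characters , + " \ < > ; (and a leading # or leading/trailing
space) with a backslash, or as \XX hex, per RFC 4514. Sample DN is made up.
"""
SPECIAL = ',+"\\<>;'
HEX = "0123456789abcdefABCDEF"


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Turn an escaped RDN attribute value back into plain text."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and all(c in HEX for c in value[i + 1:i + 3]):
                out.append(chr(int(value[i + 1:i + 3], 16)))   # \XX hex escape
                i += 3
            else:
                out.append(value[i + 1])                       # \, \+ \" ...
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def escape(value):
    """Escape a plain attribute value for use inside an RDN."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn):
    """[(attribute type, unescaped value), ...] from the object itself up to the domain root."""
    pairs = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().upper(), unescape(val)))
    return pairs


def parent_dn(dn):
    """DN of the container holding the object (the 'OU where users are located')."""
    return ",".join(split_rdns(dn)[1:])


def ou_path(dn):
    """Root-first OU path as you would see it in ADUC, e.g. 'Users/Sales'."""
    return "/".join(reversed([v for t, v in parse_dn(dn) if t == "OU"]))


def build_dn(cn, ous, dns_domain):
    """Build a DN for an object named cn inside the OU chain ous (root-first) of dns_domain."""
    rdns = [f"CN={escape(cn)}"] + [f"OU={escape(o)}" for o in reversed(ous)]
    rdns += [f"DC={label}" for label in dns_domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    sample = r"CN=Smith\, Joe,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"
    print(parse_dn(sample))
    print(parent_dn(sample), "|", ou_path(sample))
```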
14. Use Service Accounts (with least privileges)
There will be a time when you need to run a task, script or program with a user account (domain or local).
These are referred to as service accounts.
First of all, don’t use a domain admin account or any other user account for these.
Instead, create a new account to use for each specific service. Your user accounts should have a policy to change their password every x days; if a user account is being used by a service and its password changes, that service is going to stop working.
Here are some additional tips:
Use a descriptive name
Document the account and add a description in Active Directory
Create long complex passwords
Set account to never expire
Restrict what the account can log into
Audit and monitor service accounts usage
When possible create local service accounts instead of domain accounts
Give the service account the least privileges
Don’t use one account for multiple services.
15. Delegate Tasks When You Can
No, I’m not talking about delegating rights to helpdesk.
Over the years the responsibilities of System and network administrators have skyrocketed. Some system administrators are responsible for almost everything from the server down to a printer.
To save your sanity be willing to delegate some tasks to others outside of your team.
I was hesitant on this for years. I worked hard to get everything in order, procedures down and keep systems running 24/7.
BUT as responsibilities grew it reached a point where productivity was down. New projects were slow to roll out.
To resolve this, I learned that it was OK to delegate tasks outside of my team.
Here are a few tasks that I delegated:
Account setups and removal
Managing Print Servers
Modifying Account attributes
Adding and removing domain computers
Modifying group members
Talk to supervisors, talk to other staff members that are willing to take on these roles.
If it doesn’t work out simply revoke their rights and take the task back over (I’ve had to do this a few times).
16. Use Restricted Groups to Control Local Groups
Restricted groups allow you to centrally manage who is a member of local groups on workstations and servers.
One common use of this is to add an Active Directory group into the local Administrators group on all computers. This is an easy way to give your helpdesk or other IT staff admin rights on all the workstations.
It’s also a great way to prevent users or other staff from adding users to the local admin group.
Regular users should not have admin rights; I’ve seen this get way out of control. You can use restricted groups to put a stop to this.
Here is a video tutorial demonstrating adding a domain group into the local Administrators group on domain joined computers.
Here are some good resources and tutorials on using restricted groups
17. Get Your Domain Time Right
Why should you care about the time?
If the time is not synchronized on all domain controllers, member servers and machines you will encounter problems.
Changes to Active Directory and group policy can disrupt services and affect business operations.
It’s important to put these changes through a change control process to avoid any downtime.
It’s also helpful to document your changes in case something goes wrong, and you need to roll back the changes.
When making critical changes I recommend the following.
Who is responsible for the change
Description of the change
Time of implementation
Duration of change
Has the change been tested
I would advise making the change process as simple as possible. Nothing slows progress down more than a bunch of red tape and paperwork.
21. Use Active Directory as Your Centralized Authentication Source for Everything.
If your on-premises or cloud-based applications support Active Directory authentication, then use it.
It makes authorizations and access to resources so much easier when it’s controlled centrally by Active Directory.
It’s also a huge plus for the end users, they can authenticate with just one username and password.
Any questions? Leave a comment below.
Recommended Tool: SolarWinds Server & Application Monitor (SAM)
This utility was designed to monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.
What I like best about SAM is its easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.