DO U DMARC? Why you should (and FAQ)


DMARC is not a magic bullet that shoots your mail straight to the inbox. But it does two things well and these two things are (or should be) important to email senders, marketers and IT professionals alike:

  1. It allows you to monitor for email authentication failures and compliance with your organization’s email authentication policies. Meaning, did DKIM break at your ESP? Or does your HR department use an outsource hiring service that sends email as your domain? Did you even know about that? Is it authenticating mail properly? Do you have somebody in some random department with a random Linux box sending out reports to clients using an unsanctioned method that lacks email authentication? DMARC monitoring can help you catch all of this, so that you can help nudge those use cases “back in process” -- help migrate them to a platform that can send authenticated email properly, or help them enable email authentication on whatever email platform they’re using currently.
  2. It helps you tell the bad guys that they won’t find a lot of value in trying to use your domain name to send mail. If you publish that p=reject policy, you’re telling the big mailbox providers to reject mail that purports to be from your domain. That makes it harder for spammers to get spam delivered. (And DMARC monitoring allows you to tell when they’re trying to spoof you.)
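Here is an added example (not from the original post) of what the monitoring in point 1 looks like in practice: a small Python script that reads a DMARC aggregate (RUA) report, the XML that mailbox providers send to the address in your record's rua= tag, and separates mail that failed both aligned DKIM and aligned SPF from mail that authenticated fine but came from a source you never sanctioned. The report and the KNOWN_SOURCES allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report, cut down to the
# fields this summary uses; real reports carry more metadata per record.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>mailbox.example</org_name></report_metadata>
<policy_published><domain>example.com</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
</row><identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>198.51.100.7</source_ip><count>35</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
</row><identifiers><header_from>example.com</header_from></identifiers></record>
<record><row><source_ip>203.0.113.22</source_ip><count>8</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
</row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical allow-list of sending sources the organisation knows about
# (its own MTAs, its ESP); anything else that passes is the "random Linux box".
KNOWN_SOURCES = {"192.0.2.10"}

def summarize_report(xml_text, known_sources=KNOWN_SOURCES):
    """Return per-source DMARC results plus counts of failing and unknown mail."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": [],
        "failing_messages": 0,   # neither DKIM nor SPF aligned: spoofing or broken auth
        "unknown_messages": 0,   # authenticated, but from a source nobody sanctioned
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")   # aligned DKIM result
        spf = rec.findtext("row/policy_evaluated/spf")     # aligned SPF result
        disposition = rec.findtext("row/policy_evaluated/disposition")
        passed = "pass" in (dkim, spf)   # DMARC passes if either aligned check passes
        if not passed:
            summary["failing_messages"] += count
        elif ip not in known_sources:
            summary["unknown_messages"] += count
        summary["sources"].append({"ip": ip, "count": count, "dkim": dkim, "spf": spf,
                                   "disposition": disposition, "dmarc_pass": passed})
    return summary

if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    for src in s["sources"]:
        print(src)
    print(s["failing_messages"], "failing,", s["unknown_messages"], "from unknown sources")
```

The failing bucket is what a p=reject policy turns into bounces for the spoofer; the unknown bucket is the list of departments and vendors to go nudge back in process.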

I talked a bit about this in an online discussion the other day and an "I promise you we're not a spammer" "email marketer" dropped from the sky, ready to school me on how I’ve got it wrong, how DMARC doesn’t matter because it didn’t help his “email shop” that used rotating domains and tags filled with nonsense to try to get past filters and into the inbox. There's not a lot of common ground to be had there, so I figured it’d be nice to share this out with everybody else who isn’t sending third party advertising or unsolicited mail and clarify a few points.

Al’s Random DMARC FAQ: DMARC, Spam and Inbox Placement

Does DMARC help you send spam? No.

Does DMARC tell an ISP that your mail is solicited or unsolicited? No. Good senders implement DMARC, but bad guys can implement it, too.

Does DMARC help with inbox placement? No. (There is a bit of an urban legend that even I have been guilty of spreading that says that Gmail might give you a slight reputation boost in an effort to drive DMARC adoption. I wouldn’t really count on this. DMARC could indirectly help with inbox placement in that by making your domain less likely to be used in forged spam, your overall domain reputation could rise as a result. That could be a bit of a stretch.)

Does DMARC keep spammers from using your domain? Mostly yes, with a bit of no. Spammers who actually track bounces will note that bounce rates go through the roof at ISPs like Yahoo, Gmail, mail.ru, etc. when they try to use your domain. That'll make them move on. Spammers who don't track bounces might not notice, but at least their delivery rates and response rates will go way down, because the big consumer (B2C) mailbox providers will block their garbage at a higher rate when they try to spoof your domain.

Does DMARC keep hackers from using your domain? Yes and no. Spear phishers targeting B2B are probably going to test it and see. I recommend using email security that blocks based on DMARC failures. But more broadly, it makes forging your domain less useful as big mailbox providers are unlikely to accept the mail. That sounds like a good thing to me.

Depending on how you use email, DMARC can complicate things, specifically with email forwarding and email discussion lists. Email forwarding needs to be re-thought a bit (see my thoughts here), and for mailing lists there's a newer spec called ARC that helps to address this, but it isn't widely adopted. A lot of mailing list operators (myself included) have chosen to rewrite list headers on mailing list mail to address DMARC issues. You can find my thoughts and recommendations here.
