Fraudulent email has been sent for as long as email has existed, and nothing in the design of the email protocols prevents it. Over the last several years, many individuals and companies involved in sending and receiving email have been working on formalizing policies for dealing with this problem. Technologies such as SPF and DKIM were developed over a decade ago to provide greater assurance of the authorship of an email message. Even with wide adoption, they haven’t significantly reduced the flow of fraudulent and deceptive email, because a receiver cannot tell whether mail that fails the DKIM or SPF checks is actually fraudulent. The solution, DMARC (Domain-based Message Authentication, Reporting & Conformance), is designed to let mail senders and receivers cooperate on how to handle mail that fails the SPF and DKIM tests.
What is DMARC?
DMARC is a set of rules that allow senders and receivers to coordinate their efforts in detecting and handling fraudulent mail. Mail senders publish a policy they wish receivers to follow, and receivers send reports to senders about how much spoofed or fraudulent mail they detected and rejected. A recipient using DMARC checks both SPF and DKIM to determine which domain the mail really comes from, and then applies the policy published for the domain in the message’s From address. A policy defines where legitimate mail comes from, what electronic signatures it carries, whom to notify when mail does not match, and what to do with that mail (discard it, or deliver it normally). If no policy is published for that domain, the mailbox provider is free to act on whatever policy it sees fit.
Why are Mailbox Providers using DMARC?
Almost all of the large mailbox providers (Yahoo!, Gmail, Hotmail, AOL, etc.) are using DMARC to improve the quality of their users’ inboxes. For example, they can easily distinguish mail that is sent by PayPal from mail that is spoofing PayPal. It’s not hard to see the benefit of having assurance that mail purporting to be from a financial institution really is from them.
A new trend among larger mailbox providers is to publish a DMARC policy limiting use of the email addresses they provide. So far Yahoo! and AOL have done so, and there are indications that Gmail will too. These DMARC policies cause great inconvenience for customers who use those email addresses for other services, such as sending receipts from an eBay store. Nevertheless, the policies provide a significant security benefit to the majority of their users.
What Should You Do About DMARC?
If you’re using MailerMailer with an email address from a mailbox provider that publishes a restrictive DMARC policy, then you have two choices: choose another mailbox provider, or get and use your own private domain name. If you already have your own domain name and are considering publishing a DMARC policy, be sure to include all sources of mail within your policy, such as MailerMailer. For MailerMailer, the only way for us to comply with any policy you may publish is to include us in your SPF record. Any mail we send on your behalf will never pass the DKIM test for your domain.
There really is no point in sending mail using an address covered by the DMARC policy of a large mailbox provider, except through their own service. Virtually all of your subscribers’ mail servers will bounce the mail, due to the wide adoption of DMARC by receivers. In a forthcoming release later this summer, MailerMailer will automatically detect if your sending address will cause your mailing to fail. We’ll warn you that there’s a policy issue, and also take evasive action, including replacing your sending address with one of our own and setting the reply-to address to your address.
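To make the receiver-side logic described under “What is DMARC?” concrete, and to show why the SPF-include advice and the sender-rewrite workaround in the two paragraphs above work, here is an added example that is not MailerMailer’s code. It evaluates a constructed DMARC record against SPF and DKIM results the way a receiving server would (relaxed and strict identifier alignment, subdomain fallback), then runs a pre-send check and the From-address rewrite. All domain names (freemail.example, mystore.example, esp.example), the DMARC records and the authentication results are made up for the illustration; real receivers also use the Public Suffix List for the organizational domain, which is approximated here.

```python
"""Added illustration of DMARC evaluation and the sender-rewrite workaround.

Constructed example, not MailerMailer code. Domain names, records and the
AuthResult inputs are all made up for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed _dmarc TXT records keyed by domain (sample values only).
CONSTRUCTED_DMARC_RECORDS: Dict[str, str] = {
    # a large mailbox provider with a restrictive policy, as in the post
    "freemail.example": "v=DMARC1; p=reject; rua=mailto:dmarc@freemail.example",
    # a store owner's own domain: quarantine policy, default relaxed alignment
    "mystore.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    # the hypothetical ESP's own domain, monitoring only
    "esp.example": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record into a dict of lower-cased tags.
    Raises ValueError unless it is a DMARC1 record carrying a p= tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Real receivers consult the Public Suffix List; this suffices for the sample."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain. No authenticated domain, no alignment."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str                 # domain in the RFC 5322 From: header
    spf_pass_domain: Optional[str]   # MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: Optional[str]  # d= of a verified DKIM signature, else None


def evaluate_dmarc(msg: AuthResult, records: Dict[str, str]) -> str:
    """Return 'pass', 'no-policy', or the policy action ('none', 'quarantine', 'reject')."""
    policy_domain = msg.from_domain.lower()
    record = records.get(policy_domain)
    if record is None:
        # subdomains fall back to the organizational domain's record
        policy_domain = org_domain(msg.from_domain)
        record = records.get(policy_domain)
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    spf_ok = aligned(msg.from_domain, msg.spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(msg.from_domain, msg.dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # the sp= tag, when present, governs mail from subdomains of the policy domain
    if policy_domain != msg.from_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags["p"]


def sender_blocked_by_policy(from_addr: str, records: Dict[str, str]) -> bool:
    """Pre-send check: would a third party's mail carrying this From: address
    fail under a quarantine/reject policy? (The third party's SPF and DKIM
    domains cannot align with the mailbox provider's domain.)"""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return False
    return parse_dmarc(record)["p"] in ("quarantine", "reject")


def rewrite_sender(from_addr: str, esp_domain: str) -> Tuple[str, str]:
    """Workaround from the post: send from an address on the ESP's own domain
    and carry the customer's address in Reply-To. The 'noreply' mailbox name
    is an assumption of this example."""
    return ("noreply@" + esp_domain, from_addr)


if __name__ == "__main__":
    esp = "esp.example"
    addr = "owner@freemail.example"
    # mail sent through the ESP with the customer's freemail address in From:
    before = AuthResult("freemail.example", "bounce." + esp, esp)
    print("before rewrite:", evaluate_dmarc(before, CONSTRUCTED_DMARC_RECORDS))
    if sender_blocked_by_policy(addr, CONSTRUCTED_DMARC_RECORDS):
        new_from, reply_to = rewrite_sender(addr, esp)
        after = AuthResult(new_from.split("@", 1)[1], "bounce." + esp, esp)
        print("after rewrite:", evaluate_dmarc(after, CONSTRUCTED_DMARC_RECORDS),
              "reply-to:", reply_to)
```

The mystore.example case shows the SPF-include advice: when the store's SPF record authorizes the ESP, SPF passes for the MAIL FROM domain mystore.example, which aligns with the From: domain and the message passes even though the DKIM signature belongs to esp.example; without that include, SPF yields no aligned domain and the quarantine policy applies.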
As always, if you have any concerns or questions about how to ensure your mail gets delivered, feel free to contact us.