The DMARC perspective: Protecting your sending in the age of stricter enforcement

The world of email is undergoing a significant shift. With Google and Yahoo recently increasing enforcement on DMARC, many organizations are having to implement DMARC or risk potential email rejections. We thought it would be a good idea to step back from the Gmail and Yahoo perspective and look at the advantages and reasons for enforcing DMARC from its best advocates.

Let’s start with the basics. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy and reporting protocol. DMARC authenticates emails and sender identity and proves that messages originate from a legitimate source authorized by your domain.

This helps combat a growing threat – email spoofing. In email spoofing, attackers use a forged sender address to impersonate trusted entities, tricking recipients into clicking malicious links or revealing sensitive information. Here are the basic components of DMARC:

• Authentication: DMARC relies on existing email authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the legitimacy of incoming emails claiming to be from your domain.
• Reporting: DMARC instructs email providers (like Gmail or Yahoo Mail) on how to handle emails that fail authentication checks. This allows you to receive reports on potential spoofing attempts and track unauthorized use of your domain.
• Conformance: DMARC lets you define your preferred action for unauthenticated emails: “reject,” “quarantine,” or “none (report only).” This allows you to take control of your email reputation and protect your users from phishing attacks, as Kate Nowrouzi points out in this video.

DMARC builds on the authentication capabilities of SPF and DKIM, but goes further and allows senders to tell receiving servers how they want messages that fail authentication to be managed. This is done through selecting policies and there are three possible options.

None

The p=none tag makes no changes to your existing arrangement – the inbox provider will pass on the message as normal to the recipient.

Quarantine

The p=quarantine tag means sending unqualified mail to the spam folder until you are 100% sure where these emails are originating.

Reject

p=reject is the end goal of DMARC adoption, and according to our deliverability experts, it’s where the future of the sender requirements is headed. While quarantining is a good start, you don’t want spoofed emails in your customer’s spam folder forever, you want to eventually take a stronger approach.

Before we dive into the changing DMARC landscape, check out our Email’s Not Dead podcast and listen to our episode with Ash Morin of dmarcian.

Previously, both Google and Yahoo practiced a more relaxed approach to DMARC enforcement. Now with the new sender requirements the gloves are coming off…finally.

“We always wanted a lot of organization. We pushed DMARC adoption when there was a carrot on a stick. Bimi was one of those (carrots), lower premium of cybersecurity insurance, deliverability, security…but when you have names like Google and Yahoo saying, ‘you better do this’ people listen.”

Ash Morin Director of Deployment Services at dmarcian

Back in October 2023, Google and Yahoo announced they would be enforcing a few key sender requirements including DMARC adoption for bulk senders. And this is where the first wave of confusion and questions came in from senders. Will I be impacted? Am I a bulk sender?

Are you, or are you not a bulk sender? It sounds like an intense line of witness questioning – and many senders probably resonate with that feeling of being in the hotseat when it comes to these requirements. So, here’s deal, Google defines bulk senders as those who send 5,000 emails within a 24-hour window. Seems straightforward enough.

Yahoo’s definition, however, is intentionally numberless. And it boils down to this, if you think you’re a bulk sender, you’re a bulk sender.

“The number is not 5,000, or 6,000, or 4,000. If you send 4,999 messages, you still have to follow the requirements. If you’re sending the same email to a lot of people, you’re a bulk sender.”

Marcel Becker Sr. Director of Product Management at Yahoo

So, here’s the next question. If DMARC is so great at validating sender identity and protecting user’s inboxes, why haven’t senders more widely adopted it? The answer is twofold. It’s both more expensive to implement than authentications like SPF and DMARC, and more technically demanding with different challenges depending on the size of your organization. Here are some of the big challenges:

• Shadow IT: In complex IT environments, identifying all sources of email within the organization can be challenging. Shadow IT, where departments use unauthorized email services outside the central IT purview, can make DMARC implementation difficult. To overcome this, do a comprehensive audit of all your email sending sources before rolling out DMARC policies.

“For enterprises the challenging Is mostly shadow IT, and by that, I mean business units within the organization have individual needs for services. So, they go out and purchase systems for things like benefits management that sends reports every month. And the service does that by essentially spoofing the organizations domain – in a legitimate way – but that type of mail source can make it harder to achieve DMARC alignment.”

Ash Morin Director of Deployment Services at dmarcian

• Third-party dependencies: Many organizations rely on third-party email service providers (ESPs) for marketing campaigns or transactional emails. Coordinating DMARC implementation with your ESP is essential. Unfortunately, not all ESPs currently offer full DMARC support. To overcome this, advocate for DMARC support from your chosen ESP and consider migrating to a provider that prioritizes secure email delivery.

• Internal communication and change canagement: Implementing DMARC requires collaboration across various departments, including IT, marketing, and customer support. To overcome this, set up clear internal communication about the changes and their benefits for email security and brand reputation is critical for a smooth rollout.

DMARC implementation can be challenging and that’s why providers like dmarcian, and even ESPs like us need to be prepared to talk about DMARC at every level. Implementation challenges will vary depending on your unique organization.

With the challenges identified, how can you ensure a successful DMARC rollout? Here are some best practices to guide you:

• Start small, scale up: Begin by implementing DMARC with a “p=none” (report only) policy on a subdomain you fully control. Monitor the reports you receive to understand the sending landscape within your organization and identify any potential spoofing attempts. Gradually expand DMARC implementation to other subdomains as you gain confidence.

“If you don’t have DMARC now, p=none is the first step. And that’s also the minimum being required by Google and Yahoo.”

Ash Morin Director of Deployment Services at dmarcian

• Segmentation is your friend: Segment your email marketing efforts. Send marketing emails from a subdomain dedicated for those campaigns, and transactional emails from a separate domain. This allows you to isolate potential issues with marketing emails without impacting transactional emails sent from your primary domain.

“A segmentation strategy and segmenting your email stream is very important for a variety of reasons. Security is one of them.”

Ash Morin Director of Deployment Services at dmarcian

• Embrace DMARC advocacy: If your ESP lacks DMARC support, communicate the importance of this security measure and encourage them to prioritize its integration. Consider exploring alternative ESPs that offer robust DMARC functionality.
• Seek expert guidance: DMARC implementation can be complex, especially for large organizations. Don’t hesitate to seek help from DMARC specialists or security consultants who can guide you through the process.

There are two things you need to do to get through this DMARC process. The first is to make sure you’re sending with best practices like great list hygiene and good segmentation. These deliverability basics will help keep your mail sources organized and optimized which makes it easier to manage DMARC.

The second is to find strong resources so you can troubleshoot when you need to. Resources are going to be your best friend when it comes to navigating DMARC adoption. We’ve linked some great information throughout this post, but you should also check out dmarcian.com and their sender resources tab. They’re the DMARC experts and have assembled everything you need to know.

We’ve been covering the Yoogle changes for a while now, and we’ve got some great information about the requirements. Check out our fireside chat with Google and Yahoo to learn more directly from these mailbox providers.

Author: Em Blitstein Em Blitstein is a Sr. Content Marketing Manager at Sinch Mailgun. She manages the Mailgun Blog, curates top-notch content, and falls down SEO rabbit holes. She writes about all things email and loves a good dev deep dive.