The DMARC perspective: Protecting your sending in the age of stricter enforcement

What is DMARC and why does it matter?

Let’s start with the basics. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication policy and reporting protocol. DMARC authenticates emails and sender identity and proves that messages originate from a legitimate source authorized by your domain.

This helps combat a growing threat – email spoofing. In email spoofing, attackers use a forged sender address to impersonate trusted entities, tricking recipients into clicking malicious links or revealing sensitive information. Here are the basic components of DMARC:

• Authentication: DMARC relies on existing email authentication protocols like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to verify the legitimacy of incoming emails claiming to be from your domain.

• Reporting: DMARC instructs email providers (like Gmail or Yahoo Mail) on how to handle emails that fail authentication checks. This allows you to receive reports on potential spoofing attempts and track unauthorized use of your domain.

• Conformance: DMARC lets you define your preferred action for unauthenticated emails: "reject," "quarantine," or "none (report only)." This allows you to take control of your email reputation and protect your users from phishing attacks.

DMARC policies

DMARC builds on the authentication capabilities of SPF and DKIM, but goes further and allows senders to tell receiving servers how they want messages that fail authentication to be managed. This is done through selecting policies and there are three possible options.

None

The p=none tag makes no changes to your existing arrangement – the inbox provider will pass on the message as normal to the recipient.

Quarantine

The p=quarantine tag means sending unqualified mail to the spam folder until you are 100% sure where these emails are originating.

Reject

p=reject is the end goal of DMARC adoption, and according to our deliverability experts, it’s where the future of the sender requirements is headed. While quarantining is a good start, you don’t want spoofed emails in your customer’s spam folder forever, you want to eventually take a stronger approach.

Before we dive into the changing DMARC landscape, check out our Email’s Not Dead podcast and listen to our episode with Ash Morin of dmarcian.

The DMARC enforcement landscape: A changing game

Previously, both Google and Yahoo practiced a more relaxed approach to DMARC enforcement. Now with the new sender requirements the gloves are coming off…finally.

What sender requirements are we talking about?

Back in October 2023, Google and Yahoo announced they would be enforcing a few key sender requirements including DMARC adoption for bulk senders. And this is where the first wave of confusion and questions came in from senders. Will I be impacted? Am I a bulk sender?

The big question: Are you a bulk sender?

Are you, or are you not a bulk sender? It sounds like an intense line of witness questioning – and many senders probably resonate with that feeling of being in the hotseat when it comes to these requirements. So, here’s deal, Google defines bulk senders as those who send 5,000 emails within a 24-hour window. Seems straightforward enough.

Yahoo's definition, however, is intentionally numberless. And it boils down to this, if you think you’re a bulk sender, you’re a bulk sender.

Challenges to DMARC adoption

So, here’s the next question. If DMARC is so great at validating sender identity and protecting user’s inboxes, why haven’t senders more widely adopted it? The answer is twofold. It’s both more expensive to implement than authentications like SPF and DMARC, and more technically demanding with different challenges depending on the size of your organization. Here are some of the big challenges:

• Shadow IT: In complex IT environments, identifying all sources of email within the organization can be challenging. Shadow IT, where departments use unauthorized email services outside the central IT purview, can make DMARC implementation difficult.

  To overcome this, do a comprehensive audit of all your email sending sources before rolling out DMARC policies.

• Third-party dependencies: Many organizations rely on third-party email service providers (ESPs) for marketing campaigns or transactional emails. Coordinating DMARC implementation with your ESP is essential. Unfortunately, not all ESPs currently offer full DMARC support. To overcome this, advocate for DMARC support from your chosen ESP and consider migrating to a provider that prioritizes secure email delivery.

• Internal communication and change canagement: Implementing DMARC requires collaboration across various departments, including IT, marketing, and customer support. To overcome this, set up clear internal communication about the changes and their benefits for email security and brand reputation is critical for a smooth rollout.

DMARC implementation can be challenging and that’s why providers like dmarcian, and even ESPs like us need to be prepared to talk about DMARC at every level. Implementation challenges will vary depending on your unique organization.

Best practices for navigating DMARC implementation

With the challenges identified, how can you ensure a successful DMARC rollout? Here are some best practices to guide you:

• Start small, scale up: Begin by implementing DMARC with a "p=none" (report only) policy on a subdomain you fully control. Monitor the reports you receive to understand the sending landscape within your organization and identify any potential spoofing attempts. Gradually expand DMARC implementation to other subdomains as you gain confidence.

• Segmentation is your friend: Segment your email marketing efforts. Send marketing emails from a subdomain dedicated for those campaigns, and transactional emails from a separate domain. This allows you to isolate potential issues with marketing emails without impacting transactional emails sent from your primary domain.

• Embrace DMARC advocacy: If your ESP lacks DMARC support, communicate the importance of this security measure and encourage them to prioritize its integration. Consider exploring alternative ESPs that offer robust DMARC functionality.

• Seek expert guidance: DMARC implementation can be complex, especially for large organizations. Don't hesitate to seek help from DMARC specialists or security consultants who can guide you through the process.

Wrapping up

There are two things you need to do to get through this DMARC process. The first is to make sure you’re sending with best practices like great list hygiene and good segmentation. These deliverability basics will help keep your mail sources organized and optimized which makes it easier to manage DMARC.

The second is to find strong resources so you can troubleshoot when you need to. Resources are going to be your best friend when it comes to navigating DMARC adoption. We’ve linked some great information throughout this post, but you should also check out dmarcian.com and their sender resources tab. They’re the DMARC experts and have assembled everything you need to know.

We’ve been covering the Yoogle changes for a while now, and we’ve got some great information about the requirements. Check out our fireside chat with Google and Yahoo to learn more directly from these mailbox providers.