DMARC is Here to Stay. Now What?

e-Commerce is a substantial portion of what happens on the Internet, and email marketing powers much of this ecosystem. Like everything online, there are risks to both users and brands through email. DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help companies to protect their customers and their brands from abuse.

DMARC is of increasing importance to the emailing marketing ecosystem. The standard was developed over five years ago, and since then, it has been adopted by millions of sending domains and hundreds of receivers. However, there are still a large number of senders who are not at enforcement levels or who are not using DMARC at all.

Despite this, according to the DMARC statistics from DMARC.org, valid DMARC records confirmed via DNS have more than quadrupled. In 2016, only 80,275 DMARC records were valid. In June 2021, there were 3,461,520 valid DMARC records.

Why should senders implement DMARC now?

DMARC is becoming more and more widely adopted, and its test phase on large receiver platforms has come to an end. Eventually, receiver platforms may switch to rejecting invalid messages that do not use DMARC.  If this were to happen, this could create deliverability issues for impacted domains and related message streams.  Beginning the work toward a robust DMARC deployment in the near future will help if this becomes a reality further down the road.

DMARC in a nutshell

DMARC can help to ensure authentication of communication, and provides reporting on how domains are being used or abused. It is dependent on the outcome of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) settings.

SPF is effectively a list of source IPs detailing where the domain is allowed to send from, and DKIM governs the cryptographic signature of messages.

Either the SPF or DKIM evaluation must pass and align.  If they do not, one of the following policies should be applied: ‘none’= do nothing, ‘quarantine’= straight to spam folder, or ‘reject’= refuse message. As a result,when combined with an enforcing policy, only authenticated emails sent from an authorized IP address or those that pass DKIM verification will be delivered to the recipient.

Why should receivers send reports?

If there are no reports to read, how will a sender know to deploy or trust DMARC? Reports from receivers also inform senders about any misconfigurations in their DKIM/SPF policies.

Why are aggregate reports important for both the sending and the receiving sides?

Aggregate reports are a cornerstone of DMARC (the ‘R’ stands for ‘reporting’).It also allows domain holders to see that the receiver is utilizing DMARC to protect domains/brands and that their requested policy is being honored. It also helps identify from whom/where (potentially) fraudulent messages are coming from and if there are any misconfigurations in the DKIM/SPF settings.

Such reports are not just useful for brands but can equally be useful for mailbox providers (MBPs).

How will implementing DMARC change business processes for ESPs?

DMARC will change your entire onboarding process for customers. Your customers will need an SPF policy that does not let all messages pass. Your platform will also need to be part of your customers’ SPF policy, and they will need to DKIM-sign messages. In return, you will need to DKIM-sign your customers’ messages. All of this information will need to be accessible in your customers’ DNS zones.

The sending of messages will become more complex. Before sending messages, it is necessary to check first whether the messages will conform to DMARC. It is also important to check if messages comply with receiver platform policies.

Also required is software to DKIM-sign messages on behalf of your customers and cryptographic keys to sign and verify email messages. These keys are not used to encrypt the message, but to calculate checksums from the message’s header and body section and then sign these checksums on the sender side. The receiver can download the key’s public part and use it to verify the cryptographic signature. If the checksums match, the message has not been altered and was indeed sent from the sender’s domain.

Patrick Koetter is an email expert, and CEO and board member of sys4 AG, which specializes in email, DNS, and the development of highly secure platforms and services. He contributes his knowledge and experience to eco as an expert and as Leader of the Email and Anti-Abuse Competence Groups.

Alex Brotman has been working in the Anti-Abuse & Messaging Policy group at Comcast since joining the company in 2011, and is currently a Senior Engineer. This group is responsible for ensuring customers get the messages they want, and doing their best to keep undesirable messages out. Alex has also worked within M3AAWG as a Data & Identity Protection Committee co-chair since 2014, working to publish documents and best practices that help the community at large ensure data is transmitted securely. As part of that work, Alex has helped to author two IETF RFCs on the topic of messaging security, and continues to work on additional standardization efforts.