Not having DMARC can hurt but having it may hurt more

Properly implemented DMARC should not affect your deliverability. You can guess what I’m going to say next.

Last month I wrote about how even if you aren’t implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) it may still affect you via email authentication and header alignment.

It may seem then that if DMARC is going to have an effect anyway why not just go ahead with a full implementation. Go the whole hog and implement a quarantine or reject policy.

Well there’s a little bad news for marketers. Even though DMARC is gaining widespread adoption, and I fully expect that adoption to continue, there are a couple of barriers to implementation, one of which is outside of our control.

The most obvious issue of course is confidence. A reject or quarantine policy tells receiving systems to reject or quarantine any email using your domain that fails authentication. If you’re going to implement such a policy you first need to be quite certain all your outbound email is properly authenticated. In a large organization that can be a herculean, some might say sisyphean, task.

The good news is that DMARC offers a notify policy option. With this policy setting receivers should continue to treat your email as if you had no policy but notify you of any failures. This can be extremely helpful in tracking down those wayward systems (or groups) that are not yet authenticating properly.

The second issue for marketers is a little more subtle and unfortunately somewhat outside of our control. DMARC still has a problem with forwarding and not all email servers handle it well. The image below shows a Google Apps status alert sent to one of my Gmail addresses. Google put the alert (its own email) in the spam folder for failing authentication.

It did this because google.com has a reject DMARC policy. The email failed authentication because it was delivered via a server that broke the DKIM (DomainKeys Identified Mail) signature and of course SPF (Sender Policy Framework) since that just doesn’t handle forwarding.

DMARC

What this means for marketers is that by setting a reject or quarantine policy recipients whose email is being forwarded may never receive your messages. Typically this is a fairly small number of users but when you’re sending large amounts of email it can add up.

The problem is going to get better over time. Forwarding processes will be updated to accommodate DMARC’s restrictions but for now it’s a challenge and one that as a sender you cannot directly address.

My advice to marketers regarding authentication is as I said last month — it’s time to get your ducks in a row.

Regarding DMARC my advice is to start with a notify policy and monitor how many failures you’re seeing. There are tools and services that can help you manage and make sense of the reports (dmarc.org provides a useful list).

In addition to tracking down wayward senders within your organization these reports will help you identify bad actors that may be spoofing your email and help you determine if and how much of your marketing email is being forwarded via a non-compliant system.

I know, I know, even more to put on your full plate but like it or not authentication and DMARC are important to ensuring the integrity of the email channel. Not just for marketing but for all communications.

Related reading

email3-1
Gmail-Logo
Gmail-Logo
channels
<